I think what's tripping you up is what parts of the mail "From:addr"
and "From:name" refer to. In the example you give:
From: blablabla <blabla...@gmail.com>
From:name will be "blablabla"
and
From:addr will be "blabla...@gmail.com"
Since there's no "@" in From:name, there's clearly not an email
address there, so there's nothing to compare to the domain part of
From:addr.
The "bounces.em.secureserver.net" you're referring to is part of the
EnvelopeFrom (AKA ReturnPath). This particular check doesn't consider
that domain name in any way whatsoever.
On Mon, 22 Jan 2018, Chip wrote:
I might be wrong here understand I'm still learning, but the purpose of
the filter, from what I've been able to grasp, is that it checksĀ the
From:addr and From:name values in SA to find
their domain and triggering a rule hit if there is a domain in the
From:name that doesn't match the domain in the From:addr.
In the example I sent From: (as in From:name) contains the domain
"gmail.com" - blabla...@gmail.com
From:addr contains "bounces.em.secureserver.net"
Thus mismatch between From:name that doesn't match the domain in the
From:addr.
Thus it would identify this message as probably spam, which it is not.
Are people talking about a name like "bla@bla...@domain.com"? in this
thread meaning the actual "@" character in the "name" or are we
comparing domains from the From:add to the domain in the From:name?
On 01/22/2018 05:56 PM, RW wrote:
On Mon, 22 Jan 2018 17:44:00 -0500
Chip wrote:
Following is the full header with identifiable information
anonymized.
I don't see what you are getting at, in:
From: blablabla <blabla...@gmail.com>
blablabla doesn't contain an "@".
--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
