On Mon, 22 Jan 2018, Chip wrote:

Understood, so then what would a From:name that contains a domain look
like, since it seems the filter needs to compare the domain found in
From:addr to From:name in order to pass it as ham?

  From: "Joe User (Your Bank) <joeu...@yourbank.com>" <joeb...@phishing.com>


Or am I on another planet altogether here, just say so and I'll shut up.

On 01/22/2018 06:21 PM, Chip wrote:
Ah, okay.  Thanks for the clarification.

So this filter, what would it make of that message?  Spam or ham?

On 01/22/2018 06:16 PM, sha...@shanew.net wrote:
I think what's tripping you up is what parts of the mail "From:addr"
and "From:name" refer to.  In the example you give:

From: blablabla <blabla...@gmail.com>

From:name will be "blablabla"
and
From:addr will be "blabla...@gmail.com"

Since there's no "@" in From:name, there's clearly not an email
address there, so there's nothing to compare to the domain part of
From:addr.

The "bounces.em.secureserver.net" you're referring to is part of the
EnvelopeFrom (AKA ReturnPath).  This particular check doesn't consider
that domain name in any way whatsoever.

On Mon, 22 Jan 2018, Chip wrote:

I might be wrong here, understand I'm still learning, but the purpose of
the filter, from what I've been able to grasp, is that it checks the
From:addr and From:name values in SA to find
their domain and triggers a rule hit if there is a domain in the
From:name that doesn't match the domain in the From:addr.

In the example I sent From: (as in From:name) contains the domain
"gmail.com" - blabla...@gmail.com

From:addr contains "bounces.em.secureserver.net"

Thus a mismatch: the From:name doesn't match the domain in the
From:addr.

Thus it would identify this message as probably spam, which it is not.

Are people talking about a name like "bla@bla...@domain.com" in this
thread, meaning the actual "@" character in the "name", or are we
comparing domains from the From:addr to the domain in the From:name?



On 01/22/2018 05:56 PM, RW wrote:
On Mon, 22 Jan 2018 17:44:00 -0500
Chip wrote:

Following is the full header with identifiable information
anonymized.
I don't see what you are getting at, in:


  From: blablabla <blabla...@gmail.com>

blablabla doesn't contain an "@".



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  USMC Rules of Gunfighting #20: The faster you finish the fight,
  the less shot you will get.
-----------------------------------------------------------------------
 Tomorrow: John Moses Browning's 163rd Birthday
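The comparison the thread describes, written out as an added example (not SpamAssassin's own code or any plugin's implementation): split the From: header into From:name and From:addr, and only when the display name itself contains something that looks like an address compare its domain to the From:addr domain. Envelope sender / Return-Path is deliberately not looked at, matching what the thread says about the check. The header values below are constructed samples modelled on the ones quoted in the thread.

```python
"""Flag a From: header whose display name carries an e-mail address from a
different domain than the real From: address (the "Your Bank" spoof shape).

Assumption: this mirrors the comparison discussed in the thread; it is not
SpamAssassin's implementation of the check."""
import re
from email.utils import parseaddr

# Something that looks like an address embedded in free text; group 1 is
# its domain part.  Kept simple on purpose (no IDN / domain-literal support).
_ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def split_from(header_value):
    """Return (From:name, From:addr) in the sense used in the thread."""
    return parseaddr(header_value)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def fromname_domain_mismatch(header_value):
    """Return the mismatching domain found in From:name, or None.

    A From:name without an "@" (e.g. "blablabla") contains no address, so
    there is nothing to compare and the check never hits, regardless of what
    the envelope sender (Return-Path) domain is."""
    name, addr = split_from(header_value)
    if "@" not in name:
        return None
    real_domain = domain_of(addr)
    for match in _ADDR_IN_NAME.finditer(name):
        name_domain = match.group(1).lower()
        if name_domain != real_domain:
            return name_domain
    return None


if __name__ == "__main__":
    # Constructed samples: the spoof shape from the thread, then the plain
    # gmail-style header that should not hit.
    samples = [
        '"Joe User (Your Bank) <joe.user@yourbank.example>" <joe.b@phishing.example>',
        "blablabla <blabla@gmail.example>",
    ]
    for value in samples:
        print(repr(value), "->", fromname_domain_mismatch(value))
```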