On 12/20/2018 10:30 AM, Mark London wrote:
> Hi - What's the best rule to catch email with multiple addresses in the From: line?

¯\_(ツ)_/¯

> I realize that rfc2822 allows it.

Does SpamAssassin even handle two true From:addr(esses)? I.e.:

From: <us...@example.com>, <us...@example.net>

Does From:addr contain both of the from addresses?

> But the only email we've ever received with multiple addresses, were spam, and even GMAIL.COM doesn't allow it:

I question if the examples that you're seeing are actually multiple From:addr(esses) or if it's not one From:addr(ess) and a creative From:name.

> <<< 550-5.7.1 Messages with multiple addresses in From:
> <<< 550 5.7.1 header are not accepted. e7si4119336qvp.159 - gsmtp

I would like to see the raw header that you tested, particularly to understand how it relates to the above question.

> At the very least, I want to block emails that spoof my domain.

Aside: I hope that you've already got other measures in place, like SPF, DKIM, DMARC, to thwart people spoofing your domain. As a bonus, they also help other people detect when people are spoofing your domain.

> I.e. I want to block email that has @psfc.mit.edu followed by a comma. For example:
> From:struth...@psfc.mit.edu, "Lorraine M.<lstru...@slac.stanford.edu>"<xp...@clientes.xhost.cl>

I'll have to go back and read pertinent RFCs to see how struth...@psfc.mit.edu is interpreted, seeing as how it's outside of double quotes, and not in angle brackets. I don't know if it's treated as a raw From:addr(ess) or part of a weirdly formed From:name.

> I tried to have a rule like:

It looks like you solved your own problem in a follow up.

--
Grant. . . .
unix || die
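The distinction raised in this thread (several real mailboxes in From: versus one mailbox whose display name merely contains an address) can be checked mechanically. The following is an added example, not part of either poster's message and not SpamAssassin code: the function names, the `corp.example` domain and the sample headers are constructed, and RFC 5322 group syntax is not handled.

```python
import re

ADDR_RE = re.compile(r'[^\s<>"@,]+@[^\s<>"@,]+')  # loose address-like token

def split_mailboxes(value):
    """Split a From: value at commas outside "quotes", <angles>, (comments)."""
    parts, buf, in_quote, angle, depth, i = [], [], False, False, 0, 0
    while i < len(value):
        ch = value[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(value):  # keep a quoted-pair intact
                buf.append(ch)
                i += 1
                ch = value[i]
            elif ch == '"':
                in_quote = False
        elif ch == '"' and not depth:
            in_quote = True
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif ch in "<>" and not depth:
            angle = ch == "<"
        elif ch == "," and not depth and not angle:
            parts.append("".join(buf).strip())  # top-level comma ends a mailbox
            buf, ch = [], ""
        buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_mailbox(mbox):
    """Return (display_name, addr_spec) for one mailbox."""
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', "", mbox)  # ignore quoted strings
    m = re.search(r"<([^<>]*)>", unquoted)
    if m:
        return mbox[: mbox.rfind("<")].strip(), m.group(1).strip()
    return "", unquoted.strip()  # bare addr-spec, no display name

def analyze_from(value, own_domain):
    boxes = [parse_mailbox(m) for m in split_mailboxes(value)]
    addrs = [a.lower() for _, a in boxes]
    own = any(a.endswith("@" + own_domain) for a in addrs)
    return {"mailboxes": addrs, "multiple": len(addrs) > 1,
            "addr_in_display": [d for d, _ in boxes if ADDR_RE.search(d)],
            "own_domain_with_others": len(addrs) > 1 and own}

if __name__ == "__main__":  # constructed sample headers
    for h in ('alice@corp.example, "Alice M.<alice@lab.example>"<xp01@bulk.example>',
              '"alice@corp.example, Alice" <xp01@bulk.example>'):
        print(analyze_from(h, "corp.example"))
```

The first sample has two real mailboxes, one of them in the local domain; the second has a single mailbox and only looks similar because of the quoted display name.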