On Fri, 2019-11-22 at 13:01 +0000, RW wrote:
> On Fri, 22 Nov 2019 00:00:53 +0000
> Martin Gregorie wrote:
>
> >
> > describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> > header __SM1 From:name =~ /^John M Mayor$/
> > header __SM2 From:addr =~ /^john\@cityhall\.com$/
> > meta SPOOFED_MAYOR (__SM1 && ! __SM2) || ! __SM1
> > score SPOOFED_MAYOR 5.0
> >
> ..
> > The final " || ! __SM1" meta term is only needed if
> > you want to ensure that the name part must also be an exact match,
> > i.e. you assume that the user will notice that the sender name isn't
> > quite right, but a careful rule writer would not rely on that, hence
> > its inclusion.
>
> I don't understand what you were aiming for here, but '|| ! _SM1'
> means that the rule will hit *anything* that doesn't match __SM1,
> which is almost everything.
>
Quite. The original rule detected spoofs marked by having a correct From:name part and an incorrect From:addr part - which is what the OP wanted. Then I thought it would be useful to try to validate the name part as well, which is what I was trying to do. A decent sleep later, and it's obvious that doing this is complete BS: the only sensible form of the rule uses this meta:

meta SPOOFED_MAYOR (__SM1 && !__SM2)

Doing anything apart from that would require a needlessly complex rule (the OP's original message said that this spam was getting through BECAUSE the From:name part was visually exactly what his mail recipients were expecting to see). Doing anything sensible beyond this probably requires a set of related rules, ranging from a check on the Message-ID or initial MTA relay to scanning the email body for signs of a spear phishing expedition etc., or even a dedicated plugin to do some sort of fuzzy match on acceptable name parts, i.e. those using different charsets and/or glyphs but that still look like the Mayor's name given a fairly quick glance.

Martin
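To make the difference between the two meta expressions concrete, here is a small Python model of the rule logic. It is an added example, not code from the thread or from SpamAssassin; it assumes that From:name and From:addr correspond to the display-name and address parts returned by email.utils.parseaddr, and the From: header values it tests are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Constructed sample From: header values (not taken from the thread).
SAMPLES = {
    "genuine":   "John M Mayor <john@cityhall.com>",              # right name, right address
    "spoof":     "John M Mayor <john.m.mayor@example.net>",       # right name, wrong address
    "unrelated": "Alice Example <alice@example.org>",             # neither matches
    "near_name": "John Mayor <john@cityhall.com>",                # name not exact, address right
}

# Python equivalents of the two header sub-rules from the thread.
SM1 = re.compile(r"^John M Mayor$")        # header __SM1 From:name
SM2 = re.compile(r"^john@cityhall\.com$")  # header __SM2 From:addr


def subrules(from_header):
    """Return (__SM1, __SM2) for one From: header value."""
    name, addr = parseaddr(from_header)
    return bool(SM1.search(name)), bool(SM2.search(addr))


def meta_broken(from_header):
    """(__SM1 && !__SM2) || !__SM1: true for everything except a genuine match."""
    sm1, sm2 = subrules(from_header)
    return (sm1 and not sm2) or not sm1


def meta_fixed(from_header):
    """(__SM1 && !__SM2): true only for the exact name with a foreign address."""
    sm1, sm2 = subrules(from_header)
    return sm1 and not sm2


def evaluate(samples=SAMPLES):
    """Evaluate both meta forms over every sample header."""
    return {
        label: {"broken": meta_broken(hdr), "fixed": meta_fixed(hdr)}
        for label, hdr in samples.items()
    }


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:10s} broken={result['broken']!s:5s} fixed={result['fixed']}")
```

Running it shows the point RW made: the first form hits three of the four headers (everything that is not the genuine sender), while the corrected meta hits only the spoof, which is the case the OP was asking about.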