On 2024-07-17 at 13:17:16 UTC-0400 (Wed, 17 Jul 2024 10:17:16 -0700)
Kirk Ismay <k...@ismay.ca>
is rumored to have said:

I have a spammer using a malformed From header, as follows:

From: <UPS>sha...@marketcrank.com

The envelope from is: direcc...@delher.com.mx, and I've set up blocks for that address.

Sendmail is munging the From: header to change <UPS> to <u...@my.host.name>, so it ends up looking like a local address to my users.

How do I detect similar mangled From headers in Spamassassin?

I believe SA already has a more general rule that will catch the *BAD* form, but depending on how you've integrated SA and Sendmail, it may only see the "cleaned up" form that Sendmail provides. I believe SA sees the unmolested headers only in a milter interface, NOT if you've got it hooked into a mailer.

If not, here's a rule that should work:

header FROM_ANGLE_UNQUAL  From =~ /<[^<\@]*>[^\@]*\@/

Also does anyone know how to prevent Sendmail from rewriting the From header like this?  The documentation for confFROM_HEADER is somewhat cryptic:

https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER

I'd rather it say <UPS@suspected-spammer> instead, or reject it entirely.

Thanks,
Kirk

Remove FEATURE(always_add_domain) from your .mc and remake sendmail.cf. Consult the Ops guide and/or cf/README for all of the effects of that.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
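
An added example, not part of the original thread: a Python check of the pattern from the rule above against constructed From values, showing that it fires on the raw malformed header but not on the form Sendmail has already rewritten. The addresses and hostname are made up, the rewritten form is assumed from the description in the question, and Python's `re` stands in for SpamAssassin's Perl regex engine.

```python
import re

# Pattern copied from the FROM_ANGLE_UNQUAL rule in the reply. It uses only
# constructs that behave the same in Perl and in Python's re module.
FROM_ANGLE_UNQUAL = re.compile(r"<[^<\@]*>[^\@]*\@")

# Constructed sample From header values (not taken from real mail).
# "after_sendmail_rewrite" assumes the rewrite described in the question:
# the unqualified <UPS> gets the local host name appended.
SAMPLES = {
    "raw_malformed": "<UPS>sender@example.com",
    "after_sendmail_rewrite": "<UPS@mx.example.net>sender@example.com",
    "normal_display_name": '"UPS Tracking" <sender@example.com>',
    "bare_address": "sender@example.com",
    "angle_only": "<sender@example.com>",
    "empty_brackets": "<>sender@example.com",
}


def rule_hits(from_value: str) -> bool:
    """Return True if the header value would trigger the rule's pattern."""
    return FROM_ANGLE_UNQUAL.search(from_value) is not None


def classify(samples: dict) -> dict:
    """Map each sample name to whether the pattern matches its value."""
    return {name: rule_hits(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{'HIT ' if hit else 'miss'}  {name:24} {SAMPLES[name]}")
```

The miss on the rewritten form is the reason the rule only helps when SpamAssassin is handed the header before Sendmail qualifies it.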
