Excerpts from Charles Gregory's message of Thu Jun 11 07:13:02 -0700 2009:
> 
> How many accounts are we talking about here?
> If it is just one or two addresses, and the user(s) being 'spoofed' have
> distinctive *names* on their genuine 'From' headers, then you can
> test for quoted messages in the body that contain a From line with the
> correct address but a *wrong* 'name' in front of it.
> 
> To use your address as an example:
> 
> body LOC_NOTARVIS /^[ ]*From: "?([^A]|A[^r]|Ar[^v])[^<>@]+<a...@exys\.org>/
> 
> So any junk 'returned' to you as faked sender, containing, for example:
> 
>     Returned
>     From: Bob smith <a...@exys.org>
> 
> ....would trip over this rule.
> Also note that if somehow your name is *stripped*, and only the address
> appears, this rule will *not* trigger. It only works on *wrong* names
> in front of your address. The use of [^<>@] keeps the rule from triggering 
> if someone has specified multiple addresses. You might not want this on a 
> body 'From' test, but I also use this as a header 'To' rule for some of 
> my clients to stop dictionary spam attacks.... :)
> 
> - Charles

Thanks! This looks very useful. 

We temporarily have blocked some networks which exhaust our relays.
This is indeed caused by only a few domains all from the same customer
group (trading stuff), and I think some spammers
are using those addresses as From: mainly because 1) it looks
trustworthy 2) we allow sender callins.
Interestingly the backscatter is _only_ caused by domains within Russia
with almost identical format (well, all qmail), so I'm looking into
triggering that.

That forged Name/Address relationship is a pretty good find. I'll
look into applying that rule system wide.
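To see exactly which quoted From lines Charles's rule catches and which it lets through, here is an added Python transcription of the regex (not code from the thread), run over constructed bounce bodies for the cases he describes: a wrong name, the genuine name, a stripped name, and several addresses on one line. The page elides the protected address, so "owner@example.org" and the display name "Arvis Lang" are placeholders; the real name is only known to start with "Arv".

```python
import re

# Placeholders: the thread elides the protected address, and the genuine
# display name is only known to begin with "Arv" (rule name LOC_NOTARVIS).
ADDR = r"owner@example\.org"

# Charles's rule transcribed: the alternation accepts a name that does not
# start with "Arv", and [^<>@]+ stops the match when another address sits
# between the name and <ADDR>.
ORIGINAL = re.compile(
    r'^[ ]*From: "?(?:[^A]|A[^r]|Ar[^v])[^<>@]+<' + ADDR + ">", re.M
)

# Hardened variant (added here, not from the thread): the optional quote is
# folded into a negative lookahead, so a *quoted* genuine name cannot match
# by backtracking "? to empty and letting [^A] consume the quote character.
HARDENED = re.compile(r'^[ ]*From: (?!"?Arv)[^<>@]+<' + ADDR + ">", re.M)


def forged_from_lines(body: str, rule: re.Pattern = HARDENED) -> list[str]:
    """Return the lines of a bounced body that quote ADDR behind a display
    name other than the genuine one; an empty list means the rule stays quiet."""
    return [m.group(0).strip() for m in rule.finditer(body)]


# Constructed sample bodies, one per case discussed in the thread.
BACKSCATTER = "Returned\nFrom: Bob smith <owner@example.org>\n"
GENUINE = "From: Arvis Lang <owner@example.org>\n"
GENUINE_QUOTED = 'From: "Arvis Lang" <owner@example.org>\n'
NAME_STRIPPED = "From: <owner@example.org>\n"   # name removed: no trigger
MULTI_ADDR = "From: Bob <other@example.net>, Eve <owner@example.org>\n"

if __name__ == "__main__":
    for label, body in [("backscatter", BACKSCATTER), ("genuine", GENUINE),
                        ("genuine quoted", GENUINE_QUOTED),
                        ("name stripped", NAME_STRIPPED),
                        ("multiple addresses", MULTI_ADDR)]:
        print(f"{label:20} original={bool(forged_from_lines(body, ORIGINAL))}"
              f" hardened={bool(forged_from_lines(body))}")
```

The one divergence is the quoted genuine name: the original pattern fires on `From: "Arvis Lang" <...>` through backtracking, while the lookahead form does not, so a rule like this is worth checking against the user's own quoted-name messages before it goes system wide.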
