a...@ibcsolutions.de wrote:
> Excerpts from Charles Gregory's message of Thu Jun 11 07:13:02 -0700 2009:
>> How many accounts are we talking about here?
>> If it is just one or two addresses, and the user(s) being 'spoofed' have
>> distinctive *names* on their genuine 'From' headers, then you can
>> test for quoted messages in the body that contain a From line with the
>> correct address but a *wrong* 'name' in front of it.
>>
>> To use your address as an example:
>>
>> body LOC_NOTARVIS /^[ ]*From: "?([^A]|A[^r]|Ar[^v])[^<>@]+<a...@exys\.org>/
>>
>> So any junk 'returned' to you as faked sender, containing, for example:
>>
>>     Returned
>>     From: Bob smith <a...@exys.org>
>>
>> ....would trip over this rule.
>> Also note that if somehow your name is *stripped*, and only the address
>> appears, this rule will *not* trigger. It only works on *wrong* names
>> in front of your address. The use of [^<>@] keeps the rule from triggering 
>> if someone has specified multiple addresses. You might not want this on a 
>> body 'From' test, but I also use this as a header 'To' rule for some of 
>> my clients to stop dictionary spam attacks.... :)
>>
>> - Charles
> 
> Thanks! This looks very useful. 
> 
> We temporarily have blocked some networks which exhaust our relays.
> This is indeed caused by only a few domains all from the same customer
> group (trading stuff), and I think some spammers
> are using those addresses as From: mainly because 1) it looks
> trustworthy 2) we allow sender callins.
> Interestingly the backscatter is _only_ caused by domains within Russia
> with almost identical format (well, all qmail), so I'm looking into
> triggering that.
> 
> That forged Name/Address relationship is a pretty good find. I'll
> look into applying that rule system wide.

I wouldn't recommend this. My friends use so many variants of my
name/nick/... that I can't do that even for my own address.

Only use as a cure.
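
Added example, not part of the thread: the posted pattern run in Python over constructed quoted lines, one line at a time (SpamAssassin's own body rendering is not modelled), to show which cases fire, including the name-variant false positive raised in the last reply. The owner name and address are placeholders for the redacted ones, and the lookahead variant is an assumption of this example, not a rule from the thread.

```python
import re

# Constructed placeholders: the thread's real address is redacted, so a
# made-up owner ("Arvo Placeholder" <owner@example.org>) stands in for it.
ADDR = r"<owner@example\.org>"

# The pattern as posted, with only the address swapped for the placeholder.
POSTED = re.compile(r'^[ ]*From: "?([^A]|A[^r]|Ar[^v])[^<>@]+' + ADDR)

# Variant (assumption of this example): a negative lookahead rejects the
# genuine name prefix whether or not an opening quote precedes it.
LOOKAHEAD = re.compile(r'^[ ]*From: (?!"?Arv)[^<>@]+' + ADDR)

# Constructed sample lines, as they might appear quoted in a bounce body.
SAMPLES = {
    "forged":   'From: Bob smith <owner@example.org>',
    "genuine":  'From: Arvo Placeholder <owner@example.org>',
    "quoted":   'From: "Arvo Placeholder" <owner@example.org>',
    "stripped": 'From: <owner@example.org>',
    "multiple": 'From: Bob <bob@example.net>, <owner@example.org>',
    "nickname": 'From: Big A <owner@example.org>',
    "indented": '    From: Bob smith <owner@example.org>',
}


def hits(pattern):
    """Return the labels of the sample lines the pattern fires on."""
    return {label for label, line in SAMPLES.items() if pattern.match(line)}


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("lookahead", LOOKAHEAD)):
        print(name, sorted(hits(pattern)))
```

With the posted pattern the optional `"?` can match nothing, so the opening quote of a genuine quoted name is consumed by `[^A]` and the line fires; the lookahead form does not. Both still fire on a legitimate nickname, which is the false-positive risk noted above for system-wide use.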
