This could also be an attempt to get a mailing list to work.
There's a continuing problem with email list traffic getting bounced by
DKIM, and various work-arounds - the gist is that the mail has to come
from the list manager, but you still need a way to indicate the original
author of the message. Hacks abound. But basically, DKIM is just broken.
Miles Fidelman
On 9/27/17 12:16 AM, Jakob Curdes wrote:
Hello all,
I recently stumbled onto a mail with a Spam link where the FROM header
field looked like this:
From: "Firstname Lastname@" <recipient-domain.com
sendern...@real-senders-domain.com>
which is displayed in different ways on different devices but most do
display something resembling an internal from address, maybe with an
additional second external address.
So it is a way to make users think this is an internal sender -
probably it gets harder and harder to circumvent the ever-growing SPF
rejections.
(The real sender domain has a valid SPF and DKIM entry).
I wonder whether it is possible to detect such a header with
spamassassin means? I only see the following rules that hit:
[BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001
I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly
different scope and I would not want to just raise the score for that
rule, it would probably give many false positives.
This is SpamAssassin 3.3.1 on CentOS 6.
Regards and thanks, JC
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
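
The check the question asks about, sketched as an added example (not from the thread, and not a SpamAssassin rule): it flags a From: header whose display name contains an address at one of your own domains while the bracketed address is external. The function name, the `local_domains` parameter and the sample headers are constructed for illustration; the placeholder domains follow the post.

```python
import re

# Display name, then the real address in angle brackets.
ANGLE_ADDR = re.compile(r'^(?P<name>.*)<(?P<addr>[^<>]*)>\s*$', re.S)
# Anything inside the display name that looks like local-part@domain.
ADDR_IN_NAME = re.compile(
    r'[^\s"<>@]*@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)')


def classify_from(header_value, local_domains):
    """Return 'internal-lookalike', 'mismatch' or None for one From: value."""
    local = {d.lower() for d in local_domains}
    # Unfold a header that was wrapped onto a continuation line.
    value = re.sub(r'\r?\n[ \t]+', ' ', header_value).strip()
    m = ANGLE_ADDR.match(value)
    if not m:
        return None  # bare address: there is no display name to abuse
    real_domain = m.group('addr').rpartition('@')[2].strip().lower()
    verdict = None
    for hit in ADDR_IN_NAME.finditer(m.group('name')):
        shown = hit.group('domain').lower()
        if shown == real_domain:
            continue  # name repeats the real address: harmless
        if shown in local and real_domain not in local:
            # Display name claims one of our domains, sender is external.
            return 'internal-lookalike'
        verdict = 'mismatch'  # weaker signal, prone to false positives
    return verdict


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Firstname Lastname@recipient-domain.com" <someone@real-senders-domain.com>',
    '"Alice Example" <alice@recipient-domain.com>',
    '"bob@partner.example" <bob@partner.example>',
    '"carol@partner.example" <news@bulk-mailer.example>',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(classify_from(sample, {'recipient-domain.com'}), '|', sample)
```

Only the `internal-lookalike` verdict matches the pattern described in the post; scoring the plain `mismatch` case as well would hit many legitimate senders whose display name includes a contact address.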