David Jones wrote on 2017-10-02 19:43:
https://pastebin.com/f07Gq1kZ
https://pastebin.com/FMsJNGba
This is catching this pretty well so far:
header FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an email address in the display name
score FROM_SPOOF_EMAIL_DISPLAY 4.2
From: some...@example.com <maintena...@soldive.fr>
Also, IMHO from:name must be with quoted content like
From: "some...@example.com" <maintena...@soldive.fr>
for being RFC valid. Was the extra space from from: added by you? I
have only seen spam bots do this.
You miss hits on TLDs with the above tests, with only support for
3-char TLDs, no?
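
A small regression check for the two points raised in this thread (quoted display names and TLDs longer than three letters), added here as an example and not code from either poster. POSTED is the rule body as quoted above; WIDENED is a hypothetical variant, and every From value in SAMPLES is constructed with placeholder addresses.

```python
import re

# Rule body exactly as posted in the thread (SpamAssassin: From =~ /.../i).
POSTED = re.compile(r"\@[a-z_]+?\.[a-z]{2,3} \<", re.I)

# Hypothetical widened variant (an assumption, not from the thread):
# digits, hyphens and dots in the domain, TLDs of two or more letters,
# and an optional closing quote before the space.
WIDENED = re.compile(r"\@[a-z0-9._-]+\.[a-z]{2,}\"? \<", re.I)

# Constructed From header values; all addresses are placeholders.
SAMPLES = {
    "bare_3char_tld": 'user@example.com <sender@mailer.example>',
    "quoted_display": '"user@example.com" <sender@mailer.example>',
    "long_tld": 'user@example.info <sender@mailer.example>',
    "plain_name": 'Example User <sender@mailer.example>',
    "address_only": 'sender@mailer.example',
}

# Samples that carry an address in the display name and should be hit.
SHOULD_HIT = ["bare_3char_tld", "quoted_display", "long_tld"]


def evaluate(pattern):
    """Return {sample name: True/False} for one compiled rule body."""
    return {name: bool(pattern.search(value)) for name, value in SAMPLES.items()}


def misses(pattern, expected_hits=SHOULD_HIT):
    """Names of samples the rule was expected to hit but did not."""
    result = evaluate(pattern)
    return sorted(name for name in expected_hits if not result[name])


def false_hits(pattern, expected_hits=SHOULD_HIT):
    """Names of samples the rule hit although no address is in the display name."""
    result = evaluate(pattern)
    return sorted(n for n, hit in result.items() if hit and n not in expected_hits)


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("widened", WIDENED)):
        print(label, "misses:", misses(pattern), "false hits:", false_hits(pattern))
```

Any widened pattern should be run against a ham corpus before it is given a score as high as 4.2.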