Hello all, I was the original poster of this topic but was away for a couple of days. I find it amazing to see the number of suggestions and ideas that have come up here.

However, none of the constructions matched "my" From: lines of the form

From: "Firstname Lastname@" <recipient-domain.com sendern...@real-senders-domain.com <mailto:sendern...@real-senders-domain.com>>

I therefore now constructed the following rules:

describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like "us...@companya.com" <us...@companyb.com>
header  __FROM_NAME_ADDRESS_EQUAL From =~ /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header  __FROM_NAME_CONTAINS_ADDRESS From =~ /["']?(\w+@\w+\.\w+)["']?\s*\</i

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && ! __FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL

(The last META could even get a slightly negative score; I occasionally see people entering their email address in the name field.)

and am now waiting to see some hits. I consider the risk of false positives low in this case: if these METAs match, somebody is trying to trick you.

Regards JC

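To see what the rules above actually fire on, here is an added example (not part of the original post, and not SpamAssassin code) that re-implements the three METAs in Python and runs them over a handful of constructed From: header values. The `split_from` helper is an assumed approximation of SpamAssassin's `From:name` / `From:addr` modifiers (last `<...>` is the address part, whatever precedes it minus quotes is the name part), the sample headers and domain names are made up, and `ADDR_WIDE` is an assumed wider address pattern added to show one caveat of the post's `\w+@\w+\.\w+` pattern: a legitimate "first.last@x <first.last@x>" header trips FROM_SPOOF_SENDER2 instead of FROM_ADDRESS_TWICE, because `\w` does not match the dot in the local part, so the backreference never sees the whole address.

```python
"""Re-implementation of the From: header METAs from the post above, for testing
against sample headers. Helper names and samples are this example's own."""
import re

# Constructed sample From: header values (not taken from real mail).
SAMPLES = {
    "name_has_at_and_two_addrs":
        '"Firstname Lastname@" <recipient-domain.com sender@real-senders-domain.com>',
    "name_addr_differs": '"user@companya.com" <user@companyb.com>',
    "name_addr_equal":   '"user@companya.com" <user@companya.com>',
    "plain":             'Firstname Lastname <user@companya.com>',
    "bare_addr":         'user@companya.com',
    # Legitimate, but the local part contains a dot.
    "dotted_equal":      '"first.last@companya.com" <first.last@companya.com>',
}

# Address sub-pattern exactly as used in the post's two "From =~" rules.
ADDR_ORIGINAL = r"\w+@\w+\.\w+"
# Assumed wider alternative (not from the post): dots, plus and hyphens in the
# local part, multi-label domains.
ADDR_WIDE = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"


def _patterns(addr_re):
    """Build the __FROM_NAME_CONTAINS_ADDRESS and __FROM_NAME_ADDRESS_EQUAL
    regexes around a given address sub-pattern."""
    contains = re.compile(r'["\']?(' + addr_re + r')["\']?\s*<', re.I)
    equal = re.compile(r'["\']?(' + addr_re + r')["\']?\s*<\1>', re.I)
    return contains, equal


def split_from(header):
    """Approximate SpamAssassin's From:name / From:addr (assumption): the last
    <...> is the address part; what precedes it, minus quotes, is the name."""
    m = re.search(r"<([^>]*)>\s*$", header)
    if not m:
        return "", header.strip()
    name = header[: m.start()].strip().strip("\"'").strip()
    return name, m.group(1).strip()


def evaluate(header, addr_re=ADDR_ORIGINAL):
    """Return the set of META rule names that fire for one From: header value."""
    contains_re, equal_re = _patterns(addr_re)
    name, addr = split_from(header)

    # The four sub-rules from the post.
    name_contains_at = "@" in name                                   # From:name =~ /\@/
    multiple_addr = re.search(r"\s", addr) is not None               # From:addr =~ /\s/
    name_contains_address = contains_re.search(header) is not None
    name_address_equal = equal_re.search(header) is not None

    hits = set()
    if name_contains_at and multiple_addr:
        hits.add("FROM_SPOOF_SENDER1")
    if name_contains_address and not name_address_equal:
        hits.add("FROM_SPOOF_SENDER2")
    if name_contains_address and name_address_equal:
        hits.add("FROM_ADDRESS_TWICE")
    return hits


def evaluate_all(addr_re=ADDR_ORIGINAL):
    """Run every sample through evaluate(); results sorted for stable comparison."""
    return {label: sorted(evaluate(h, addr_re)) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in evaluate_all().items():
        print(f"{label:28s} {hits or '-'}")
    print("dotted_equal with ADDR_WIDE:",
          sorted(evaluate(SAMPLES["dotted_equal"], ADDR_WIDE)))
```

With the post's own pattern the first three samples each fire exactly the META intended for them and the two ordinary headers fire nothing, but `dotted_equal` is scored as FROM_SPOOF_SENDER2; with the wider pattern it correctly lands on FROM_ADDRESS_TWICE. Whether to widen the pattern in the real rule is a judgement call (the post explicitly accepts that FROM_ADDRESS_TWICE may be worth a slightly negative score), but it is worth checking your own corpus for dotted local parts before relying on FROM_SPOOF_SENDER2 as a low-false-positive signal.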