FROM header with two email addresses

FROM header with two email addresses

Jakob Curdes
Hello all,

I recently stumbled onto a mail with a Spam link where the FROM header field looked like this:

From: "Firstname Lastname@" <recipient-domain.com [hidden email]>

which is displayed in different ways on different devices but most do display something resembling
an internal from address, maybe with an additional second external address.
So it is a way to make users think this is an internal sender - probably it gets harder and harder
to circumvent the ever-growing SPF rejections.
(The real sender domain has a valid SPF and DKIM entry).

I wonder whether it is possible to detect such a header with spamassassin means? I only see the
following rules that hit:

[BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001

I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly different scope and I would
not want to just raise the score for that rule, it would probably give many false positives.
This is spamassassin 3.3.1 on Centos 6.

Regards and thanks, JC


Re: FROM header with two email addresses

Bill Cole
On 27 Sep 2017, at 3:16, Jakob Curdes wrote:

> Hello all,
>
> I recently stumbled onto a mail with a Spam link where the FROM header
> field looked like this:
>
> From: "Firstname Lastname@" <recipient-domain.com
> [hidden email]>
>
> which is displayed in different ways on different devices but most do
> display something resembling an internal from address, maybe with an
> additional second external address.

Or if the MUA is minimally competent, it displays the whole broken
pathological From header, not some misparsed deception. But like
poverty, it seems that Outlook will always be with us...

> So it is a way to make users think this is an internal sender -
> probably it gets harder and harder to circumvent the ever-growing SPF
> rejections.
> (The real sender domain has a valid SPF and DKIM entry).

SPF has nothing to do with From headers.
I find it amazing that a DKIM implementation would not choke on that
From, since it is syntactically improper.

> I wonder whether it is possible to detect such a header with
> spamassassin means?

A custom rule would work.

> I only see the following rules that hit:
>
> [BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001

Ok, so you do realize that URIBL_BLOCKED is a serious problem, right? I
mean, you're trying to do checks of URLs against a URIDNSBL that won't
give you a real answer until you fix your DNS, reduce your query volume,
or pay for a direct datafeed. Fix that problem and you are likely to
catch a bunch more spam.

> I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly
> different scope and I would not want to just raise the score for that
> rule, it would probably give many false positives.

Indeed, NAME_EMAIL_DIFF is not part of the default ruleset, so I'd be
very careful with it.

> This is spamassassin 3.3.1 on Centos 6.

Antique aficionado? :)

I don't think you'd solve this particular case by updating to a modern
version of SA, but it is possible, since there are a number of rules that
only work in 3.4.x.

Re: FROM header with two email addresses

Kevin A. McGrail-2

I recently stumbled onto a mail with a Spam link where the FROM header field looked like this:

From: "Firstname Lastname@" <recipient-domain.com [hidden email]>

Jakob, just wanted to let you know I identified this issue as well and just opened a ticket about it yesterday to try and figure out a rule against it.  Can you send me spamples via pastebin, please?


Regards,
KAM


Re: FROM header with two email addresses

Benny Pedersen-2
Kevin A. McGrail wrote on 2017-09-27 16:52:
>> I recently stumbled onto a mail with a Spam link where the FROM
>> header field looked like this:
>>
>> From: "Firstname Lastname@" <recipient-domain.com
>> [hidden email]>
>
> Jakob, just wanted to let you know I identified this issue as well and
> just opened a ticket about it yesterday to try and figure out a rule
> against it.  Can you send me spamples via pastebin, please?

untested:

header FROM_NAME_HAVE_SNABLE_A From:name =~ /\@/i

who would test this ?

the above sample has the from domain twice, in from:addr and in from:name

both should be meta'ed

sorry if my syntax is not right, I wrote it here on Windows, so sorry,
just trying to help

Re: FROM header with two email addresses

Jakob Curdes
In reply to this post by Jakob Curdes


On 27.09.2017 16:54, "Kevin A. McGrail" <[hidden email]> wrote:

I recently stumbled onto a mail with a Spam link where the FROM header field looked like this:

From: "Firstname Lastname@" <recipient-domain.com [hidden email]>

Jakob, just wanted to let you know I identified this issue as well and just opened a ticket about it yesterday to try and figure out a rule against it.  Can you send me spamples via pastebin, please?

Yes will try to, have to ask customer first though. JC

Re: FROM header with two email addresses

milesf
In reply to this post by Jakob Curdes
This could also be an attempt to get a mailing list to work.

There's a continuing problem with email list traffic getting bounced by
DKIM, and various work-arounds - the gist is that the mail has to come
from the list manager, but you still need a way to indicate the original
author of the message.  Hacks abound. But basically, DKIM is just broken.

Miles Fidelman


On 9/27/17 12:16 AM, Jakob Curdes wrote:

> Hello all,
>
> I recently stumbled onto a mail with a Spam link where the FROM header
> field looked like this:
>
> From: "Firstname Lastname@" <recipient-domain.com
> [hidden email]>
>
> which is displayed in different ways on different devices but most do
> display something resembling an internal from address, maybe with an
> additional second external address.
> So it is a way to make users think this is an internal sender -
> probably it gets harder and harder to circumvent the ever-growing SPF
> rejections.
> (The real sender domain has a valid SPF and DKIM entry).
>
> I wonder whether it is possible to detect such a header with
> spamassassin means? I only see the following rules that hit:
>
> [BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001
>
>
> I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly
> different scope and I would not want to just raise the score for that
> rule, it would probably give many false positives.
> This is spamassassin 3.3.1 on Centos 6.
>
> Regards and thanks, JC

--
In theory, there is no difference between theory and practice.
In practice, there is.  .... Yogi Berra


Re: FROM header with two email addresses

Alan Hodgson
On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote:
This could also be an attempt to get a mailing list to work.

There's a continuing problem with email list traffic getting bounced by 
DKIM, and various work-arounds - the gist is that the mail has to come 
from the list manager, but you still need a way to indicate the original 
author of the message.  Hacks abound. But basically, DKIM is just broken.


DKIM works fine. It is in fact working as intended when a signature fails to validate against a message that has been modified in transit.

Mailing lists or other forwarders that modify signed portions of the message without taking ownership of the From: header are just not compatible with DKIM or DMARC-reject senders.

Re: FROM header with two email addresses

Benny Pedersen-2
In reply to this post by milesf
Miles Fidelman wrote on 2017-09-27 20:42:
> This could also be an attempt to get a mailing list to work.

I have seen a few mails get a DKIM fail from apache.org, very few, but it's
normally not a DMARC fail for me on this; what is worse is that
opendmarc still has broken SPF support :(

even google does not care in reports

> There's a continuing problem with email list traffic getting bounced
> by DKIM, and various work-arounds - the gist is that the mail has to
> come from the list manager, but you still need a way to indicate the
> original author of the message.  Hacks abound. But basically, DKIM is
> just broken.

I have added a patch to opendmarc that ignores domains that have policy
reject on DMARC if it's a known mailing list sender MTA; this way I would
stay on mailing lists and have policy reject. If I turned down to quarantine
policy, people would not see the forest for the trees.

I will still keep the postfix mailing list, which never broke DKIM, as a good
reference.

Re: FROM header with two email addresses

David Jones
In reply to this post by Kevin A. McGrail-2
On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:

>
>> I recently stumbled onto a mail with a Spam link where the FROM header
>> field looked like this:
>>
>> From: "Firstname Lastname@" <recipient-domain.com
>> [hidden email]>
>
> Jakob, just wanted to let you know I identified this issue as well and
> just opened a ticket about it yesterday to try and figure out a rule
> against it.  Can you send me spamples via pastebin, please?
>
>
> Regards,
> KAM
>

I am seeing this more and more on my SA filters and being reported by my
customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header          FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an email address in the display name
score           FROM_SPOOF_EMAIL_DISPLAY    4.2

P.S. I am sure that someone will suggest an improvement to the above
rule and they are welcome.  I know it won't catch all email addresses
based on that regex so it probably should be adjusted to handle new TLDs
with more than 3 characters.

P.S.S. Standard disclaimer to adjust the score down until you have done
some testing in your environment then score it how you see fit.

--
David Jones

Re: FROM header with two email addresses

Benny Pedersen-2
David Jones wrote on 2017-10-02 19:43:

> https://pastebin.com/f07Gq1kZ
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header          FROM_SPOOF_EMAIL_DISPLAY    From =~
> /\@[a-z_]+?\.[a-z]{2,3} \</i
> describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
> email address in the display name
> score           FROM_SPOOF_EMAIL_DISPLAY    4.2

 From:  [hidden email] <[hidden email]>

Also, IMHO from:name must be with quoted content like

 From: "[hidden email]" <[hidden email]>

to be RFC valid. Was the extra space after From: added by you? I
have only seen spam bots do this.

You miss hits on TLDs with the above test, which only supports 3-char
TLDs, no?

Re: FROM header with two email addresses

John Hardin
In reply to this post by David Jones
On Mon, 2 Oct 2017, David Jones wrote:

> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>
>> >  I recently stumbled onto a mail with a Spam link where the FROM header
>> >  field looked like this:
>> >
>> >  From: "Firstname Lastname@" <recipient-domain.com
>> >  [hidden email]>
>>
>>  Jakob, just wanted to let you know I identified this issue as well and
>>  just opened a ticket about it yesterday to try and figure out a rule
>>  against it.  Can you send me spamples via pastebin, please?
>>
>>
>>  Regards,
>>  KAM
>>
>
> I am seeing this more and more on my SA filters and being reported by my
> customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header          FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3}
> \</i
> describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an email
> address in the display name
You probably want to let SA do the header parsing and write your rule
against From:name or From:addr instead.

If you're testing your rules in a sandbox using debug mode, this may help:

   header   __FROM_NAME  From:name =~ /.*/
   header   __FROM_ADDR  From:addr =~ /.*/

That way you can see what's actually being parsed from the header.


Potentially this might be as simple as:

   header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/

or

   header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

No idea how FP-prone those might be, though, so it's probably prudent to
meta them with other stuff as well...


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If you ask amateurs to act as front-line security personnel,
   you shouldn't be surprised when you get amateur security.
                                                     -- Bruce Schneier
-----------------------------------------------------------------------
  186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

David Jones
On 10/02/2017 01:11 PM, John Hardin wrote:

> On Mon, 2 Oct 2017, David Jones wrote:
>
>> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>>
>>> >  I recently stumbled onto a mail with a Spam link where the FROM
>>> header >  field looked like this:
>>> > >  From: "Firstname Lastname@" <recipient-domain.com >  
>>> [hidden email]>
>>>
>>>  Jakob, just wanted to let you know I identified this issue as well and
>>>  just opened a ticket about it yesterday to try and figure out a rule
>>>  against it.  Can you send me spamples via pastebin, please?
>>>
>>>
>>>  Regards,
>>>  KAM
>>>
>>
>> I am seeing this more and more on my SA filters and being reported by
>> my customers:
>>
>> https://pastebin.com/f07Gq1kZ
>>
>> https://pastebin.com/FMsJNGba
>>
>> This is catching this pretty well so far:
>>
>> header          FROM_SPOOF_EMAIL_DISPLAY    From =~
>> /\@[a-z_]+?\.[a-z]{2,3} \</i
>> describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
>> email address in the display name
>
> You probably want to let SA do the header parsing and write your rule
> against From:name or From:addr instead.
>

Thank you for the suggestions.  I didn't know about the From:name and
From:addr parsing by SA.  As it turns out, the double quotes missing are
very important.  When I use the From:name which properly has the quotes,
I am hitting many false positives.  It appears that legit sending people
or mail clients are putting email addresses in their "Display Name".
It's the ones without quotes that are spam a high percentage of the time
in my mail flow.

I have gone back to my original rule that catches senders that put an
email address in the Display Name and do not have quotes.

> If you're testing your rules in a sandbox using debug mode, this may help:
>
>    header   __FROM_NAME  From:name =~ /.*/
>    header   __FROM_ADDR  From:addr =~ /.*/
>
> That way you can see what's actually being parsed from the header.
>
>
> Potentially this might be as simple as:
>
>    header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
>
> or
>
>    header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>
> No idea how FP-prone those might be, though, so it's probably prudent to
> meta them with other stuff as well...
>
>
--
David Jones

Re: FROM header with two email addresses

John Hardin
On Mon, 2 Oct 2017, David Jones wrote:

> On 10/02/2017 01:11 PM, John Hardin wrote:
>>  On Mon, 2 Oct 2017, David Jones wrote:
>>
>> >  On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>> > >
>> > > >   I recently stumbled onto a mail with a Spam link where the FROM
>> > > header >   field looked like this:
>> > > > >   From: "Firstname Lastname@" <recipient-domain.com >
>> > >  [hidden email]>
>> > >
>> > >   Jakob, just wanted to let you know I identified this issue as well
>> > >  and
>> > >   just opened a ticket about it yesterday to try and figure out a rule
>> > >   against it.  Can you send me spamples via pastebin, please?
>> > >
>> > >
>> > >   Regards,
>> > >   KAM
>> > >
>> >
>> >  I am seeing this more and more on my SA filters and being reported by my
>> >  customers:
>> >
>> >  https://pastebin.com/f07Gq1kZ
>> >
>> >  https://pastebin.com/FMsJNGba
>> >
>> >  This is catching this pretty well so far:
>> >
>> >  header          FROM_SPOOF_EMAIL_DISPLAY    From =~
>> >  /\@[a-z_]+?\.[a-z]{2,3} \</i
>> >  describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
>> >  email address in the display name
>>
>>  You probably want to let SA do the header parsing and write your rule
>>  against From:name or From:addr instead.
>>
>
> Thank you for the suggestions.  I didn't know about the From:name and
> From:addr parsing by SA.  As it turns out, the double quotes missing are very
> important.  When I use the From:name which properly has the quotes, I am
> hitting many false positives.  It appears that legit sending people or mail
> clients are putting email addresses in their "Display Name". It's the ones
> without quotes that are spam a high percentage of the time in my mail flow.
Not surprising.

> I have gone back to my original rule that catches senders that put an email
> address in the Display Name and do not have quotes.

How about:

header  __FROM_QUOTES           From =~ /"/
header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)

>>  If you're testing your rules in a sandbox using debug mode, this may help:
>>
>>     header   __FROM_NAME  From:name =~ /.*/
>>     header   __FROM_ADDR  From:addr =~ /.*/
>>
>>  That way you can see what's actually being parsed from the header.
>>
>>
>>  Potentially this might be as simple as:
>>
>>     header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
>>
>>  or
>>
>>     header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>>
>>  No idea how FP-prone those might be, though, so it's probably prudent to
>>  meta them with other stuff as well...
--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The world has enough Mouse Clicking System Engineers.
                                                        -- Dave Pooser
-----------------------------------------------------------------------
  186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

Benny Pedersen-2
In reply to this post by David Jones
David Jones wrote on 2017-10-02 20:54:

> I have gone back to my original rule that catches senders that put an
> email address in the Display Name and do not have quotes.

Also matches what I see: non-spam has " around from:name while spam
does not.

Testing if there is an @ in from:name is a second test to possibly use in a meta.

Re: FROM header with two email addresses

Benny Pedersen-2
In reply to this post by John Hardin
John Hardin wrote on 2017-10-02 21:07:

> How about:
>
> header  __FROM_QUOTES           From =~ /"/
> header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
> meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES
>
> (warning: totally untested)

+1

I can only see one problem with it, which is that email addresses are
caSe-insensitive, and you test casE-sensitive.

It is basically a rule I'd like to keep.

Re: FROM header with two email addresses

John Hardin
On Mon, 2 Oct 2017, Benny Pedersen wrote:

> John Hardin wrote on 2017-10-02 21:07:
>
>>  How about:
>>
>>  header  __FROM_QUOTES           From =~ /"/
>>  header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
>>  meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES
>>
>>  (warning: totally untested)
>
> +1
>
> I can only see one problem with it, which is that email addresses are
> caSe-insensitive, and you test casE-sensitive
Where?  \w is not case-sensitive.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Homeland Security: Specializing in Tactical Band-aids
   for Strategic Problems.         -- Eric K. in Bruce Schneier's blog
-----------------------------------------------------------------------
  186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

Benny Pedersen-2
John Hardin wrote on 2017-10-02 23:13:

> Where?  \w is not case-sensitive.

Perfect then, I had not known that; still learning.

Re: FROM header with two email addresses

Martin Gregorie-2
On Mon, 2017-10-02 at 23:18 +0200, Benny Pedersen wrote:
> John Hardin wrote on 2017-10-02 23:13:
>
> > Where?  \w is not case-sensitive.
>
> Perfect then, I had not known that; still learning.
>
Do you have a copy of the 'Camel Book'? AKA "Programming Perl" by Larry
Wall, Tom Christiansen & Jon Orwant, pub O'Reilly.

If you don't have it, you need a copy. It's never failed to explain
anything I've needed to know about Perl, and its chapter on regexes will
help you to solve all regex-based SA rule problems.

Or there's an online reference: http://www.regular-expressions.info/

Also worth knowing:
 
- if you're running Linux, you can use the grep command to test
  regexes. Use the -P or --perl-regexp option to make grep use Perl
  regexes, so it is possible to quickly test regexes you want to use
  in SA rules by running the spam, saved as a file, through the
 
     grep -P 'regex' <spam

  command as a really fast check on whether the regex is any good
  before you add a rule using it to a .cf file. I use this quite a
  lot.

- if you don't like bash command lines or use some other OS, you can
  do the same with the online regex tester at https://regex101.com/ 
  by typing in your regex and then pasting the relevant part of the
  spam message you're testing against into its 'Test String' box.

Martin


Re: FROM header with two email addresses

Michael Storz
In reply to this post by David Jones
On 2017-10-02 19:43, David Jones wrote:

> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>
>>> I recently stumbled onto a mail with a Spam link where the FROM
>>> header field looked like this:
>>>
>>> From: "Firstname Lastname@" <recipient-domain.com
>>> [hidden email]>
>>
>> Jakob, just wanted to let you know I identified this issue as well and
>> just opened a ticket about it yesterday to try and figure out a rule
>> against it.  Can you send me spamples via pastebin, please?
>>
>>
>> Regards,
>> KAM
>>
>
> I am seeing this more and more on my SA filters and being reported by
> my customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>

These are typical examples of the emails sent by a botnet since at
least May this year. You can catch these mostly with a simple rule:

header __LRZ_BND_MS        Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta   LRZ_HEADER_SPAM_99  (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

Regards,
Michael

Re: FROM header with two email addresses

Jakob Curdes

Hello all, I was the original poster of this topic but was away for a couple of days.
I find it amazing to see the number of suggestions and ideas that have come up here.

However, none of the constructions matched "my" From: lines of the form

From: "Firstname Lastname@" <recipient-domain.com [hidden email]>

I therefore now constructed the following rules:

describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like [hidden email] [hidden email]
header  __FROM_NAME_ADDRESS_EQUAL From =~ /[[hidden email]']?\s*\<\1\>/i
header  __FROM_NAME_CONTAINS_ADDRESS From =~ /[[hidden email]']?\s*\</i

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && ! __FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL

(the last META could even get a slightly negative score, I occasionally see people entering their email address in the name field).

and am now waiting to see some hits. I consider the risk of false positives low in this case, if these METAs are matched somebody is trying to trick you.

Regards JC
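A worked check of the rule variants proposed in this thread, added here as an example and not code from the thread or from SpamAssassin itself. It emulates SA's From:name / From:addr extraction with a simplified regex (an assumption, not SA's real parser) and runs John Hardin's __FROM_SPOOF meta, David Jones' FROM_SPOOF_EMAIL_DISPLAY regex and Jakob's FROM_SPOOF_SENDER1 meta over constructed From: headers, so you can see which construction catches which header shape and where the quoted-display-name false positive lands.

```python
import re

# Constructed sample From: header values (not real senders).
SAMPLES = {
    # the header shape from the original post: display name ends in "@" and the
    # angle-bracket part carries the recipient's domain plus a second address
    "spoof_split": '"Firstname Lastname@" <recipient-domain.com sender@example.net>',
    # unquoted address in the display name, the shape David Jones' rule targets
    "spoof_unquoted": "ceo@victimcorp.com <sender@example.net>",
    # a legitimate user who typed their own address into the (quoted) display name
    "legit_quoted": '"alice@example.org" <alice@example.org>',
    # an ordinary header
    "plain": '"Alice Smith" <alice@example.org>',
}


def sa_from_name(header):
    """Approximate SA's From:name (assumption: simplified emulation): the text
    before the angle-bracket part with surrounding single/double quotes removed."""
    m = re.match(r"^\s*(.*?)\s*<[^>]*>\s*$", header)
    name = m.group(1) if m else ""
    return name.strip("'\"")


def sa_from_addr(header):
    """Approximate SA's From:addr: whatever sits inside the angle brackets, or
    the whole header when there are none."""
    m = re.search(r"<([^>]*)>", header)
    return m.group(1).strip() if m else header.strip()


# Header rules from the thread, evaluated on (raw header, From:name, From:addr).
HEADER_RULES = {
    "__FROM_QUOTES": lambda raw, name, addr: '"' in raw,
    "__FROM_MAYBE_SPOOF": lambda raw, name, addr: re.search(r"\w@\w", name) is not None,
    "__FROM_MULTIPLE_ADDR": lambda raw, name, addr: re.search(r"\s", addr) is not None,
    "__FROM_NAME_CONTAINS_AT": lambda raw, name, addr: "@" in name,
    "FROM_SPOOF_EMAIL_DISPLAY": lambda raw, name, addr: re.search(
        r"@[a-z_]+?\.[a-z]{2,3} <", raw, re.IGNORECASE) is not None,
}

# Meta rules from the thread, evaluated on the header-rule results.
META_RULES = {
    "__FROM_SPOOF": lambda r: r["__FROM_MAYBE_SPOOF"] and not r["__FROM_QUOTES"],
    "FROM_SPOOF_SENDER1": lambda r: r["__FROM_NAME_CONTAINS_AT"] and r["__FROM_MULTIPLE_ADDR"],
}


def evaluate(header):
    """Return {rule_name: hit} for one From: header value."""
    name, addr = sa_from_name(header), sa_from_addr(header)
    hits = {rule: bool(fn(header, name, addr)) for rule, fn in HEADER_RULES.items()}
    for rule, fn in META_RULES.items():
        hits[rule] = bool(fn(hits))
    return hits


def hit_matrix():
    """Evaluate every constructed sample; returns {sample: {rule: hit}}."""
    return {label: evaluate(hdr) for label, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in hit_matrix().items():
        fired = [r for r, on in hits.items() if on]
        print(f"{label:15s} name={sa_from_name(SAMPLES[label])!r:30s} hits={fired}")
```

Note that the split header from the original post is caught only by the CONTAINS_AT && MULTIPLE_ADDR meta, because "Lastname@" has no word character after the "@" that \w@\w requires, while the quoted legitimate sample trips __FROM_MAYBE_SPOOF but not the __FROM_SPOOF meta.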
