Spoofed Email But Different User Name

Spoofed Email But Different User Name

mhildebr
Is there a way to have Spamassassin look for spoofed email addresses being used as the sender's address (myname@mydomain.com) but using a different user name (Viagra instead of myname)?  It seems like it would be simple to check the user name and filter results from that.  Thanks for any help.

Re: Spoofed Email But Different User Name

Matt Kettler-3
mhildebr wrote:
> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address ([hidden email]) but using a different
> user name (Viagra instead of myname)?  It seems like it would be simple to
> check the user name and filter results from that.  Thanks for any help.
>  
A quick-and-dirty way would be set up SPF records for your domain and
enable the SPF plugin.

However, to do this you would have to know all the servers that are
authorized to send mail as your domain, (ie: all your smarthosts).

This also messes with folks who run SPF after getting mail via
forwarding services. However anyone using a forwarding service to
receive their mail should be trusting the service that forwards their
mail, unless the forwarder is doing SRS.




Re: Spoofed Email But Different User Name

mouss-2
In reply to this post by mhildebr
mhildebr wrote:
> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address ([hidden email]) but using a different
> user name (Viagra instead of myname)?  It seems like it would be simple to
> check the user name and filter results from that.  Thanks for any help.
>  

if you have the list of all valid display names, then you can write
rules for that. something like

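# matches any From header carrying the address
header __FROM_MARK             From =~ /<mark\@example\.com>/
# matches only when the expected display name precedes the address
header __REALLY_FROM_MARK     From =~ /.*milderbr.*<mark\@example\.com>/

meta    FAKE_FROM_MARK  (__FROM_MARK && !__REALLY_FROM_MARK)
score    FAKE_FROM_MARK  0.1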

but this does not scale. Instead, look for other patterns that catch
this spam. you can show (or use pastebin...) a sample if you want hints.


Re: Spoofed Email But Different User Name

Chris St. Pierre
In reply to this post by mhildebr
On Tue, 6 May 2008, mhildebr wrote:

> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address ([hidden email]) but using a different
> user name (Viagra instead of myname)?  It seems like it would be simple to
> check the user name and filter results from that.  Thanks for any help.

Bad idea.  My name can be easily and legitimately displayed in dozens
of different ways, without even considering typos:

Chris St. Pierre
Chris St Pierre
Chris St-Pierre
Chris Saint Pierre
Chris Saint-Pierre
Christopher St. Pierre
...
Christopher A. St. Pierre
...
Chris A. St. Pierre
...

And so on and so forth.  And if someone accidentally mistypes my name,
suddenly I'm Chirs St. Pierre or something like that, and your filter
blocks the message.

A better idea would be to just let Bayes do its thing and notice the
token -- in this case, 'Viagra' -- and score accordingly.

Or, you can manually list out the various spellings of each user's
name, and then come up with a fancy algorithm to route around
misspellings, perhaps using something like Levenshtein distance to
figure out how egregiously misspelled a name is.  It'll be way more
work than it's worth, but if that's what tickles you, go for it.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
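
The Levenshtein approach described in the post above, as an added Python sketch that is not code from the thread or from SpamAssassin. The address `chris@example.edu`, the variant list and the 25% edit-distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    # Lowercase and keep letters only, so "St. Pierre", "St-Pierre" and
    # "St Pierre" all collapse to the same string before comparison.
    return "".join(ch for ch in name.lower() if ch.isalpha())

# Constructed sample data: protected address -> legitimate display names.
KNOWN_NAMES = {
    "chris@example.edu": [
        "Chris St. Pierre", "Chris Saint Pierre", "Christopher St. Pierre",
        "Chris A. St. Pierre", "Christopher A. St. Pierre",
    ],
}

def display_name_suspicious(from_header, known=KNOWN_NAMES, max_ratio=0.25):
    """True when a protected address carries a display name that is not
    within max_ratio (edit distance / longer length) of any known variant."""
    name, addr = parseaddr(from_header)
    variants = known.get(addr.lower())
    if not variants or not name:
        return False        # unprotected address, or no display name to judge
    got = normalize(name)
    for variant in variants:
        want = normalize(variant)
        if levenshtein(got, want) <= max_ratio * max(len(got), len(want)):
            return False    # close enough: punctuation change or small typo
    return True

if __name__ == "__main__":
    for hdr in ('"Chirs St. Pierre" <chris@example.edu>',
                'Viagra <chris@example.edu>'):
        print(hdr, "->", display_name_suspicious(hdr))
```

The threshold trades false positives against misses, and the variant list still has to be maintained per user, which is the scaling cost the posts in this thread point out.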


Re: Spoofed Email But Different User Name

mouss-2
Chris St. Pierre wrote:

> On Tue, 6 May 2008, mhildebr wrote:
>
>> Is there a way to have Spamassassin look for spoofed email addresses
>> being
>> used as the sender's address ([hidden email]) but using a different
>> user name (Viagra instead of myname)?  It seems like it would be
>> simple to
>> check the user name and filter results from that.  Thanks for any help.
>
> Bad idea.  My name can be easily and legitimately displayed in dozens
> of different ways, without even considering typos:
>
> Chris St. Pierre
> Chris St Pierre
> Chris St-Pierre
> Chris Saint Pierre
> Chris Saint-Pierre
> Christopher St. Pierre
> ...
> Christopher A. St. Pierre
> ...
> Chris A. St. Pierre
> ...

they all match
       chris.*pierre
or to be more conservative
    [chris]{3}.*[pierre]{3}


>
> And so on and so forth.  And if someone accidentally mistypes my name,

they aren't supposed to use your name in their From header, are they?
> suddenly I'm Chirs St. Pierre or something like that, and your filter
> blocks the message.
>
> A better idea would be to just let Bayes do its thing and notice the
> token -- in this case, 'Viagra' -- and score accordingly.

agreed.
>
> Or, you can manually list out the various spellings of each user's
> name, and then come up with a fancy algorithm to route around
> misspellings, perhaps using something like Levenshtein distance to
> figure out how egregiously misspelled a name is.  It'll be way more
> work than it's worth, but if that's what tickles you, go for it.