[Mimedefang] filter on header from display name
Kris Deugau
kdeugau at vianet.ca
Wed Dec 19 10:25:19 EST 2018
Marcus Schopen wrote:
> On Monday, 26.11.2018, at 13:02 -0500, Dianne Skoll wrote:
>> On Mon, 26 Nov 2018 17:55:57 +0100
>> Marcus Schopen <lists at localguru.de> wrote:
>>
>>> is always the same, but I can't catch it with blacklist_from. Can I get
>>> that from $entity->head->get('From') or any better ideas?
>>
>> That should work, or you can open and read the file ./HEADERS, which
>> contains the message headers (unwrapped, so exactly one header per
>> line.)
>
> I use a spamassassin rule now
>
> header MY_HEADER_1 From =~ /^.*\@spammer\.com.*/
> describe MY_HEADER_1 Header-Spam-Rule 1
> score MY_HEADER_1 100

This will more or less work, but keep in mind that "spammer.com" might
better be shown in examples as "spoofvictim.com". The whole point of
this from the spammer's perspective is that mail clients will only
display the "known"/"trusted" address, hiding the *other* victim (the
compromised account). Most of the time *both* addresses in the From: on
these messages, however arranged, are innocent and unrelated to the
spammer. If you block either, you take the risk of blocking legitimate
mail.

I have a pair of subrules looking for two @ signs in the From: - one
just looks for two @ signs, the other looks for a specific variant with
two <>-wrapped normal email addresses. These get combined with a couple
of other factors in meta rules to build up the score.
-kgd
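
The two From: pattern checks described in the message above, modelled in Python as an added example. This is not the poster's actual rules (the post does not show them) and not SpamAssassin syntax. The sample headers, the .example domains, and the distinct_domains / suspicious factors are constructed assumptions; input uses the ./HEADERS layout (one unwrapped header per line).

```python
import re

# Constructed sample in the ./HEADERS layout: exactly one unwrapped header per line.
SAMPLE_HEADERS = """\
Received: from mail.compromised.example by mx.local.example
From: "ceo@spoofvictim.example" <user@compromised.example>
Subject: invoice
"""

ADDR = r'[^\s<>@",;]+@[^\s<>@",;]+'                 # loose address shape, not full RFC 5322
TWO_AT = re.compile(r"@.*@")                        # subrule 1: any two @ signs
TWO_BRACKETED = re.compile(rf"<{ADDR}>.*<{ADDR}>")  # subrule 2: two <>-wrapped addresses


def from_value(headers_text):
    """Return the value of the first From: header, or None if there is none."""
    for line in headers_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "from":
            return value.strip()
    return None


def check_from(value):
    """Evaluate the pattern checks on a From: value; nothing here is keyed to a domain."""
    addrs = {a.lower() for a in re.findall(ADDR, value)}
    domains = {a.rsplit("@", 1)[1] for a in addrs}
    two_at = bool(TWO_AT.search(value))
    return {
        "two_at": two_at,
        "two_bracketed": bool(TWO_BRACKETED.search(value)),
        # Assumed extra factor (hypothetical, not from the post): do the addresses disagree?
        "distinct_domains": len(domains),
        # Hypothetical combination standing in for a meta rule.
        "suspicious": two_at and len(domains) > 1,
    }


if __name__ == "__main__":
    for v in (
        from_value(SAMPLE_HEADERS),
        "<ceo@spoofvictim.example> <user@compromised.example>",
        '"alice@example.org" <alice@example.org>',   # legitimate: name repeats the address
        "Alice Example <alice@example.org>",
    ):
        print(v, check_from(v))
```

The third sample trips the bare two-@ check even though it is ordinary mail, which is why that check is only useful as one input to a combined score.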