Mailing List Archive

How to Block messages from display name not matching expected sender email address
Hello,

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man<BossMan@Gmail.com>"

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is BossMan@RealCompany.com or BossMan@Company2.com,
otherwise score it with 10.

Also, would there be a way to forward that email to a specific user, not
send it to the original recipient?



Thanks

--
Thanks!
Joey
Re: How to Block messages from display name not matching expected sender email address
On 24 Dec 2020, at 0:02, Joey J wrote:

> Hello,
>
> I'm trying to figure out how to write a rule that looks for matches of
> certain names against the display name, and then ensuring it's from a
> list of valid email addresses.
>
> So a phishing email comes in from "Boss Man<BossMan@Gmail.com>"
>
> So I want to check if the display name is "Boss Man" and if so, make
> sure the sending email address is BossMan@RealCompany.com or
> BossMan@Company2.com, otherwise score it with 10.

header __BOSSNAME From:name =~ /Boss Man/
header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|BossMan@Company2.com/
meta BOSSPHISH __BOSSNAME && !__BOSSADDR
score BOSSPHISH 10

> Also, would there be a way to forward that email to a specific user,
> not send it to the original recipient?

That's a function of your MTA and depends on how you've attached
SpamAssassin to it.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: How to Block messages from display name not matching expected sender email address
On Thu, 24 Dec 2020, Bill Cole wrote:

> On 24 Dec 2020, at 0:02, Joey J wrote:
>
>> I'm trying to figure out how to write a rule that looks for matches of
>> certain names against the display name, and then ensuring it's from a list
>> of valid email addresses.
>>
>> So a phishing email comes in from "Boss Man<BossMan@Gmail.com>"
>>
>> So I want to check if the display name is "Boss Man" and if so, make sure
>> the sending email address is BossMan@RealCompany.com or
>> BossMan@Company2.com, otherwise score it with 10.
>
> header __BOSSNAME From:name =~ /Boss Man/
> header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|BossMan@Company2.com/

Missed escaping the second @ sign, and the periods...

> meta BOSSPHISH __BOSSNAME && !__BOSSADDR
> score BOSSPHISH 10

If you have a list of such addresses, you'd probably benefit from writing
a script to generate the rules from that list rather than manually
maintaining all the rules.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas
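
The rule-generation script suggested in the last reply, as an added example (not code from the thread or from the SpamAssassin project). The `PROTECTED` list, its second entry and the `DN_SPOOF_` rule prefix are assumptions; the generated address pattern escapes `@` and `.` and is anchored so only an exact allowed address passes.

```python
import re

# Constructed sample list: display name -> addresses allowed to use that name.
PROTECTED = {
    "Boss Man": ["BossMan@RealCompany.com", "BossMan@Company2.com"],
    "Jane Q. Finance": ["jane.finance@RealCompany.com"],
}

def sa_quote(text):
    """Backslash-escape every non-word character, like Perl's quotemeta,
    so '@' and '.' in an address are matched literally."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)

def rule_id(name):
    """Derive a SpamAssassin-safe rule name fragment from a display name."""
    return re.sub(r"[^A-Z0-9]+", "_", name.upper()).strip("_")

def rules_for(name, addrs, score=10):
    """Return the rule lines for one protected display name."""
    if not addrs:
        raise ValueError(f"no allowed addresses for {name!r}")
    rid = rule_id(name)
    alternation = "|".join(sa_quote(a) for a in addrs)
    return [
        f"header __DN_{rid}_NAME From:name =~ /{sa_quote(name)}/i",
        # Anchored so a longer address that merely contains an allowed one
        # does not count as allowed.
        f"header __DN_{rid}_ADDR From:addr =~ /^(?:{alternation})$/i",
        f"meta DN_SPOOF_{rid} __DN_{rid}_NAME && !__DN_{rid}_ADDR",
        f"score DN_SPOOF_{rid} {score}",
    ]

def generate(protected):
    """Build the full rules file text, rejecting rule-name collisions."""
    seen, lines = {}, []
    for name, addrs in protected.items():
        rid = rule_id(name)
        if not rid or rid in seen:
            raise ValueError(f"rule name clash: {name!r} vs {seen.get(rid)!r}")
        seen[rid] = name
        lines.extend(rules_for(name, addrs))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(generate(PROTECTED), end="")
```

Redirect the output to a `.cf` file in the local rules directory and run `spamassassin --lint` before reloading.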