Re: [sa-list] Re: Help writing a rule
On Wed, 27 Jan 2021, John Hardin wrote:

> On Wed, 27 Jan 2021, Dan Mahoney (Gushi) wrote:
>
>> All,
>>
>> I'm noticing a pattern of email like:
>>
>> From: "GUSHI.ORG Administrator" <somerando@host.cn>
>> To: you@gushi.org
>> Subject: Your mailbox has exceeded its quota
>>
>> Or some such nonsense.
>>
>> Now, DMARC and SPF and DKIM would be able to block the domain if they tried
>> to spoof it in the From email address. But mail clients helpfully these
>> days aren't showing the actual email address to people. Ergo, I'm looking
>> to do the following:
>>
>> Catch a case where the REALNAME of the FROM address contains a domain that
>> is in the TO header. This would seem to require a macro of some kind to
>> capture the value and do the comparison, so this doesn't seem to be the
>> kind of thing one can do (dynamically) with a regular rule.
>
> It can be done with a regular rule, as header rules can match across multiple
> headers.
>
> There is already a rule like that in the base ruleset:
>
> https://ruleqa.spamassassin.org/20210127-r1885943-n/PDS_FROM_NAME_TO_DOMAIN/detail
>
> Jan 27 12:03:34.724 [29312] dbg: rules: ran header rule
> __PDS_FROM_NAME_TO_DOMAIN ======> got hit: "From: "GUSHI.ORG Administrator"
> <somerando@host.cn>
> Jan 27 12:03:34.724 [29312] dbg: rules: [...] To: you@gushi.org"
>
> PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?

Let me spoof something out to the day job and we'll find out.

-Dan

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
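The check discussed in the thread, written out as an added example in Python (not part of the original post and not SpamAssassin's own rule): it flags a message whose From display name mentions a domain taken from the To/Cc headers while the actual From address is in a different domain. The exclusion for mail that really comes from the recipient's domain is an assumption added here to avoid hitting a site's own legitimate mail; the sample messages are constructed after the one quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages modelled on the one quoted in the thread.
SAMPLE_HIT = """\
From: "GUSHI.ORG Administrator" <somerando@host.cn>
To: you@gushi.org
Subject: Your mailbox has exceeded its quota

body
"""

SAMPLE_MISS = """\
From: "Host Administrator" <admin@host.cn>
To: you@gushi.org
Subject: hello

body
"""


def recipient_domains(msg):
    """Lower-cased domains of every address found in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.rsplit("@", 1)[1].lower()
            for _name, addr in getaddresses(headers) if "@" in addr}


def from_name_contains_recipient_domain(raw):
    """True when a From display name contains a recipient domain as a whole
    word but the From address itself is not in that domain (assumed
    exclusion so genuine mail from the recipient's own domain does not hit)."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    for domain in recipient_domains(msg):
        # Whole-word, case-insensitive match so "GUSHI.ORG" matches gushi.org
        pattern = re.compile(r"\b" + re.escape(domain) + r"\b", re.IGNORECASE)
        for name, addr in senders:
            from_domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
            if pattern.search(name) and from_domain != domain:
                return True
    return False
```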