Mailing List Archive

suggestion/question about testing faked From
Hi

I have received quite a few messages where my own address was used as
the from address. While most of those are now caught by other filters
I'd like to add a check for this.

Right now I have the following in ~/.spamassassin/user_prefs:
header LOCAL_TEST_RULE From =~ /(?<!Bram\sMertens)\s<bram-mertens\@linux\.be>/
score LOCAL_TEST_RULE 0.1
describe LOCAL_TEST_RULE Is someone faking to be me?

I'll explain what I want the regex to be doing:
Whenever I receive an e-mail I sent myself (from mailing list etc.) the
from header should be:
From: Bram Mertens <bram-mertens@linux.be>

This rule should catch all messages that look like:
From: "roger" <bram-mertens@linux.be>
Where '"roger"' can be anything other than 'Bram Mertens'

I haven't tested this thoroughly yet but I'd like your
comments/suggestions: are there any big mistakes in this rule?

TIA
--
# Mertens Bram "M8ram" <bram-mertens@linux.be> Linux User #249103 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 11:05pm up 36 days 2:44, 6 users, load average: 0.24, 0.13, 0.10 #
Re: suggestion/question about testing faked From
On Friday 27 February 2004 04:14 pm, Bram Mertens wrote:
> Hi
>
> I have received quite a few messages where my own address was used as
> the from address. While most of those are now caught by other filters
> I'd like to add a check for this.
>
> Right now I have the following in ~/.spamassassin/user_prefs:
> header LOCAL_TEST_RULE From =~ /(?<!Bram\sMertens)\s<bram-mertens\@linux\.be>/
> score LOCAL_TEST_RULE 0.1
> describe LOCAL_TEST_RULE Is someone faking to be me?
>

Don't know if this is what you're looking for but it's what I use, it's very
effective. I didn't write it, just modified an existing rule I found.

header RM_t_bobbf ToCc =~ /cpollock\@earthlink\.com/ # 98%+ spam
describe RM_t_bobbf Definite spam destination email address
score RM_t_bobbf 10.0
header RM_t_bobbf2 From =~ /cpollock\@earthlink\.com/i
describe RM_t_bobbf2 Definitely not from me
score RM_t_bobbf2 9.0
header RM_t_bobbf3 From =~ /cpollock\@earthlink\.net/i
describe RM_t_bobbf3 I may have sent it as a test, probably not
score RM_t_bobbf3 9.0

Chris

--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
8:17pm up 3 days, 22:36, 3 users, load average: 0.18, 0.43, 0.48
Re: suggestion/question about testing faked From
This is more complicated than it looks to do right.
You have to handle several cases. Off the top of my head, all are valid
addresses:

Joe Foo <joe@foo.com>
"Joe Foo" joe@foo.com
"Joe Foo" <joe@foo.com>
joe@foo.com
<joe@foo.com>
"Joe the-one-and-only Foo" joe@foo.com

You also have to handle
fred@foo.com, joe@foo.com

After a good deal of work, I came up with the following check for my name,
which so far seems reliable in all cases that I've checked

header __TO_ME ToCc =~ /(?:^|\>,|\>|,)\s*(?:\"?Loren.*?\b?Wilton\s*\"?\s*\<?lwilton\@earthlink\.net\>?|\<?lwilton\@earthlink\.net\>?)/

Note there are no spaces in that regexp, regardless of how it ended up
folded.

Loren
Re: suggestion/question about testing faked From
On Sat, 2004-02-28 at 06:12, Loren Wilton wrote:
> This is more complicated than it looks to do right.
> You have to handle several cases. Off the top of my head, all are valid
> addresses:
>
> Joe Foo <joe@foo.com>
> "Joe Foo" joe@foo.com
> "Joe Foo" <joe@foo.com>
> joe@foo.com
> <joe@foo.com>
> "Joe the-one-and-only Foo" joe@foo.com

They are valid addresses but when I send mail the From field should be
what my MUA sets it to, no? No server relaying the message should alter
this, right?

When I started using Evolution I set it to:
Mertens Bram <bram-mertens@linux.be>
Later I altered it to:
Bram Mertens <bram-mertens@linux.be>

Am I wrong then to assume that messages containing:
"Bram Mertens" <bram-mertens@linux.be>
bram-mertens <bram-mertens@linux.be>
are most likely faked? Or could this be altered by some mailing list
software or something like that?

> You also have to handle
> fred@foo.com, joe@foo.com

Is it possible to have more than one address in the From field? Or are
you checking the TO and Cc fields?

> After a good deal of work, I came up with the following check for my name,
> which so far seems reliable in all cases that I've checked
>
> header __TO_ME ToCc =~ /(?:^|\>,|\>|,)\s*(?:\"?Loren.*?\b?Wilton\s*\"?\s*\<?lwilton\@earthlink\.net\>?|\<?lwilton\@earthlink\.net\>?)/
[...]

Thanks for thinking about this but again doesn't this check the To and
Cc fields? I am looking for someone claiming to be me...

As I said above I do have to check two cases so I edited my code to:
header LOCAL_TEST_RULE From =~ /(?<!(?:Bram\sMertens)|(?:Mertens\sBram))\s<bram-mertens\@linux\.be>/
score LOCAL_TEST_RULE 0.2
describe LOCAL_TEST_RULE Is someone faking to be me?

Doesn't this allow messages with the following From headers?
From: Mertens Bram <bram-mertens@linux.be>
From: Bram Mertens <bram-mertens@linux.be>
(and of course everything that doesn't contain 'bram-mertens@linux.be')

So it should trigger on:
From: "odessa" <bram-mertens@linux.be>
From: "michael" <bram-mertens@linux.be>
From: "al" <bram-mertens@linux.be>
From: "bram-mertens" <bram-mertens@linux.be>
(and all other variants of this...)

TIA
--
# Mertens Bram "M8ram" <bram-mertens@linux.be> Linux User #249103 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 5:01pm up 36 days 20:40, 7 users, load average: 0.12, 0.13, 0.09 #
Re: suggestion/question about testing faked From
I apologise, I missed that you were only testing the From address. Yes,
your case will work for that check, I would think.

Loren
Re: suggestion/question about testing faked From
On Sat, 28 Feb 2004 17:02:05 +0100, Bram Mertens wrote:
> On Sat, 2004-02-28 at 06:12, Loren Wilton wrote:
>> This is more complicated than it looks to do right.
>> You have to handle several cases. Off the top of my head, all
>> are valid
>> addresses:
>>
>> Joe Foo <joe@foo.com>
>> "Joe Foo" joe@foo.com
>> "Joe Foo" <joe@foo.com>
>> joe@foo.com
>> <joe@foo.com>
>> "Joe the-one-and-only Foo" joe@foo.com
>
> They are valid addresses but when I send mail the From field should
> be
> what my MUA sets it no? No server relaying the message should alter
> this, right?
>
> When I started using Evolution I set it to:
> Mertens Bram <bram-mertens@linux.be>
> Later I altered it to:
> Bram Mertens <bram-mertens@linux.be>
>
> Am I wrong then to assume that messages containing:
> "Bram Mertens" <bram-mertens@linux.be>
> bram-mertens <bram-mertens@linux.be>
> are most likely faked? Or could this be altered by some mailing
> list
> software or something like that?
>
>> You also have to handle
>> fred@foo.com, joe@foo.com
>
> Is it possible to have more than one address in the From field? Or
> are
> you checking the TO and Cc fields?
>
>> After a good deal of work, I came up with the following check for
>> my name,
>> which so far seems reliable in all cases that I've checked
>>
>> header __TO_ME ToCc =~ /(?:^|\>,|\>|,)\s*(?:\"?Loren.*?\b?Wilton\s*\"?\s*\<?lwilton\@earthlink\.net\>?|\<?lwilton\@earthlink\.net\>?)/
> [...]
>
> Thanks for thinking about this but again doesn't this check the To
> and
> Cc fields? I am looking for someone claiming to be me...
>
> As I said above I do have to check two cases so I edited my code to:
> header LOCAL_TEST_RULE From =~ /(?<!(?:Bram\sMertens)|(?:Mertens\sBram))\s<bram-mertens\@linux\.be>/
> score LOCAL_TEST_RULE 0.2
> describe LOCAL_TEST_RULE Is someone faking to be me?
>
> Doesn't this allow messages with the following From headers?
> From: Mertens Bram <bram-mertens@linux.be>
> From: Bram Mertens <bram-mertens@linux.be>
> (and of course everything that doesn't contain 'bram-mertens@linux.be')
>
> So it should trigger on:
> From: "odessa" <bram-mertens@linux.be>
> From: "michael" <bram-mertens@linux.be>
> From: "al" <bram-mertens@linux.be>
> From: "bram-mertens" <bram-mertens@linux.be>
> (and all other variants of this...)
>
> TIA

Hi,

I think it also allows through addresses like:

From: Mr Mertens Bram <bram-mertens@linux.be>
From: Bob<bram-mertens@linux.be>

where there is some text before the Mertens Bram in the first one (or
likewise before Bram Mertens) and no space after the name in the
second one. Not sure if these will affect you in practice but
otherwise it seems to work great.

Kind regards,
Mat
Re: suggestion/question about testing faked From
On Sat, 2004-02-28 at 19:07, Mat Bowen wrote:
[...]
> I think it also allows through addresses like:
>
> From: Mr Mertens Bram <bram-mertens@linux.be>
> From: Bob<bram-mertens@linux.be>
>
> where there is some text before the Mertens Bram in the first one (or
> likewise before Bram Mertens) and no space after the name in the
> second one. Not sure if these will affect you in practice but
> otherwise it seems to work great.
[...]

Indeed! Thanks for pointing that out, but I suppose this fixes both
these problems:
header M8RAM_FAKE_FROM From =~ /(?<!(?:^Bram\sMertens\s)|(?:^Mertens\sBram\s))<bram-mertens\@linux\.be>/
score M8RAM_FAKE_FROM 1.0
describe M8RAM_FAKE_FROM From contains my address but I didn't send this!

TIA
--
# Mertens Bram "M8ram" <bram-mertens@linux.be> Linux User #249103 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 8:13pm up 36 days 23:51, 7 users, load average: 0.17, 0.16, 0.11 #
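The following script is an added example, not code from the thread: it runs the three successive versions of Bram's rule (the original, the two-name version, and the final M8RAM_FAKE_FROM pattern) over constructed From: header values taken from the discussion, including Mat's two bypass cases and the bare, bracket-free form from Loren's list. It assumes, as SpamAssassin does, that a header rule is matched against the header's value with the "From:" name stripped, so `^` anchors at the start of that value.

```python
import re

# SpamAssassin applies a "header From =~ /.../" rule to the value of the
# From: header (the "From:" name itself is stripped), so '^' anchors at the
# start of that value. The three rule bodies below are the successive
# versions posted in the thread; Python's re accepts them because every
# lookbehind branch has a fixed width (13 characters in the final version).
RULES = {
    "v1": r"(?<!Bram\sMertens)\s<bram-mertens\@linux\.be>",
    "v2": r"(?<!(?:Bram\sMertens)|(?:Mertens\sBram))\s<bram-mertens\@linux\.be>",
    "v3": r"(?<!(?:^Bram\sMertens\s)|(?:^Mertens\sBram\s))<bram-mertens\@linux\.be>",
}

# Constructed From: header values drawn from the thread, labelled with
# whether the rule is meant to fire on them (True = should be flagged).
SAMPLES = [
    ("Bram Mertens <bram-mertens@linux.be>", False),   # the MUA's own setting
    ("Mertens Bram <bram-mertens@linux.be>", False),   # the earlier setting
    ('"roger" <bram-mertens@linux.be>', True),
    ('"bram-mertens" <bram-mertens@linux.be>', True),
    ("Mr Mertens Bram <bram-mertens@linux.be>", True), # Mat's first case
    ("Bob<bram-mertens@linux.be>", True),              # Mat's second case
    ("bram-mertens@linux.be", True),                   # Loren's bare form
]


def fires(version: str, header_value: str) -> bool:
    """True when the given rule version would match this From: value."""
    return re.search(RULES[version], header_value) is not None


def check_rule(version: str) -> dict:
    """Run one rule version over SAMPLES and report where it goes wrong.

    'false_positives' are legitimate headers the rule flags; 'missed' are
    spoofed headers it lets through.
    """
    report = {"false_positives": [], "missed": []}
    for value, should_fire in SAMPLES:
        hit = fires(version, value)
        if hit and not should_fire:
            report["false_positives"].append(value)
        elif should_fire and not hit:
            report["missed"].append(value)
    return report


if __name__ == "__main__":
    for version in RULES:
        print(version, check_rule(version))
```

The final version has no false positives on these samples and closes both of Mat's gaps, but all three versions require the angle-bracket form, so a bare `bram-mertens@linux.be` in From: passes every one of them.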
Re: suggestion/question about testing faked From
On Sat, 28 Feb 2004 20:15:38 +0100, Bram Mertens wrote:
> On Sat, 2004-02-28 at 19:07, Mat Bowen wrote:
> [...]
>> I think it also allows through addresses like:
>>
>> From: Mr Mertens Bram <bram-mertens@linux.be>
>> From: Bob<bram-mertens@linux.be>
>>
>> where there is some text before the Mertens Bram in the first one
>> (or
>> likewise before Bram Mertens) and no space after the name in the
>> second one. Not sure if these will affect you in practice but
>> otherwise it seems to work great.
> [...]
>
> Indeed! Thanks for pointing that out, but I suppose this fixes both
> these problems:
> header M8RAM_FAKE_FROM From =~ /(?<!(?:^Bram\sMertens\s)|(?:^Mertens\sBram\s))<bram-mertens\@linux\.be>/
> score M8RAM_FAKE_FROM 1.0
> describe M8RAM_FAKE_FROM From contains my address but I didn't
> send this!
>
> TIA

Yes that seems to be perfect! I think I might pinch it ;-)

Thanks,
Mat