Mailing List Archive

block emails with fake FROM
Hi,

I'm trying to block the emails with fake FROM like:

From: "Nick Blue <nick@domain.pt>" <ykato@omega-eng.co.jp>

I have installed spamassassin v3.4.6 and then enabled the
FromNameSpoof plugin.

I added the following lines on the files:

1- /etc/spamassassin/v342.pre :

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof


2 - /etc/spamassassin/local.cf

header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
score LOCAL_FROMNAME_SPOOF 5.0


My question is about how to configure this plugin and also which score I
should give the new rules?



Thanks,

Best regards,

--
Eduardo Maia
/IPBrick IDI/ IPBRICK R&D <https://www.ipbrick.com/>
Av. da França, 821
4250-214 Porto
Portugal TEL: +351 220 126 921
TLM: +351 933 568 871
FAX: +351 225 189 722
UCoIP: emaia@ipbrick.com
www.ipbrick.com <https://www.ipbrick.com/>
www.youtube.com/ipbricksa <https://www.youtube.com/ipbricksa> UCoIP
<http://emaia.ipbrick.com/> Facebook
<http://www.facebook.com/pages/IPBrick/263923950988/> Twitter
<http://twitter.com/IPBrick/> Linked In
<https://www.linkedin.com/company/ipbrick-international> Instagram
<https://www.instagram.com/ipbricksa>
Re: block emails with fake FROM
On 2022-06-23 16:56, Eduardo Maia wrote:

> From: "Nick Blue <nick@domain.pt>" <ykato@omega-eng.co.jp>

header FOO From:Name =~ /\b@/

others may refine it :=)

note From:Addr must accept more than one @, but not From:Name

I don't know if the plugin is better or not; also remember DKIM reveals
bogus addressing, e.g. no DKIM pass

if more than one From:Addr then all DKIM must pass to not be forged

lots of bugs
Re: block emails with fake FROM
On 23.06.22 15:56, Eduardo Maia wrote:
>I'm trying to block the emails with fake FROM like:
>
>From: "Nick Blue <nick@domain.pt>" <ykato@omega-eng.co.jp>
>
>I have installed spamassassin v3.4.6 and then enabled the
>FromNameSpoof plugin.

I have checked FromNameSpoof plugin from SA 3.4.6 and it does not detect all
mail with this kind of From:

out of 59 examples I got onto one server, 20 were detected, 39 undetected.

SA 4.0 (beta) caught all of them

>I added the following lines on the files:
>
>1- /etc/spamassassin/v342.pre :
>loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
>
>2 - /etc/spamassassin/local.cf
>header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>score LOCAL_FROMNAME_SPOOF 5.0

>My question is about how to configure this plugin and also which score
>i should give on the new rules ?

you have just described how you configured it.
the next question is how do you block them.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Re: block emails with fake FROM
>On 23.06.22 15:56, Eduardo Maia wrote:
>>I'm trying to block the emails with fake FROM like:
>>
>>From: "Nick Blue <nick@domain.pt>" <ykato@omega-eng.co.jp>
>>
>>I have installed spamassassin v3.4.6 and then enabled the
>>FromNameSpoof plugin.

On 23.06.22 18:08, Matus UHLAR - fantomas wrote:
>I have checked FromNameSpoof plugin from SA 3.4.6 and it does not
>detect all mail with this kind of From:
>
>out of 59 examples I got onto one server, 20 were detected, 39 undetected.
>
>SA 4.0 (beta) caught all of them

seems it did not catch this one:

From: " Dr Perfect <helsenv@gepesdaru.hu>"@mail.gepesdaru.hu

but still it's a leap forward

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: block emails with fake FROM
On 2022-06-23 18:08, Matus UHLAR - fantomas wrote:

>> 2 - /etc/spamassassin/local.cf
>> header LOCAL_FROMNAME_SPOOF eval:check_fromname_spoof()
>> score LOCAL_FROMNAME_SPOOF 5.0
>
>> My question is about how to configure this plugin and also which score
>> i should give on the new rules ?
>
> you have just described how you configured it.
> the next question is how do you block them.

set score on that rule to 1000?

if blocking high score spams
Re: block emails with fake FROM
Hi,

> seems it did not catch this one:
>
> From: " Dr Perfect <helsenv@gepesdaru.hu>"@mail.gepesdaru.hu
>
> but still it's a leap forward
>

Is it designed to also identify From addresses that have no name component?

From: LiVE@beroe-inc.com

This is an invoice phish that isn't tagged. Ideas on how to block these
would be appreciated.

https://pastebin.com/FXX8cx5f

This is with v4 SA from a week ago with FromNameSpoof enabled.

$ spamassassin --version
SpamAssassin version 4.0.0-r1901426
running on Perl version 5.34.1

Jun 24 08:11:42.828 [3222587] dbg: plugin: loading
Mail::SpamAssassin::Plugin::FromNameSpoof from @INC
Jun 24 08:11:46.669 [3222587] dbg: FromNameSpoof: no From-name addr found
Re: block emails with fake FROM
>seems it did not catch this one:
>>
>> From: " Dr Perfect <helsenv@gepesdaru.hu>"@mail.gepesdaru.hu
>>
>> but still it's a leap forward

On 24.06.22 08:12, Alex wrote:
>Is it designed to also identify From addresses that have no name component?
>
> From: LiVE@beroe-inc.com

I guess this one is correct via RFC 5321

>This is an invoice phish that isn't tagged. Ideas on how to block these
>would be appreciated.
>
>https://pastebin.com/FXX8cx5f

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
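As an added example (not code from this thread, from SpamAssassin or from the FromNameSpoof plugin), here is a small Python checker that runs over the three From headers quoted in the thread and reports where an address is hiding: in the display name, in a quoted local part, or nowhere at all. The sample headers are the ones posted above; the classification labels, the `same_org` rule and the embedded-address regex are my own assumptions, not the plugin's logic.

```python
import re
from email.utils import parseaddr

# Loose pattern for an e-mail address embedded in free text (a display
# name or a quoted local part). Detection heuristic, not RFC validation.
EMBEDDED_ADDR = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')

# Constructed sample set: the three From headers quoted in the thread plus
# one ordinary header as a control.
SAMPLE_FROM_HEADERS = [
    '"Nick Blue <nick@domain.pt>" <ykato@omega-eng.co.jp>',
    '" Dr Perfect <helsenv@gepesdaru.hu>"@mail.gepesdaru.hu',
    'LiVE@beroe-inc.com',
    'Alice Example <alice@example.com>',   # control, constructed
]


def split_domain(addr):
    """Return (local_part, domain) split at the LAST '@', so a quoted
    local part that itself contains '@' stays intact."""
    local, sep, domain = addr.rpartition('@')
    return (local, domain.lower()) if sep else (addr, '')


def same_org(embedded_domain, real_domain):
    """Assumed rule: the embedded domain equals, or is a parent of, the
    real sending domain (gepesdaru.hu vs mail.gepesdaru.hu counts as same)."""
    return real_domain == embedded_domain or real_domain.endswith('.' + embedded_domain)


def analyze_from(value):
    """Parse one From header value and locate any embedded addresses."""
    name, addr = parseaddr(value)
    if not addr:
        # Defensive fallback: a strict parser may reject an odd addr-spec;
        # treat the whole value as a bare address so it is still inspected.
        name, addr = '', value.strip()
    local, real_domain = split_domain(addr)
    # Search both the display name and the local part: the second sample
    # carries its fake "name" inside a quoted local part, not a phrase.
    embedded = [e.lower() for e in
                EMBEDDED_ADDR.findall(name) + EMBEDDED_ADDR.findall(local)]
    mismatched = [e for e in embedded
                  if not same_org(split_domain(e)[1], real_domain)]
    return {
        'display_name': name,
        'address': addr,
        'real_domain': real_domain,
        'embedded': embedded,
        'mismatched': mismatched,
    }


def classify(value):
    """Assumed labels for the four outcomes seen in the thread."""
    info = analyze_from(value)
    if info['mismatched']:
        return 'display-name-spoof'        # address inside name, other domain
    if info['embedded']:
        return 'embedded-address-same-org' # address inside name/local, same org
    if not info['display_name']:
        return 'no-display-name'           # nothing for a name check to see
    return 'clean'


if __name__ == '__main__':
    for header in SAMPLE_FROM_HEADERS:
        print(f'{classify(header):27s} {header}')
```

The first sample is what a `From:name =~ /\b@/` style rule sees; the second is only caught because the local part is searched as well, and even then it is the same organisation, so a mismatch rule would stay quiet; the third has no display name at all, which is why a name-based check has nothing to report there and a different signal (such as the DKIM result mentioned in the first reply) is needed.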