Mailing List Archive

To/CC to RCPT compare
Hello,


I saw this question out on the 'Net and thought I'd post it here.  I can
see a few false positives besides the OP's BCC that could arise, but it
still seems like it's a logical check that should have been done before.


Is there a way to compare the RCPT TO address to the addresses in the To
and Cc lines to make sure there's at least one match? I am aware that
BCC would trigger a score but I am ok with that at this time. It seems
like it would be a possibly useful check so I was surprised that I
couldn't find anything of the sort in my searches.


D
Re: To/CC to RCPT compare
On 2023-08-22 at 16:18:43 UTC-0400 (Tue, 22 Aug 2023 13:18:43 -0700)
D Benham <fatherofnine@benham.net>
is rumored to have said:

> Hello,
>
>
> I saw this question out on the 'Net and thought I'd post it here.  I
> can see a few false positives besides the OP's BCC that could arise,
> but it still seems like it's a logical check that should have been
> done before.
>
>
> Is there a way to compare the RCPT TO address to the addresses in the
> To and Cc lines to make sure there's at least one match?

All the needed information is available in SA, so such a check is
possible.

There is already a HEADER_FROM_DIFFERENT_DOMAINS rule which checks the
envelope sender domain against the From header address domain. It uses
an eval which I guess we could replicate for RCPT vs. To|Cc.

> I am aware that BCC would trigger a score but I am ok with that at
> this time. It seems like it would be a possibly useful check so I was
> surprised that I couldn't find anything of the sort in my searches.

I'm not sure that it actually would be worthwhile. E.g. the vast
majority of my legit mail is from lists like this one, which never have
any of my addresses in headers unless someone CC's me a post sent to the
list (which I despise...)


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
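
An added example, not part of the thread and not SpamAssassin code: the RCPT TO versus To/Cc comparison discussed above, written in Python and run on constructed messages to show the direct match, the BCC miss, and the mailing-list miss. The `List-Id` exemption, the case-insensitive comparison, and every address are assumptions of this example.

```python
from email import message_from_string
from email.utils import getaddresses

def header_recipients(msg):
    """Lower-cased addresses from every To and Cc header of a parsed message."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}

def rcpt_check(rcpt_to, raw_message):
    """Compare one envelope recipient (RCPT TO) with the To/Cc headers.

    Returns "match", "list" (no match, but a List-Id header is present)
    or "mismatch". Case-insensitive comparison is an assumption here.
    """
    msg = message_from_string(raw_message)
    rcpt = rcpt_to.strip().strip("<>").lower()
    if rcpt in header_recipients(msg):
        return "match"
    if msg.get("List-Id"):
        # List mail is addressed to the list, not to the subscriber.
        return "list"
    return "mismatch"

# Constructed sample messages (not real mail).
DIRECT = (
    "From: sender@example.com\n"
    "To: Alice <alice@example.org>\n"
    "Cc: bob@example.net\n"
    "Subject: direct\n\nbody\n"
)
BCC = (
    "From: sender@example.com\n"
    "To: bob@example.net\n"
    "Subject: alice was only in Bcc\n\nbody\n"
)
LIST = (
    "From: poster@example.com\n"
    "To: users@lists.example.org\n"
    "List-Id: <users.lists.example.org>\n"
    "Subject: list post\n\nbody\n"
)

if __name__ == "__main__":
    for name, rcpt, raw in [("direct", "<Alice@Example.org>", DIRECT),
                            ("bcc", "alice@example.org", BCC),
                            ("list", "alice@example.org", LIST)]:
        print(name, rcpt_check(rcpt, raw))
```
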