Filter based on From matching X-Envelope-From
Is there a way to filter messages based on whether the From header matches X-Envelope-From? Either during the SMTP phase or with a SpamAssassin rule or a Sieve script? So many spam messages are just sent from a valid source passing SPF but with a fake From header.
Re: Filter based on From matching X-Envelope-From
Sieve should be able to with the "variables" extension. I have thought of this issue many times myself, but never made much progress. A source of false positives with this method is mailing lists where the X-Envelope-From is almost always going to be some unique sender (for the list server to handle bounces), but the "From" header will be any valid list subscriber. Or even our own automated messages if you look at the headers: the envelope is unique to each rollernet account so we can trap bounces, but the from header that's displayed is support@ or billing@.
I apologize for the much delayed response. Due to spam issues (spam posts and spammer registrations) we stopped monitoring/maintaining the forums for almost a year.
Seth Mattinen, Roller Network LLC
Re: Filter based on From matching X-Envelope-From
Here's a Sieve snippet that is syntax valid but I didn't test it:
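Code:
require ["variables", "fileinto"];
# :matches (not :contains) is needed for "*" to act as a wildcard and fill ${1}
if header :matches "X-Envelope-From" "*" {
    set "envelopefrom" "${1}";
}
# File into Junk when the From header does not contain the envelope sender
if not header :contains "From" "${envelopefrom}" {
    fileinto "Junk";
}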
Seth Mattinen, Roller Network LLC
Re: Filter based on From matching X-Envelope-From
This is very helpful. I can at least mark the message as a suspect. Thank you for the tip.
I, personally, want to know when the From address that I see is spoofed. There are valid reasons to do this sometimes but this should raise a red flag. That's why, in my opinion, SpamAssassin should have a test like this.
Another option is to re-write the From header with the envelope address. Let the end-user see where the message actually came from. Will this be difficult to provide as an option?
Re: Filter based on From matching X-Envelope-From
minsk wrote: Another option is to re-write the From header with the envelope address. Let the end-user see where the message actually came from. Will this be difficult to provide as an option?
That should actually be easy. We can just delete any "From" header and add a new one with the content of the envelope sender (SMTP MAIL FROM). I don't see why I can't make that an option.
I don't know how to duplicate the function of that Sieve script in SpamAssassin off the top of my head. Maybe I can have our system add a header like "X-Rollernet-EnvFromMatch: (Yes|No)" which is a simple rule in SA.
Seth Mattinen, Roller Network LLC
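The "X-Rollernet-EnvFromMatch: (Yes|No)" idea from the last post, sketched as an added example that is not part of the thread and not Roller Network's code. The function names, the `domain_only` option and the sample messages are assumptions made here; it compares parsed addresses rather than substrings and shows the mailing-list and per-account bounce cases raised earlier in the thread.

```python
# Added example, not Roller Network's code. Sample messages are constructed.
from email import message_from_string
from email.utils import parseaddr

MATCH_HEADER = "X-Rollernet-EnvFromMatch"  # header name suggested in the thread


def env_from_match(raw, domain_only=False):
    """Return "Yes" if the From address equals X-Envelope-From, else "No".

    domain_only is an assumption added here: compare only the domain part,
    which tolerates per-account bounce addresses on the same domain.
    """
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    # parseaddr separates the display name from the address, so only the
    # address is compared; a substring test also looks at the display name.
    env = parseaddr(msg.get("X-Envelope-From", ""))[1].lower()
    if len(froms) != 1 or not env:
        return "No"  # missing or duplicate From, or empty envelope sender
    hdr = parseaddr(froms[0])[1].lower()
    if domain_only:
        env, hdr = env.rpartition("@")[2], hdr.rpartition("@")[2]
    return "Yes" if hdr and hdr == env else "No"


def tag(raw, domain_only=False):
    """Return the message with a fresh match header written by the filter."""
    msg = message_from_string(raw)
    del msg[MATCH_HEADER]  # discard any copy the sender supplied
    msg[MATCH_HEADER] = env_from_match(raw, domain_only)
    return msg.as_string()


SAME = "X-Envelope-From: <alice@example.org>\nFrom: Alice <alice@example.org>\n\nhi\n"
DISPLAY = ("X-Envelope-From: <bulk@sender.example>\n"
           'From: "bulk@sender.example" <ceo@victim.example>\n\nhi\n')
LIST = ("X-Envelope-From: <list-bounces+42@lists.example>\n"
        "From: Bob <bob@member.example>\n\nhi\n")
VERP = ("X-Envelope-From: <acct-1234@provider.example>\n"
        "From: Support <support@provider.example>\n"
        "X-Rollernet-EnvFromMatch: Yes\n\nhi\n")

if __name__ == "__main__":
    for name, raw in [("same", SAME), ("display", DISPLAY),
                      ("list", LIST), ("verp", VERP)]:
        print(name, env_from_match(raw), env_from_match(raw, domain_only=True))
```

The mailing-list message is "No" in both modes, so the header is better used as one scoring signal than as a reason to reject on its own.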