Filter based on From matching X-Envelope-From

Postby minsk » Fri Feb 15, 2013 12:17 pm

Is there a way to filter messages based on whether the From header matches X-Envelope-From? Either during the SMTP phase, or with a SpamAssassin rule or a Sieve script? So many spam messages are just sent from a valid source passing SPF but with a fake From header.
minsk
 
Posts: 10
Joined: Sun Nov 02, 2008 12:58 pm

Re: Filter based on From matching X-Envelope-From

Postby Seth » Sun Dec 01, 2013 4:52 pm

Sieve should be able to with the "variables" extension. I have thought of this issue many times myself, but never made much progress. A source of false positives with this method is mailing lists where the X-Envelope-From is almost always going to be some unique sender (for the list server to handle bounces), but the "From" header will be any valid list subscriber. Or even our own automated messages if you look at the headers: the envelope is unique to each rollernet account so we can trap bounces, but the from header that's displayed is support@ or billing@.

I apologize for the much delayed response. Due to spam issues (spam posts and spammer registrations) we stopped monitoring/maintaining the forums for almost a year.
Seth Mattinen, Roller Network LLC
Seth
Site Admin
 
Posts: 265
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Filter based on From matching X-Envelope-From

Postby Seth » Sun Dec 01, 2013 5:01 pm

Here's a Sieve snippet that is syntactically valid, but I didn't test it:

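Code:
require ["variables", "fileinto"];

# :matches (not :contains) is what treats "*" as a wildcard and sets ${1}
if header :matches "X-Envelope-From" "*" {
  set "envelopefrom" "${1}";
}
# File into Junk when the From header does not contain the envelope sender
if not header :contains "From" "${envelopefrom}" {
  fileinto "Junk";
}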
Seth Mattinen, Roller Network LLC

Re: Filter based on From matching X-Envelope-From

Postby minsk » Wed Dec 18, 2013 12:14 pm

This is very helpful. I can at least mark the message as suspect. Thank you for the tip.

I, personally, want to know when the From address that I see is spoofed. There are valid reasons to do this sometimes, but this should raise a red flag. That's why, in my opinion, SpamAssassin should have a test like this.
Another option is to re-write the From header with the envelope address. Let the end-user see where the message actually came from. Will this be difficult to provide as an option?

Re: Filter based on From matching X-Envelope-From

Postby Seth » Wed Dec 18, 2013 1:07 pm

minsk wrote: Another option is to re-write the From header with the envelope address. Let the end-user see where the message actually came from. Will this be difficult to provide as an option?


That should actually be easy. We can just delete any "From" header and add a new one with the content of the envelope sender (SMTP MAIL FROM). I don't see why I can't make that an option.

I don't know how to duplicate the function of that Sieve script in SpamAssassin off the top of my head. Maybe I can have our system add a header like "X-Rollernet-EnvFromMatch: (Yes|No)" which is a simple rule in SA.
Seth Mattinen, Roller Network LLC
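
Added example, not part of the thread and not Roller Network's code: a Python sketch of the comparison discussed above, returning the Yes/No value proposed for "X-Rollernet-EnvFromMatch" plus a reason that separates the mailing-list and per-account-bounce cases from a plain mismatch. The reason labels, the use of List-Id to recognise list mail, and the sample messages are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr


def _addr(value):
    """Bare, lower-cased address from a header value ('' if none)."""
    return parseaddr(value or "")[1].lower()


def classify(raw):
    """Return (match, reason) for one raw message.

    match is "Yes" or "No"; reason is "same-address", "list",
    "same-domain", "mismatch" or "no-envelope" (labels are assumptions).
    """
    msg = message_from_string(raw)
    env = _addr(msg.get("X-Envelope-From"))
    frm = _addr(msg.get("From"))
    if not env:                      # header absent, or null sender "<>"
        return "No", "no-envelope"
    if env == frm:
        return "Yes", "same-address"
    if msg.get("List-Id"):           # list traffic: a mismatch is expected
        return "No", "list"
    if frm and env.rpartition("@")[2] == frm.rpartition("@")[2]:
        return "No", "same-domain"   # e.g. a per-account bounce address
    return "No", "mismatch"


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "spoof": "X-Envelope-From: <mailer@bulk.example.net>\n"
             "From: \"Your Bank\" <security@bank.example.com>\n\nbody\n",
    "list": "X-Envelope-From: list-bounces+42@lists.example.org\n"
            "From: Alice <alice@example.com>\n"
            "List-Id: <users.lists.example.org>\n\nbody\n",
    "direct": "X-Envelope-From: <Bob@Example.com>\n"
              "From: Bob <bob@example.com>\n\nbody\n",
    "notice": "X-Envelope-From: <acct-1001@mail.example.org>\n"
              "From: Support <support@mail.example.org>\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *classify(raw))
```

Only the "mismatch" reason corresponds to the spoofed-From case raised in the first post; "list" and "same-domain" are the false-positive sources described earlier in the thread.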

