Filter based on From matching X-Envelope-From

minsk
Posts: 10
Joined: Sun Nov 02, 2008 11:58 am

Filter based on From matching X-Envelope-From

Post by minsk » Fri Feb 15, 2013 11:17 am

Is there a way to filter messages based on whether the From header matches X-Envelope-From? Either during the SMTP phase, or with a SpamAssassin rule or Sieve script? So many spam messages are just sent from a valid source passing SPF but with a fake From header.

Seth
Site Admin
Posts: 293
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Filter based on From matching X-Envelope-From

Post by Seth » Sun Dec 01, 2013 3:52 pm

Sieve should be able to with the "variables" extension. I have thought of this issue many times myself, but never made much progress. A source of false positives with this method is mailing lists where the X-Envelope-From is almost always going to be some unique sender (for the list server to handle bounces), but the "From" header will be any valid list subscriber. Or even our own automated messages if you look at the headers: the envelope is unique to each rollernet account so we can trap bounces, but the from header that's displayed is support@ or billing@.

I apologize for the much delayed response. Due to spam issues (spam posts and spammer registrations) we stopped monitoring/maintaining the forums for almost a year.
Seth Mattinen, Roller Network LLC

Seth
Site Admin
Posts: 293
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Filter based on From matching X-Envelope-From

Post by Seth » Sun Dec 01, 2013 4:01 pm

Here's a Sieve snippet that is syntactically valid, but I didn't test it:

Code:

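require ["variables", "fileinto"];

# Capture the whole X-Envelope-From value.
# Only :matches sets the match variable ${1}; :contains does not.
if header :matches "X-Envelope-From" "*" {
  set "envelopefrom" "${1}";
}
# File into Junk when the From header does not contain the captured value.
if not header :contains "From" "${envelopefrom}" {
  fileinto "Junk";
}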
Seth Mattinen, Roller Network LLC

minsk
Posts: 10
Joined: Sun Nov 02, 2008 11:58 am

Re: Filter based on From matching X-Envelope-From

Post by minsk » Wed Dec 18, 2013 11:14 am

This is very helpful. I can at least mark the message as a suspect. Thank you for the tip.

I, personally, want to know when the From address that I see is spoofed. There are valid reasons to do this sometimes, but this should raise a red flag. That's why, in my opinion, SpamAssassin should have a test like this.
Another option is to re-write the From header with the envelope address. Let the end-user see where the message actually came from. Will this be difficult to provide as an option?

Seth
Site Admin
Posts: 293
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Filter based on From matching X-Envelope-From

Post by Seth » Wed Dec 18, 2013 12:07 pm

minsk wrote: Another option is to re-write the From header with the envelope address. Let the end-user see where message actually came from. Will this be difficult to provide as an option?
That should actually be easy. We can just delete any "From" header and add a new one with the content of the envelope sender (SMTP MAIL FROM). I don't see why I can't make that an option.

I don't know how to duplicate the function of that Sieve script in SpamAssassin off the top of my head. Maybe I can have our system add a header like "X-Rollernet-EnvFromMatch: (Yes|No)" which is a simple rule in SA.
Seth Mattinen, Roller Network LLC
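
The comparison discussed in this thread, as an added example (not code from Roller Network or from any poster): a Python function that classifies how the From header relates to X-Envelope-From and separates the benign cases named above (mailing lists, per-account bounce addresses) from a plain mismatch. The verdict labels, the use of List-Id as the mailing-list marker, the exact-domain comparison and the sample messages are assumptions made for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); header names follow the thread.
SAMPLES = {
    "direct": "X-Envelope-From: <alice@example.org>\n"
              "From: Alice <alice@example.org>\n\nbody\n",
    "bounce_tag": "X-Envelope-From: <bounce-1234@example.com>\n"
                  "From: Support <support@example.com>\n\nbody\n",
    "list": "X-Envelope-From: <list-bounces@lists.example.net>\n"
            "From: Bob <bob@example.org>\n"
            "List-Id: <users.lists.example.net>\n\nbody\n",
    "spoof": "X-Envelope-From: <x9@bulk.example.net>\n"
             "From: \"Your Bank\" <security@bank.example>\n\nbody\n",
    "no_envelope": "From: Carol <carol@example.org>\n\nbody\n",
}


def _addr(value):
    """Return (local, domain) in lower case, or None if no usable address."""
    addr = parseaddr(value or "")[1].lower()
    local, sep, domain = addr.rpartition("@")
    return (local, domain) if sep and local and domain else None


def env_from_verdict(raw):
    """Classify the relation between From and X-Envelope-From (assumed labels)."""
    msg = message_from_string(raw)
    env = _addr(msg.get("X-Envelope-From"))
    hdr = _addr(msg.get("From"))
    if env is None or hdr is None:
        return "unknown"        # header missing or empty, nothing to compare
    if env == hdr:
        return "match"
    if msg.get("List-Id") is not None:
        return "list"           # list server uses its own envelope sender
    if env[1] == hdr[1]:
        return "domain-match"   # e.g. unique bounce address, same domain
    return "mismatch"           # displayed sender unrelated to envelope


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {env_from_verdict(raw)}")
```

List-Id is set by the sender, so a "list" verdict is a reason to lower the weight of the mismatch rather than to clear the message.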
