Reject mails with two different mail addresses in From Header
Matus UHLAR - fantomas
uhlar at fantomas.sk
Fri Mar 11 14:40:01 CET 2022
please, when possible, use plaintext e-mail with mailing lists.
On 11.03.22 14:35, Nikolaos Milas wrote:
> Is there a way to drop mails which have two different mail addresses in
> the From header?
>
> This is a common trick of abusers.
>
> For example, mails with a header like:
>
> From: "<John Doe> john_doe at example.com"
> <afom-seminyak at grandmashotels.com>
>
> This is from a real mail (with a password-protected zip attachment) which
> obviously is infected.
>
> Can you please provide some amavis/SA setting(s) and/or script doing that
> job?
I've had this problem too. In SpamAssassin you can:

uncomment in v343.pre:

  loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

define rule:

  body L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()

define meta rule for already existing __PDS_FROM_2_EMAILS:

  meta L_FROM_2_EMAILS (__PDS_FROM_2_EMAILS)

- there's T_PDS_FROM_2_EMAILS which unfortunately does not hit when e.g.
  DKIM signature exists

and maybe meta rule for these:

  meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.
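
For readers who want to see the From-header check from this thread as a stand-alone script, here is an added Python example (not code from the thread's participants, SpamAssassin or amavis) that flags a From value whose display name shows an address different from the real one in angle brackets. The function names decoy_addresses and check_message are hypothetical, the address pattern is deliberately loose, and the sample message and its addresses are constructed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Deliberately loose address pattern: enough to spot an address-like token,
# not a full RFC 5322 parser.
ADDR = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"
ADDR_RE = re.compile(ADDR)
# The mailbox that delivery and replies actually use: the final <...> group.
ANGLE_RE = re.compile(r"<\s*(" + ADDR + r")\s*>\s*$")


def decoy_addresses(raw_from):
    """Return addresses shown in the display name that differ from the real
    <addr-spec> of one From header value (empty list = nothing odd)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_from)
    # Decode RFC 2047 encoded-words so an encoded decoy address is seen too.
    value = str(make_header(decode_header(unfolded))).strip()
    match = ANGLE_RE.search(value)
    if not match:
        return []  # bare address: no display name to compare against
    real = match.group(1).lower()
    shown = {a.lower() for a in ADDR_RE.findall(value[:match.start()])}
    return sorted(shown - {real})


def check_message(raw_message):
    """Map each suspicious From value in a raw message to its decoys."""
    msg = message_from_string(raw_message)
    hits = {}
    for value in msg.get_all("From", []):
        decoys = decoy_addresses(value)
        if decoys:
            hits[value] = decoys
    return hits


# Constructed sample in the shape quoted in the thread (folded header).
SAMPLE = (
    'From: "<John Doe> john_doe@example.com"\n'
    " <sender@mailer.example>\n"
    "Subject: invoice\n\nbody\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```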
More information about the amavis-users mailing list