
Mailing List Archive: SpamAssassin: users

Spoofed Email But Different User Name

 

 



mark at marksellsit

May 6, 2008, 6:14 PM

Post #1 of 5 (151 views)
Spoofed Email But Different User Name

Is there a way to have Spamassassin look for spoofed email addresses being
used as the sender's address (myname[at]mydomain.com) but using a different
user name (Viagra instead of myname)? It seems like it would be simple to
check the user name and filter results from that. Thanks for any help.
--
View this message in context: http://www.nabble.com/Spoofed-Email-But-Different-User-Name-tp17093694p17093694.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


mkettler_sa at verizon

May 6, 2008, 10:15 PM

Post #2 of 5 (142 views)
Re: Spoofed Email But Different User Name [In reply to]

mhildebr wrote:
> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address (myname[at]mydomain.com) but using a different
> user name (Viagra instead of myname)? It seems like it would be simple to
> check the user name and filter results from that. Thanks for any help.
>
A quick-and-dirty way would be set up SPF records for your domain and
enable the SPF plugin.

However, to do this you would have to know all the servers that are
authorized to send mail as your domain, (ie: all your smarthosts).

This also messes with folks who run SPF after getting mail via
forwarding services. However anyone using a forwarding service to
receive their mail should be trusting the service that forwards their
mail, unless the forwarder is doing SRS.


mouss at netoyen

May 7, 2008, 6:36 AM

Post #3 of 5 (137 views)
Re: Spoofed Email But Different User Name [In reply to]

mhildebr wrote:
> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address (myname[at]mydomain.com) but using a different
> user name (Viagra instead of myname)? It seems like it would be simple to
> check the user name and filter results from that. Thanks for any help.
>

If you have the list of all valid display names, then you can write
rules for that. Something like

# the From header carries mark's address
header __FROM_MARK From =~ /<mark\@example\.com>/
# ...and also carries the expected display name
header __REALLY_FROM_MARK From =~ /.*milderbr.*<mark\@example\.com>/

# address present but expected display name missing
meta FAKE_FROM_MARK (__FROM_MARK && !__REALLY_FROM_MARK)
score FAKE_FROM_MARK 0.1

but this does not scale. Instead, look for other patterns that catch
this spam. You can show (or use pastebin...) a sample if you want hints.


stpierre at NebrWesleyan

May 7, 2008, 8:42 AM

Post #4 of 5 (136 views)
Re: Spoofed Email But Different User Name [In reply to]

On Tue, 6 May 2008, mhildebr wrote:

> Is there a way to have Spamassassin look for spoofed email addresses being
> used as the sender's address (myname[at]mydomain.com) but using a different
> user name (Viagra instead of myname)? It seems like it would be simple to
> check the user name and filter results from that. Thanks for any help.

Bad idea. My name can be easily and legitimately displayed in dozens
of different ways, without even considering typos:

Chris St. Pierre
Chris St Pierre
Chris St-Pierre
Chris Saint Pierre
Chris Saint-Pierre
Christopher St. Pierre
...
Christopher A. St. Pierre
...
Chris A. St. Pierre
...

And so on and so forth. And if someone accidentally mistypes my name,
suddenly I'm Chirs St. Pierre or something like that, and your filter
blocks the message.

A better idea would be to just let Bayes do its thing and notice the
token -- in this case, 'Viagra' -- and score accordingly.

Or, you can manually list out the various spellings of each users'
name, and then come up with a fancy algorithm to route around
misspellings, perhaps using something like Levenshtein distance to
figure out how egregiously misspelled a name is. It'll be way more
work than it's worth, but if that's what tickles you, go for it.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
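
Added example (not part of the thread and not SpamAssassin code): the display-name check from posts #3 and #4, written in Python with plain Levenshtein distance over normalized names. The address chris@example.com, the KNOWN table and the max_dist threshold are assumptions made for illustration; the last sample shows a legitimate variant being flagged, which is the failure mode described above.

```python
import re
from email.utils import parseaddr

# Hypothetical table: our own addresses -> accepted display names (normalized).
KNOWN = {"chris@example.com": ["chris saint pierre", "christopher saint pierre"]}

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """Lowercase, strip punctuation, expand 'st' to 'saint', drop initials."""
    tokens = re.findall(r"[a-z]+", name.lower())
    tokens = ["saint" if t == "st" else t for t in tokens]
    return " ".join(t for t in tokens if len(t) > 1)

def classify(from_header, max_dist=2):
    """Return 'not-ours', 'no-name', 'match' or 'mismatch' for a From header."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr not in KNOWN:
        return "not-ours"          # address is not one we have names for
    cand = normalize(display)
    if not cand:
        return "no-name"           # bare address, nothing to compare
    best = min(levenshtein(cand, known) for known in KNOWN[addr])
    return "match" if best <= max_dist else "mismatch"

# Constructed sample From headers.
SAMPLES = [
    "Chris St. Pierre <chris@example.com>",
    "Christopher A. St. Pierre <chris@example.com>",
    "Chirs St. Pierre <chris@example.com>",      # typo, within threshold
    "Viagra <chris@example.com>",                # spoofed display name
    "C. St. Pierre <chris@example.com>",         # legitimate, yet flagged
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(f"{classify(hdr):9} {hdr}")
```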


mouss at netoyen

May 7, 2008, 9:11 AM

Post #5 of 5 (136 views)
Re: Spoofed Email But Different User Name [In reply to]

Chris St. Pierre wrote:
> On Tue, 6 May 2008, mhildebr wrote:
>
>> Is there a way to have Spamassassin look for spoofed email addresses
>> being
>> used as the sender's address (myname[at]mydomain.com) but using a different
>> user name (Viagra instead of myname)? It seems like it would be
>> simple to
>> check the user name and filter results from that. Thanks for any help.
>
> Bad idea. My name can be easily and legitimately displayed in dozens
> of different ways, without even considering typos:
>
> Chris St. Pierre
> Chris St Pierre
> Chris St-Pierre
> Chris Saint Pierre
> Chris Saint-Pierre
> Christopher St. Pierre
> ...
> Christopher A. St. Pierre
> ...
> Chris A. St. Pierre
> ...

They all match
    chris.*pierre
or, to be more conservative,
    [chris]{3}.*[pierre]{3}


>
> And so on and so forth. And if someone accidentally mistypes my name,

They aren't supposed to use your name in their From header, are they?

> suddenly I'm Chirs St. Pierre or something like that, and your filter
> blocks the message.
>
> A better idea would be to just let Bayes do its thing and notice the
> token -- in this case, 'Viagra' -- and score accordingly.

Agreed.
>
> Or, you can manually list out the various spellings of each users'
> name, and then come up with a fancy algorithm to route around
> misspellings, perhaps using something like Levenshtein distance to
> figure out how egregiously misspelled a name is. It'll be way more
> work than it's worth, but if that's what tickles you, go for it.
