jhardin at impsec
Jul 2, 2012, 6:00 PM
Post #2 of 5
(364 views)
Permalink
|
On Mon, 2 Jul 2012, Alex wrote:
> I have a spamassassin-3.3.2 on fc15 with postfix-2.8 and amavisd-2.6,
> and can't figure out how this message with multiple From: headers is
> making it through:
>
> http://pastebin.com/raw.php?i=sRpJn8qn
>
> The From and To addresses are the same, with multiple From users.
> Should I be blocking this with postfix? I was surprised there wasn't
> an existing rule for this..
>
> I otherwise don't see any other possible ideas for blocking these, so
> any advice would be greatly appreciated.
Off the top of my head:
header MANY_FROM From =~ />,/
I don't see anything for this in the standard rules. There's a
T_FROM_2_EMAILS in khopesh's sandbox, but it looks like there's not enough
in the corpus to promote it.
There was some discussion of this a few weeks back, you might search the
recent archives for "reply_to". One thing that discussion brought up was
that this is apparently valid under RFC2822.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
WSJ on the Financial Stimulus package: "...today there are 700,000
fewer jobs than [the administration] predicted we would have if we
had done nothing at all."
-----------------------------------------------------------------------
2 days until the 236th anniversary of the Declaration of Independence
|
