Bug 6487 - checking for From and EnvelopeFrom headers
Summary: checking for From and EnvelopeFrom headers
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (Eval Tests)
Version: 3.3.1
Hardware: All All
Importance: P2 blocker
Target Milestone: 3.4.0
Assignee: SpamAssassin Developer Mailing List
Reported: 2010-09-08 00:39 UTC by afk
Modified: 2014-11-15 15:02 UTC

Attachment Type Modified Status Actions Submitter/CLA Status
patch for spamassassin 3.3.1: new eval check_equal_from_domains patch None afk [NoCLA]
rules for new check_equal_from_domains eval check patch None afk [NoCLA]

Description afk 2010-09-08 00:39:03 UTC
Created attachment 4802
patch for spamassassin 3.3.1: new eval check_equal_from_domains

I added a new eval check to verify that From and EnvelopeFrom 2nd level domains are different.

This eval is especially useful in case FREEMAIL_FROM is detected.

I am not sure about scores.
Comment 1 afk 2010-09-08 00:39:45 UTC
Created attachment 4803
rules for new check_equal_from_domains eval check
Comment 2 Kevin A. McGrail 2011-11-01 20:26:43 UTC
Best I can tell, this is an interesting idea and I'm sorry it wasn't acted on sooner. 

I've put it into trunk and added rules to the sandbox to see if it shows any merit in mass checks.

svn commit -m 'Committing rule for mass check tests from bug 6487'
Sending        lib/Mail/SpamAssassin/Plugin/HeaderEval.pm
Transmitting file data .
Committed revision 1196259.

&

svn commit -m 'Committing rule for mass check tests from bug 6487'
Adding         rulesrc/sandbox/kmcgrail/20_freemail.cf
Transmitting file data .
Committed revision 1196260.
Comment 3 Mark Martinec 2011-11-02 15:43:59 UTC
> Committed revision 1196259.

Just a nitpick:

This is not the best way to fetch a domain name from an e-mail address:
  $fromdomain = $1 if ($from =~ /^[^@]+@(.+)$/);

The local part is allowed to contain '@' characters.
And the @ needs to be quoted. I also prefer to use \z if
'end of string' is intended, instead of a $ with its
newline magic.

Something like:

  $fromdomain = $1  if $from =~ /\@([^@]*)\z/;
Comment 4 Kevin A. McGrail 2011-12-10 14:19:51 UTC
This check broke rules update because the rule required code that only existed in trunk.  See Bug 6702.
Comment 6 Kevin A. McGrail 2011-12-10 14:42:25 UTC
Added a version check on the rule and implemented the revised regex from Mark. 

svn commit -m 'Bug 6487 - This is a commit with version encapsulation as this code broke updates in bug 6702.  Also implemented small regex change from Mark'
Sending        lib/Mail/SpamAssassin/Plugin/HeaderEval.pm
Sending        rulesrc/sandbox/kmcgrail/20_freemail.cf
Transmitting file data ..
Committed revision 1212803.

Keeping an eye on updates and need to see how this rule performs.

NOTE: Marked comment 5 as private; I mixed up pasting my commit info for another bug.
Comment 7 Mark Martinec 2012-05-14 18:28:32 UTC
trunk (3.4.0):

Bug 6487: checking for From and EnvelopeFrom headers
  (the other regexp too, as per comment 3)
  Sending lib/Mail/SpamAssassin/Plugin/HeaderEval.pm
Committed revision 1338329.


Close?
Comment 8 Kevin A. McGrail 2013-01-20 16:47:30 UTC
Considering resolved per patches from Mark and myself.
Comment 9 RW 2014-11-15 15:02:12 UTC
This rule currently has a score of 0.001. I don't know whether there's any merit in it, but it's not going to be possible to tell until the rule takes account of various bounce-handling and envelope-rewriting schemes (e.g. SRS).

It needs at least to exclude mail with:

- a list-id header
- a string like "reply", "bounce" etc in the envelope local-part
- the "From:" header domain in the local-part of the envelope (between word boundaries)

It should also be looping over various headers in addition to "from" such as sender, resent-from, resent-sender. This is not just to reduce FPs, but more importantly to prevent the rule working just by being a surrogate check for a sender header.
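
Added example (not SpamAssassin's code and not written by any commenter on this bug): a stand-alone Perl sketch that contrasts the two domain-extraction regexes from comment 3 and applies the exclusions listed in comment 9 to a From/EnvelopeFrom mismatch check. The function names, the hash keys, the naive last-two-labels `sld` helper and all sample addresses are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not SpamAssassin code. All addresses are constructed.
use strict;
use warnings;

# Extraction quoted in comment 3 as committed in revision 1196259.
sub domain_v1 { my ($addr) = @_; return $addr =~ /^[^@]+@(.+)$/ ? $1 : undef }

# Replacement suggested in comment 3: anchor on the last '@' and on \z.
sub domain_v2 { my ($addr) = @_; return $addr =~ /\@([^@]*)\z/ ? $1 : undef }

# Assumption: "2nd level domain" = last two labels (ignores suffixes like co.uk).
sub sld {
    my ($d) = @_;
    my @l = split /\./, lc $d;
    return join '.', (@l > 2 ? @l[-2, -1] : @l);
}

# Returns 1 when the From and envelope domains differ and none of the
# exclusions from comment 9 applies. The hash keys are hypothetical.
sub from_env_mismatch {
    my (%m) = @_;
    my ($fd, $ed) = (domain_v2($m{from}), domain_v2($m{envfrom}));
    return 0 unless defined $fd && length $fd && defined $ed && length $ed;
    return 0 if sld($fd) eq sld($ed);
    return 0 if defined $m{list_id};              # a list-id header
    my ($local) = $m{envfrom} =~ /\A(.*)\@/s;     # envelope local-part
    return 0 if $local =~ /reply|bounce/i;        # "reply", "bounce" etc
    return 0 if $local =~ /\b\Q$fd\E\b/i;         # From domain inside local-part
    return 1;
}

# A quoted local part containing '@' shows where the two regexes diverge.
my $quoted = '"a@b"@example.com';
printf "v1: %s\nv2: %s\n", domain_v1($quoted), domain_v2($quoted);

my @samples = (
    { name => 'same 2nd level', from => 'alice@mail.example.com', envfrom => 'alice@example.com' },
    { name => 'plain mismatch', from => 'alice@example.com', envfrom => 'mailer@example.net' },
    { name => 'mailing list',   from => 'alice@example.com', envfrom => 'owner@lists.example.net',
      list_id => '<dev.lists.example.net>' },
    { name => 'bounce address', from => 'alice@example.com', envfrom => 'bounce-1234@esp.example.net' },
    { name => 'SRS rewrite',    from => 'alice@example.org',
      envfrom => 'SRS0=Ab1c=XY=example.org=alice@forwarder.example' },
);
printf "%-15s mismatch=%d\n", $_->{name}, from_env_mismatch(%$_) for @samples;
```

The inputs are bare addresses, as an address-only header lookup would supply them; parsing full header values is outside what this sketch covers.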