Detecting mail with multiple From: lines

Junior Member
Posts: 47
Joined: Thu Apr 04, 2013 8:16 am

Detecting mail with multiple From: lines

Postby alexbromo » Fri Sep 13, 2013 11:58 am

Is there a way I can test whether a message has multiple *senders*?
Recently we have been receiving a lot of SPAM using multiple local (spoofed) senders.

ALex.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Detecting mail with multiple From: lines

Postby Alexander Telegin » Fri Sep 13, 2013 12:50 pm

Alex, why does the mail server allow invalid local senders? Or does the eWall proxy work in relay mode?

Junior Member
Posts: 47
Joined: Thu Apr 04, 2013 8:16 am

Re: Detecting mail with multiple From: lines

Postby alexbromo » Mon Sep 16, 2013 9:13 am

Alexander, below is the header of the SPAM mail (our domain name is translated as "mydomain.com"):

"Received: from spooler by mydomain.com (Mercury/32 v4.74); 13 Sep 2013 12:38:07 +0200
X-Envelope-To: <postmaster@mydomain.com>
Return-path: <groundbreakingskx4420@davisandsons.net>
Received: from [5.190.44.179] (192.168.10.3) by mercury.mydomain.com (Mercury/32 v4.74) with ESMTP ID MG01F742;
13 Sep 2013 12:37:58 +0200
Received: from [109.118.44.111] (account untreated803@atainvest.com HELO itmijyymkx.utuufqteu.su)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 355489820 for bmazzocchi@mydomain.com; Fri, 13 Sep 2013 14:04:58 +0330
Date: Fri, 13 Sep 2013 14:04:58 +0330
From: <bmazzocchi@mydomain.com>,
<rmoriani@mydomain.com>,
<bgentili@mydomain.com>,
<gpaccione@mydomain.com>,
<adefazio@mydomain.com>,
<info@mydomain.com>,
<scaccia@mydomain.com>,
<m_malerba@mydomain.com>,
<rgabellieri@mydomain.com>,
<vparmeggiani@mydomain.com>,
<rmalfatti@mydomain.com>,
<cmonari@mydomain.com>,
<cdipaola@mydomain.com>,
<postmaster@mydomain.com>,
<pmessina@mydomain.com>,
<mgraziosi@mydomain.com>,
<lagostini@mydomain.com>,
<mpungetti@mydomain.com>,
<lzagni@mydomain.com>
... "


HTH

ALex.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Detecting mail with multiple From: lines

Postby Alexander Telegin » Mon Sep 16, 2013 10:29 pm

Please try the following OnMessage condition:

if header field From matches regexp (.*@mydomain\.com.*){2,}

It should trigger if @mydomain.com occurs > 2 times.
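
An added example, not part of the thread and not eWall code: the same check done by parsing the From: field into mailboxes instead of pattern-matching the raw text, so display names and folded lines do not skew the count. It also flags a multi-mailbox From: that has no Sender: field, which RFC 5322 requires in that case. The function name `from_report` and the shortened sample header are constructed for illustration; `mydomain.com` is the placeholder domain used in the thread.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

LOCAL_DOMAIN = "mydomain.com"  # placeholder domain from the thread

# Constructed sample, shortened from the header quoted in the thread,
# with the continuation lines folded (leading whitespace) as on the wire.
SPOOFED = (
    "Return-path: <groundbreakingskx4420@davisandsons.net>\n"
    "Date: Fri, 13 Sep 2013 14:04:58 +0330\n"
    "From: <bmazzocchi@mydomain.com>,\n"
    " <rmoriani@mydomain.com>,\n"
    " <info@mydomain.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def from_report(raw, local_domain=LOCAL_DOMAIN):
    """Count From: mailboxes and list the reasons a message looks spoofed."""
    msg = message_from_string(raw)
    fields = msg.get_all("From", [])
    # Unfold continuation lines before handing the values to the parser.
    unfolded = [re.sub(r"\r?\n[ \t]+", " ", str(f)) for f in fields]
    addrs = [a.lower() for _, a in getaddresses(unfolded) if a]
    suffix = "@" + local_domain.lower()
    local = [a for a in addrs if a.endswith(suffix)]
    # Envelope sender as recorded by the receiving server.
    _, envelope = parseaddr(msg.get("Return-path", ""))

    reasons = []
    if len(fields) > 1:
        reasons.append("multiple From: header fields")
    if len(addrs) > 1 and msg.get("Sender") is None:
        reasons.append("several From: mailboxes without Sender:")
    if len(local) > 1 and not envelope.lower().endswith(suffix):
        reasons.append("several local senders, foreign envelope sender")
    return {"mailboxes": len(addrs), "local": len(local), "reasons": reasons}

if __name__ == "__main__":
    print(from_report(SPOOFED))
```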
