A customer is reporting phishing messages that are slipping through the spam filters in SurgeMail. I had them send the headers for an example message. It appears that SurgeMail is incorrectly parsing the From header and that is allowing the message to slip through. A copy of the From header and the spam log for this message is included below.
From: "towens@" <somedomain.tld steven-girard@Bbox.fr>
2018-04-03 08:39:32.00 ALLOWED  ip(220.127.116.11) from(email@example.com,firstname.lastname@example.org) subject(inv # xz-9988187676) friend is known (friend_known.deliver_local wild (*@somedomain.tld) in users friend.lst)
It looks like the spammers are sending bad From headers in order to intentionally trick your spam filter. How can we prevent this from happening?
We have had similar issues in the past with SurgeMail parsing using the "display" portion of From headers instead of only using the actual email address and this has caused other problems, including blocking emails from the Wall Street Journal. Can the From header parsing be made more strict so that it *ONLY* looks at the email address portion of the From header?