On 4/04/2018 3:35 AM, Jim Lohiser wrote:
A customer is reporting phishing messages that are slipping
through the spam filters in SurgeMail. I had them send the
headers for an example message. It appears that SurgeMail is
incorrectly parsing the From header and that is allowing the
message to slip through. A copy of the From header and the spam
log for this message is included below.
From: "towens@" <somedomain.tld steven-girard@Bbox.fr>
2018-04-03 08:39:32.00 ALLOWED  ip(22.214.171.124) from(email@example.com,firstname.lastname@example.org)
subject(inv # xz-9988187676) friend is known
(friend_known.deliver_local wild (*@somedomain.tld) in users
It looks like the spammers are sending bad From headers in order
to intentionally trick your spam filter. How can we prevent this
Yes remove the *@somedomani.tld from the exceptions if at all
We have had similar issues in the past with SurgeMail parsing
using the "display" portion of From headers instead of only using
the actual email address and this has caused other problems,
including blocking emails from the Wall Street Journal. Can the
From header parsing be made more strict so that it *ONLY* looks at the email address
portion of the From header?
Can you give the headers of an example message and I'll run some
tests. But fundamentally that isn't going to make a big difference I
don't think. The problem is the wild card rule means the spammers
random guess of a return address will usually work.
There are some other settings that may help, if I can see the full
headers of a problem message then I may be able to offer something
useful to cut these down.
Send headers etc to email@example.com