
List:       spamassassin-users
Subject:    Re: FREEMAIL_REPLYTO
From:       RW <rwmaillists () googlemail ! com>
Date:       2017-03-12 20:48:55
Message-ID: 20170312204855.624e4411 () gumby ! homeunix ! com

On Thu, 9 Mar 2017 23:51:13 -0600 (CST)
David B Funk wrote:


> Just searching for freemail systems in the From or ReplyTo headers by
> themselves isn't as powerful as there are lots of Ham mails that have
> freemail From or ReplyTo.
> 
> So yes it is important to find those body addresses and check to see
> if they match/NOT the "From:" address (that's its strength).

I had a look at what it does, technically it's a comparison with
Reply-To, although in the most significant case where a body address is
used, Reply-To and From are the same.

# header FREEMAIL_REPLYTO eval:check_freemail_replyto(['option'])
#
#    Checks/compares freemail addresses found from headers and body.
#
#    Possible options:
#
#    replyto    From: or body address is different than Reply-To
#               (this is the default)
#    reply      as above, but if no Reply-To header is found,
#               compares From: and body


If I'm reading it right there are three cases with
check_freemail_replyto('replyto').

A) Reply-To and From are different freemail addresses.

B) Reply-To and From are the same freemail address with a different
   freemail address in the body

C) From is not freemail, Reply-To is freemail, and there is a different
   freemail address in the body
 

FREEMAIL_REPLY is a meta rule that matches only the extra case that's
the difference between the "replyto" and "reply" options. i.e. the case
where Reply-To doesn't exist, From is freemail and there is a different
freemail address in the body.

FREEMAIL_FORGED_REPLYTO handles the case where From isn't freemail and
Reply-To is freemail. 

There's no coverage for the case where an email client reply would go
to a non-freemail address, and the real freemail contact address is in
the body. Probably such a rule would have a high FP rate. There is
check_freemail_body() which is unused but might be useful in meta rules.
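
Added example (not part of the original message and not the FreeMail plugin's own Perl code): a small Python model of the case analysis described above, useful for checking which rule a given header/body combination would fall under. The domain list, address regex and function names are assumptions constructed for this illustration.

```python
import re

# Constructed sample list; a real install uses its configured freemail domains.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def is_freemail(addr):
    return bool(addr) and addr.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS

def body_freemail(body):
    """Lower-cased freemail addresses found in the body text."""
    return {a.lower() for a in ADDR_RE.findall(body) if is_freemail(a)}

def freemail_replyto(from_addr, reply_to, body, option="replyto"):
    """Label of the case that fires ("A", "B", "C", "REPLY") or None."""
    frm = from_addr.lower()
    rt = reply_to.lower() if reply_to else None
    # Case A: two different freemail addresses in the headers.
    if rt and is_freemail(frm) and is_freemail(rt) and frm != rt:
        return "A"
    # Header address the body addresses are compared against.
    check = frm if (option == "reply" and rt is None) else rt
    if not is_freemail(check) or not (body_freemail(body) - {check}):
        return None
    if rt is None:
        return "REPLY"          # only reachable with option="reply"
    # Case A is excluded above, so frm != rt here means From is not freemail.
    return "B" if frm == rt else "C"

def freemail_reply_meta(from_addr, reply_to, body):
    """FREEMAIL_REPLY: hit under 'reply' that 'replyto' does not produce."""
    return (freemail_replyto(from_addr, reply_to, body, "reply") is not None
            and freemail_replyto(from_addr, reply_to, body, "replyto") is None)

def freemail_forged_replyto(from_addr, reply_to):
    """FREEMAIL_FORGED_REPLYTO: From not freemail, Reply-To freemail."""
    return not is_freemail(from_addr) and is_freemail(reply_to)
```

In this model the uncovered case from the last paragraph (From and Reply-To not freemail, freemail address only in the body) returns None from every function.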
