how to block

Does anyone have a rule to block this kind of message? That is, when the reply address is different from the from address? Apparently it is not blocked by SPF rules. Of course the X-Sender and the Reply-To can differ in several mails.

User-Agent: Workspace Webmail 6.12.19
Message-Id: <20231204082343.b8417d9fe82614c9fc1da21a2829058a.d6c3f1c6b6.wbe@email26.secureserver.net>
From: <<myname>> <<myemailaddress>
X-Sender: yj132@yeijer.vn
Reply-To: <<myname>> <acostermisty@yahoo.com>
To: <<Finance of my company>> <<finance@mycompany>>

  • Verified Answer

    +1  

    SPF isn't for this.  SPF testing is done during the SMTP transaction phase of receiving a message, which is before the MIME message has been received.  If the node in the scanner is used (rather than SPF in the SMTP interface), it is done later, but still with the information from the SMTP protocol.  As such, SPF is used to compare the sender's domain from the SMTP transaction with their designated sender IP address, if defined.

    Generic address field comparison for blocking will always end up with problems.  The various 'sender' fields deliberately exist in the MIME specification and are intended specifically to allow alternative addresses for different reasons.  Bulk mail systems, notification systems and automated mail output systems utilize this service frequently.  Although less common these days, it's also used by individuals sending 'on behalf' of other people.  The most common occurrence of these mismatched addresses is found in 3rd party newsletters.  The 'from' address will be from the mailer that created the message, but the reply-to will be the person that needs to be contacted.

    Identifying specific domains that you are sure will never have a mismatch could be achieved fairly easily with a chain of filters that require all addresses to be a specific domain.  However, the fact that you've used yahoo as your example suggests that you're thinking this could be done generically.

    TLDR; comparing sender addresses doesn't help like you think it might.
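
The per-domain check described in the answer, as an added example that is not part of the original thread and is not any product's filter syntax: it only inspects mail whose From is in a domain you have listed, and reports Reply-To, Sender or X-Sender addresses outside that list. `PROTECTED_DOMAINS`, `CHECKED_HEADERS`, the function names and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: domains you are sure never use a foreign reply or sender address.
PROTECTED_DOMAINS = {"mycompany.example"}
# Headers compared against From; X-Sender is the one seen in the question.
CHECKED_HEADERS = ("Reply-To", "Sender", "X-Sender")

def _domains(msg, header):
    """Lower-cased domains of every address found in one header."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {addr.rpartition("@")[2].lower()
            for _name, addr in getaddresses(values) if "@" in addr}

def foreign_addresses(raw_message, protected=PROTECTED_DOMAINS):
    """Return (header, domain) pairs that leave the protected domains.

    Only messages whose From is entirely inside a protected domain are
    checked, so newsletters and on-behalf-of mail from others are ignored.
    """
    msg = message_from_string(raw_message)
    from_domains = _domains(msg, "From")
    if not from_domains or not from_domains <= protected:
        return []
    return [(header, domain)
            for header in CHECKED_HEADERS
            for domain in sorted(_domains(msg, header))
            if domain not in protected]

# Constructed samples (not real traffic).
SPOOFED = """\
From: My Name <me@mycompany.example>
X-Sender: someone@mailer.example
Reply-To: My Name <lookalike@freemail.example>
To: Finance <finance@mycompany.example>

body
"""
NEWSLETTER = """\
From: News <news@bulkmailer.example>
Reply-To: Editor <editor@publisher.example>
To: me@mycompany.example

body
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("newsletter", NEWSLETTER)):
        print(name, foreign_addresses(raw))
```

The newsletter sample returns an empty list because its From domain is not in the protected set, which is the case the answer warns a generic comparison would wrongly block.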
