On Fri, 23 Nov 2018 at 16:43, Luca Bertoncello via Exim-users <
exim-users@???> wrote:
> Hi list,
>
> we receive many E-Mails with faked From (Header), and I'm trying to
> block them.
> Currenty I extract the domain (most our own domain) and check it for
> SPF.
>
> Hier my code to extract the From:
>
> warn set acl_m_from =
> ${extract{2}{@}{${reduce{${addresses:$h_from:}}{}{$item}}}}
>
> Unfortunately we receive E-Mail with TWO From addresses, such:
>
> From: Blah <blah@???> <blub@???>
>
> and then my code does not work anymore...
>
> Can someone help me to extract the FIRST address from the faked header?
>
How about keeping it simple (or this doesn't work for you)? :
# A remote host using my Domain is wrong
deny
hosts = ! : !+relay_from_hosts
message = Using my domain is identity theft.
condition = ${if match{${lc:$h_from:}}{${lc:$qualify_domain}}}
condition = ${if match{${lc:$h_from:}}{\NYOUR.MAIL.DOMAIN.NAME\N}}
condition = ${if match_domain{$sender_address_domain}{+local_domains}}
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
