Sebastian Arcus via Exim-users wrote on 21.11.2023 13:50:
> Hello everyone. Currently I use the ACL below to look for domain
> impersonation in From: header of inbound email:
>
> condition = ${if match_domain{${domain:$h_from:}}
> {+local_domains}{true}{false}}
>
> This has been working very well, but the spammers are getting cleverer,
> and now we are receiving emails with the From header formatted like so:
>
> From: "Joe Bloggs <joe.bloggs@???> via iPhone"
> <some_random@???>
>
> The above ACL doesn't kick in, as I assume it matches only against the
> email part, not the name/description part.
>
> Is there another way of using regular expressions to match against the
> description/name part of the From: header? The difficulty I suppose is
> that I need to match against the +local_domain list, not just a single
> domain. Anyone knows if the $rh_from includes the description part in
> between quotes? I've been going through the documentation, but can't
> work out if it does.
>
> I realise the above might bounce emails from mailing lists which include
> the recipient's email in between the quotes - but this site never uses
> any mailing lists, so that should be safe.
>
> Any hints much appreciated
Try this to find local domains in any part of the From header:
condition = ${if forany {<;
${sg{$h_From:}{\N[<>\s:@'"/]+\N}{;}}}{match_domain{$item}{+local_domains}}{true}{false}}
--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key:
https://victor.corvax.kiev.ua/corvax.asc
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/