I receive fake emails with several addresses in "From:". For example:

Return-Path: <karen@reachouttransport.co.zw>
X-Original-To:  
Delivered-To:  
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=129.232.213.67; helo=peewee.webdevworld.com; envelope-from=karen@reachouttransport.co.zw; receiver=<UNKNOWN> 
Received: from peewee.webdevworld.com (peewee.webdevworld.com [129.232.213.67])
... 
Date: Tue, 13 Nov 2018 10:51:03 -0500
From:  John Sample <some@domain.com> <karen@reachouttransport.co.zw>
To:

The email seems to be sent by some@domain.com (it is one of our real contacts), but the real sender is karen@reachouttransport.co.zw.

I want to deny emails with multiple addresses in the FROM field. What tool or Postfix parameter can I use to stop this?

I use Postfix 3.3 + ESET Mail Security + RBL + SPF

Thanks!

strobering
  • If the addresses were separated by commas, then it would be covered by RFCs, look here: https://serverfault.com/questions/554520/smtp-allows-for-multiple-from-addresses-in-the-rfc-was-this-ever-useful-why-do – marsh-wiggle Nov 13 '18 at 17:56
  • OK, SMTP allows multiple addresses in the FROM field. But these emails are fake every time and I want to filter them. Finally I managed to deny these emails with Postfix header_checks and regular expressions. Thank you very much anyway. – strobering Nov 15 '18 at 17:26
  • I'm very interested in your code. Can you post it as an answer? – marsh-wiggle Nov 19 '18 at 12:03
  • Yes of course. This code is not pretty but it's working. I haven't much experience with regular expressions. If someone knows how to optimize it, let me know. Add in header_checks: /From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>/ REDIRECT fake@domain.com – strobering Nov 20 '18 at 14:32
  • It's better to post it as answer not as comment. Thanks anyway :) – marsh-wiggle Nov 20 '18 at 14:42

1 Answer

As I said in the comment, I was able to filter these emails by adding this to Postfix's header_checks:

/From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>/ REDIRECT fake@domain.com

Any improvement to this regular expression will be appreciated. Thanks!

strobering
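An added example, not part of the original answer: the posted header_checks pattern evaluated next to a hypothetical tighter one, to show which headers each would act on. The `TIGHTER` pattern and every sample header except the first are assumptions constructed for this illustration; the first sample is the From line from the question.

```python
import re

# Pattern as posted in the answer. Postfix regexp: tables match
# case-insensitively by default, so IGNORECASE mirrors that here.
POSTED = re.compile(
    r'From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>', re.I)

# Hypothetical tighter pattern (not from the page): anchored to the header
# name, and the two <addr> tokens may not have a comma between them, so an
# RFC 5322 comma-separated mailbox list is left alone.
TIGHTER = re.compile(
    r'^From:.*<[^<>@]+@[^<>@]+>[^,<]*<[^<>@]+@[^<>@]+>', re.I)

# First entry is the header from the question; the rest are constructed.
SAMPLES = [
    'From:  John Sample <some@domain.com> <karen@reachouttransport.co.zw>',
    'From: John Sample <some@domain.com>',
    'From: Alice <alice@example.org>, Bob <bob@example.org>',
    'From: "Sample, John" <some@domain.com> <other@example.net>',
    'Subject: Re: From: Bob <bob@example.org> cc <carol@example.org>',
]

def report(headers=SAMPLES):
    """Return (posted_hit, tighter_hit, header) for each logical header line."""
    return [(bool(POSTED.search(h)), bool(TIGHTER.search(h)), h)
            for h in headers]

if __name__ == "__main__":
    print("posted tighter header")
    for posted, tighter, header in report():
        print(f"{posted!s:6} {tighter!s:7} {header}")
```

Both patterns catch the stacked-address header from the question; the posted one also fires on the comma-separated list and on a Subject line that merely contains "From:". A candidate pattern can be checked against the real table with `postmap -q "From: ..." regexp:/path/to/header_checks` before it goes live.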