AW: Quarantine From Header differ From Body

Braun, Thomas [WEKAL] thomas.braun at
Wed Nov 29 07:26:16 UTC 2017

>> Hello List,
>> is there an option/way to simply quarantine all faked Body-From mails when this differs, case-insensitively, from the Header-From?
> What do you mean by faked Body-From Mails as opposed to Header-From?
> Do you mean the From: header as opposed to the envelope sender? If so, you could probably create SpamAssassin rules to do it, but I think it is a bad idea. Many legitimate emails have a From: header address different from the envelope sender. This reply as you receive it from the list is but one example.

Hi Mark,

We get phishing mails in which supposedly one of our own employees writes to another and wants him to click a link. Not all of our employees are clever enough to check this.
I am searching for a solution to filter mails with a visible
From: "MyKnownFellow <fellow at mycompany>" and an invisible envelope <hackedbox at othercompany>

Those mails have been getting more and more frequent lately. They even fake our signature and have better grammar, so it is hard to spot.
Perhaps there is a better way...
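
An added example, not part of the original post or of MailScanner: a Python check that quarantines only mail whose visible From: claims one of your own domains while the envelope sender is external, so ordinary list traffic like the case Mark mentions still passes. The domain names, the sample messages and the use of Return-Path as the envelope sender are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder for the organisation's own mail domain(s).
OWN_DOMAINS = {"mycompany.example"}
# Finds an address typed into a display name and captures its domain.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw, envelope_sender=None):
    """Return 'quarantine' or 'pass' for one raw message.

    envelope_sender is the SMTP MAIL FROM; when it is not supplied, the
    Return-Path header written at final delivery is used instead.
    """
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    if envelope_sender is None:
        envelope_sender = parseaddr(msg.get("Return-Path", ""))[1]
    # Domains the reader sees: the real From: address plus any address
    # written inside the display name. All comparisons are lower-cased.
    claimed = {domain_of(from_addr)}
    claimed.update(d.lower() for d in ADDR_IN_TEXT.findall(display))
    if claimed & OWN_DOMAINS and domain_of(envelope_sender) not in OWN_DOMAINS:
        return "quarantine"
    return "pass"

# Constructed sample messages (not taken from real traffic).
SAMPLES = {
    "spoofed_header": 'Return-Path: <hackedbox@othercompany.example>\n'
                      'From: Fellow <fellow@mycompany.example>\n\nclick\n',
    "spoofed_display": 'Return-Path: <hackedbox@othercompany.example>\n'
                       'From: "MyKnownFellow <fellow@MyCompany.example>" '
                       '<hackedbox@othercompany.example>\n\nclick\n',
    "list_traffic": 'Return-Path: <list-bounces@lists.example>\n'
                    'From: Mark <mark@elsewhere.example>\n\nreply\n',
    "internal": 'Return-Path: <fellow@MYCOMPANY.example>\n'
                'From: Fellow <fellow@mycompany.example>\n\nhello\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_message(raw))
```

A message from one of your own users that comes back through an external mailing list, or that a third-party service sends on your domain's behalf, also matches this check, so those senders need an allowlist before anything is quarantined automatically.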
