AW: Quarantine From Header differ From Body

Peter Lemieux mailscanner at
Wed Nov 29 15:34:20 UTC 2017

Are these messages coming in from outside your network but appear to be 
coming from people inside?  If there are no legitimate reasons why mail 
carrying your domain should come from the outside, then the simplest 
solution is to block them at the doorstep with either access rules in 
sendmail or PCRE rules in Postfix.  You can also permit specific addresses, 
say mail from an external webserver, while blocking any other mail allegedly 
coming from your domain.


On 11/29/2017 02:26 AM, Braun, Thomas [WEKAL] wrote:
>>> Hello List,
>>> is there an option/way to simply quarantine all faked Body-From mails when this differs, case-insensitively, from the Header-From?
>> What do you mean by faked Body-From Mails as opposed to Header-From?
>> Do you mean the From: header as opposed to the envelope sender? If so, you could probably create SpamAssassin rules to do it, but I think it is a bad idea. Many legitimate emails have a From: header address different from the envelope sender. This reply as you receive it from the list is but one example.
> Hi Mark,
> we get phishing mails where supposedly our own employees write to another one and want him to click a link. Not all of our employees are clever enough to check this.
> I am searching for a solution to filter mails with a visible
> From: "MyKnownFellow <fellow at mycompany>" and an invisible envelope <hackedbox at othercompany>
> Those mails are getting more and more frequent lately. And they even fake our signature and have better grammar. So it is hard to spot.
> Perhaps there is a better way...
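
The decision logic discussed in this thread, as an added example that is not part of the original messages and not MailScanner, sendmail or Postfix code: mail arriving from outside is rejected when its envelope sender claims the local domain, quarantined when only the From: header claims it, and passed when the envelope sender is an explicitly permitted address. The domain `mycompany.example`, the allow-list entry and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "mycompany.example"              # assumption: placeholder local domain
ALLOWED_ENVELOPE = {"www@webserver.example"}  # assumption: permitted external sender


def domain_of(address):
    """Lower-cased domain part of an address ('' if it has none)."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def verdict(client_is_internal, envelope_sender, raw_message):
    """Return 'pass', 'reject' or 'quarantine' for one message.

    client_is_internal: True if the connecting host is inside the network.
    envelope_sender:    the SMTP MAIL FROM address.
    raw_message:        headers and body as text.
    """
    if client_is_internal:
        return "pass"
    env_addr = parseaddr(envelope_sender)[1].lower()
    if env_addr in ALLOWED_ENVELOPE:
        return "pass"                      # e.g. the external webserver
    if domain_of(env_addr) == OWN_DOMAIN:
        return "reject"                    # envelope claims our domain from outside
    header_from = message_from_string(raw_message).get("From", "")
    if domain_of(header_from) == OWN_DOMAIN:
        return "quarantine"                # visible From: is ours, envelope is not
    return "pass"                          # list mail etc.: differs, but not claiming us


# Constructed sample messages
SPOOFED = ('From: "MyKnownFellow" <Fellow@MyCompany.Example>\n'
           "Subject: please check this link\n\nbody\n")
LIST_MAIL = ("From: Someone <someone@elsewhere.example>\n"
             "Subject: Re: list thread\n\nbody\n")
WEB_FORM = ("From: Web form <noreply@mycompany.example>\n"
            "Subject: contact request\n\nbody\n")

if __name__ == "__main__":
    print(verdict(False, "<hackedbox@othercompany.example>", SPOOFED))
    print(verdict(False, "list-bounces@lists.example", LIST_MAIL))
    print(verdict(False, "www@webserver.example", WEB_FORM))
```

The domain comparison is case-insensitive, and ordinary list mail whose From: header differs from its envelope sender still passes because neither address claims the local domain.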

