From rbolling at elliott-turbo.com Fri Apr 4 19:08:55 2025 From: rbolling at elliott-turbo.com (Richard Bollinger (Richard A Bollinger)(ETCI)) Date: Fri, 4 Apr 2025 15:08:55 -0400 Subject: Ruleset From: address Message-ID: Is there a way in a ruleset to match on a visible from address vs the envelope from address? -- CONFIDENTIALITY NOTICE: This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ricky.boone at gmail.com Sat Apr 5 04:59:15 2025 From: ricky.boone at gmail.com (Ricky Boone) Date: Sat, 5 Apr 2025 00:59:15 -0400 Subject: Ruleset From: address In-Reply-To: References: Message-ID: I don't believe so. Alternatively, depending on what you're ultimately trying to solve for, using SpamAssassin rules or other configuration statements may work instead. On Fri, Apr 4, 2025 at 5:05?PM Richard Bollinger (Richard A Bollinger)(ETCI) via MailScanner wrote: > > Is there a way in a ruleset to match on a visible from address vs the envelope from address? > > > CONFIDENTIALITY NOTICE: This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > From rbolling at elliott-turbo.com Sun Apr 6 14:22:43 2025 From: rbolling at elliott-turbo.com (Richard Bollinger (Richard A Bollinger)(ETCI)) Date: Sun, 6 Apr 2025 10:22:43 -0400 Subject: Ruleset From: address In-Reply-To: References: Message-ID: For my purposes I came up with a quick fix, a patch to Sendmail.pm that uses the header information to overwrite the "from" data from the envelope. # diff -u Sendmail.pm.0 Sendmail.pm --- Sendmail.pm.0 2019-01-27 14:49:14.000000000 -0500 +++ Sendmail.pm 2025-04-06 10:17:35.280422217 -0400 @@ -313,6 +313,17 @@ $from =~ s/\s*>$//; # trailing <> $message->{from} = lc($from); $SFound = 1; # We have found the sender +MailScanner::Log::NoticeLog("Envelope From: %s", $message->{from}); + } + if ($Line =~ /^H\?\?[fF][rR][oO][mM]:\s/) { + $from = $Line; + #chomp $from; + $from =~ s/^H\?\?[fF][rR][oO][mM]:\s//; + $from =~ s/[^<]*<\s*//; # leading and + $from =~ s/\s*>$//; # trailing <> + $message->{from} = lc($from); +MailScanner::Log::NoticeLog("Header From: %s", $message->{from}); + $SFound = 1; # We have found the sender } if ($Line =~ /^\$_/) { $ip = $Line; Ideally this would save the header from to a different structure element, perhaps "$message->{hfrom}", with another patch so that rules could reference "HFrom:" vs "From:", but I couldn't figure out that part of the code in Message.pm On Sat, Apr 5, 2025 at 12:59?AM Ricky Boone wrote: > I don't believe so. Alternatively, depending on what you're > ultimately trying to solve for, using SpamAssassin rules or other > configuration statements may work instead. > > On Fri, Apr 4, 2025 at 5:05?PM Richard Bollinger (Richard A > Bollinger)(ETCI) via MailScanner > wrote: > > > > Is there a way in a ruleset to match on a visible from address vs the > envelope from address? > > > > > > CONFIDENTIALITY NOTICE: This E-mail, along with any attachments, is > considered confidential and may well be legally privileged. If you have > received it in error, you are on notice of its status. Please notify us > immediately by reply e-mail and then delete this message from your system. > Please do not copy it or use it for any purposes, or disclose its contents > to any other person. Thank you for your cooperation. > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > > https://urldefense.com/v3/__http://lists.mailscanner.info/mailman/listinfo/mailscanner__;!!JT12okTYBSM!ReEFHwXVe_Kikd8twNrjtKHSBqy_K9UmXrMPj5p6jvYY7mV7yf81os8W8yRyAh2gV1D3uCvvYx2n09J17EZqPybVtA$ > [lists[.]mailscanner[.]info] > > > -- CONFIDENTIALITY NOTICE: This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation. -------------- next part -------------- An HTML attachment was scrubbed... URL: From randy at camp-of-the-woods.org Wed Apr 16 12:53:32 2025 From: randy at camp-of-the-woods.org (Randy Huseland) Date: Wed, 16 Apr 2025 12:53:32 +0000 Subject: possible fraud attempt Message-ID: Have seen this message: MailScanner has detected a possible fraud attempt from "www.camp-of-the-woods.org" claiming to be [cid:image005.png at 01D8C761.630AD8C0] cotw.org We own both domains and use both interchangeably. Is there anything that can be done to keep this message from coming up for Mailscanner customers we communicate with? [cid:ef2b2b2b-1176-4814-97a6-3d4a86b705aa] Randy Huseland IT Manager [cid:fde2af59-937c-4957-afd1-e38660b2476b] P.O. Box 250 Speculator, NY 12164 [cid:8522b2a1-46b1-4c48-9a83-5ea82d390670] (518) 548-4311 ext. 4838 [cid:277ecd1b-7e81-49bf-8a58-d5a5b6333ffc] cotw.org [cid:688e42af-b9c1-4400-b45d-59a1eb08ca1e] /cotw1900 [cid:7311842b-8ba6-4e92-a933-e7af6873ff1e] @campofthewoods [cid:8b6695ba-f133-4c8e-ba74-eeda7f93af19] /cotw1900 The mission of Gospel Volunteers, Inc. is to present the Biblical truths of Jesus Christ, develop Christian leaders, strengthen the faith of individuals and families, and promote global evangelism. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 430 bytes Desc: image.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-lfrdgub4.png Type: image/png Size: 20318 bytes Desc: Outlook-lfrdgub4.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-jh3wlhlv.png Type: image/png Size: 341 bytes Desc: Outlook-jh3wlhlv.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-1bc2kajc.png Type: image/png Size: 433 bytes Desc: Outlook-1bc2kajc.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-0ph1jjuv.png Type: image/png Size: 398 bytes Desc: Outlook-0ph1jjuv.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-bj5lo4z5.png Type: image/png Size: 740 bytes Desc: Outlook-bj5lo4z5.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-pdindkup.png Type: image/png Size: 645 bytes Desc: Outlook-pdindkup.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-iioryunt.png Type: image/png Size: 534 bytes Desc: Outlook-iioryunt.png URL: From mark at msapiro.net Wed Apr 16 15:22:23 2025 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 16 Apr 2025 08:22:23 -0700 Subject: {Disarmed} possible fraud attempt In-Reply-To: References: Message-ID: <1cc70ba0-3e24-49bd-ab19-97394a83d43f@msapiro.net> On 4/16/25 5:53 AM, Randy Huseland wrote: > Have seen this message: > > *_*MailScanner has detected a possible fraud attempt from "www.camp-of- > the-woods.org" claiming to be* MailScanner has detected a possible fraud > attempt from "www.camp-of-the-woods.org" claiming to be www.camp-of-the-woods.org/>_*_*MailScanner has detected a possible fraud > attempt from "www.camp-of-the-woods.org" claiming to be* > cid:image005.png at 01D8C761.630AD8C0??cotw.org woods.org/>_ > > We own both domains and use both interchangeably.? Is there anything > that can be done to keep this message from coming up for Mailscanner > customers we communicate with? Don't include links in the email where the displayed text looks like a url with a different site. I.e., it looks like you have www.camp-of-the-woods.org or cotw.org or www.camp-of-the-woods.org Have seen this message: MailScanner has detected a possible fraud attempt from "www.camp-of-the-woods.org" claiming to be MailScanner has detected a possible fraud attempt from "www.camp-of-the-woods.org" claiming to be MailScanner has detected a possible fraud attempt from "www.camp-of-the-woods.org" claiming to be [cid:image005.png at 01D8C761.630AD8C0] cotw.org We own both domains and use both interchangeably. Is there anything that can be done to keep this message from coming up for Mailscanner customers we communicate with? [Unlabeled Image] Randy Huseland IT Manager [Unlabeled Image] P.O. Box 250 Speculator, NY 12164 [Unlabeled Image] (518) 548-4311 ext. 4838 MailScanner has detected a possible fraud attempt from "www.camp-of-the-woods.org" claiming to be [Unlabeled Image] cotw.org [Unlabeled Image] /cotw1900 [Unlabeled Image] @campofthewoods [Unlabeled Image] /cotw1900 The mission of Gospel Volunteers, Inc. is to present the Biblical truths of Jesus Christ, develop Christian leaders, strengthen the faith of individuals and families, and promote global evangelism. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- www.fonant.com - Quality web sites Tel. 01903 867 810 Fonant Ltd is registered in England and Wales, company No. 7006596 Registered office: Broadway Court, Brighton Road, Lancing, West Sussex, United Kingdom, BN15 8JT -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 430 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-lfrdgub4.png Type: image/png Size: 20318 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-jh3wlhlv.png Type: image/png Size: 341 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-1bc2kajc.png Type: image/png Size: 433 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-0ph1jjuv.png Type: image/png Size: 398 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-bj5lo4z5.png Type: image/png Size: 740 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-pdindkup.png Type: image/png Size: 645 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Outlook-iioryunt.png Type: image/png Size: 534 bytes Desc: not available URL: