This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Some malwares are implementing a technique to spoof email that consist in having two email address in the "From" header: | |
| # From: Amazon Legit Account <confirm@amazon.com> <reception.lvh@hackedemail-domain.com> | |
| # Usually the email clients only show the first email | |
| # This is a local spamassassin rule to prevent this kind of email spoofing. | |
| describe LOCAL_TWO_FROM_EMAILS The From has two emails, probably email spoofing | |
| header LOCAL_TWO_FROM_EMAILS From =~ /<.*\@.*>\s+<.*\@.*>/i | |
| score LOCAL_TWO_FROM_EMAILS 9.0 # Set this value at your discretion |