From, X-Sender and Reply-To all point to different domains.

Forum for MailWasher Pro 7 and/or older 2011/2012 versions.
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Thu Oct 20, 2016 10:22 am

Is there some way to add extra filtering when the From, X-Sender and Reply-To of an e-mail all point to different domains? We had a very convincing (albeit terse) e-mail slip through today, many of our staff reported it, and on closer inspection, although the From address was completely valid, the Reply-To was not, and the X-Sender was something altogether completely different.

If there is a way to set up a filter to parse out the domain of these fields, compare them, and increase the chance of spam for every time it doesn't match?
Sidewinder
Weary Womble
Posts: 11676
Joined: Sun Mar 29, 2009 2:05 pm

Thu Oct 20, 2016 10:51 am

It sounds like you should be able to add a Filter, select Header, and then specify the domains that you want to block, or use a negative approach and enable only domains that you are interested in.
I am not a Firetrust employee. Just a MW User & Volunteer BETA Tester.
Remember "FREEDOM IS NEVER FREE" U.S.N.
DT W7 64 HP SP1 16GB Ram - LT W7 32 HP SP1 4GB Ram - iPad4 64 GB Ram WiFi/Cellular IOS 9.3 Beta 3
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Thu Oct 20, 2016 10:57 am

Yes, this would work, if there were a specific list of domains I was interested in.

However, I'm interested in the comparison of the domains that are represented in an e-mail, with no regard for what the values are.

For example:

From: Dan@ccdsystems.com, X-Sender: webadmin@ccdsystems.com, Reply-To: bob@ccdsystems.com
ccdsystems.com = ccdsystems.com = ccdsystems.com -- This would be valid, no "spam points"

The e-mail we received today:

From: "Bob" <smythe@ccdsystems.com>, X-Sender: katie@katiefosterinteriordesign.com, Reply-To: "Bob Smythe" <ceoexecutiveinfo@gmail.com>
ccdsystems.com <> katiefosterinteriordesign.com <> gmail.com -- This should have major spam points.
Sidewinder
Weary Womble
Posts: 11676
Joined: Sun Mar 29, 2009 2:05 pm

Thu Oct 20, 2016 12:18 pm

DanAtCCD wrote:Yes, this would work, if there were a specific list of domains I was interested in.

However, I'm interested in the comparison of the domains that are represented in an e-mail, with no regard for what the values are.

For example:

From: Dan@ccdsystems.com, X-Sender: webadmin@ccdsystems.com, Reply-To: bob@ccdsystems.com
ccdsystems.com = ccdsystems.com = ccdsystems.com -- This would be valid, no "spam points"

The e-mail we received today:

From: "Bob" <smythe@ccdsystems.com>, X-Sender: katie@katiefosterinteriordesign.com, Reply-To: "Bob Smythe" <ceoexecutiveinfo@gmail.com>
ccdsystems.com <> katiefosterinteriordesign.com <> gmail.com -- This should have major spam points.
I think what you want is doable using Regex expressions.
Sidewinder
Weary Womble
Posts: 11676
Joined: Sun Mar 29, 2009 2:05 pm

Thu Oct 20, 2016 2:49 pm

You might want to check out the REGEX filters here or consult with this user:

http://www.wizcrafts.net/mwp-filters.html#filterz
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Fri Oct 21, 2016 6:23 am

Thanks, Sidewinder, for your input.

I haven't seen anywhere that describes how you can use RegEx to compare one field against another field, only how you can parse the contents of the selected field, and compare it against a known list of output.

That Custom MailWasher Pro Spam Filters list is impressive, and it's obvious that Wizcraft has put a lot of work into it, and I'll be certain to use it. It may have caught the e-mail in question, if it happened to drop into one of the many buckets he's set up, but I'm looking for a heuristic-type filter that doesn't compare actual content, but the relationship between content.

This way, I'm not blocking gmail.com, but if a mail claims to come from gmail.com, but its Return-To path is spandex.ru, then that will raise a flag. If its X-Sender is also different, say to yahoo.ca, then it's 100% guaranteed spam.

Doesn't matter what the content of the fields are, if they all don't agree (a common trait among spam) then I don't care, throw it.
Sidewinder
Weary Womble
Posts: 11676
Joined: Sun Mar 29, 2009 2:05 pm

Fri Oct 21, 2016 6:40 am

DanAtCCD wrote:Thanks, Sidewinder, for your input.

I haven't seen anywhere that describes how you can use RegEx to compare one field against another field, only how you can parse the contents of the selected field, and compare it against a known list of output.

That Custom MailWasher Pro Spam Filters list is impressive, and it's obvious that Wizcraft has put a lot of work into it, and I'll be certain to use it. It may have caught the e-mail in question, if it happened to drop into one of the many buckets he's set up, but I'm looking for a heuristic-type filter that doesn't compare actual content, but the relationship between content.

This way, I'm not blocking gmail.com, but if a mail claims to come from gmail.com, but its Return-To path is spandex.ru, then that will raise a flag. If its X-Sender is also different, say to yahoo.ca, then it's 100% guaranteed spam.

Doesn't matter what the content of the fields are, if they all don't agree (a common trait among spam) then I don't care, throw it.
I would suggest that you confer with Wizcrafts about the issue. He is a Beta Tester here.
User ID is Wizcrafts, PM him and refer to your topic with what you are trying to do.
TrustFire
βeta Tester
Location: 127.0.0.1
Posts: 13164
Joined: Fri Jul 30, 2010 11:04 pm

Fri Oct 21, 2016 9:52 am

DanAtCCD wrote:Is there some way to add extra filtering when the From, X-Sender and Reply-To of an e-mail all point to different domains?

If there is a way to set up a filter to parse out the domain of these fields, compare them, and increase the chance of spam for every time it doesn't match?
DanAtCCD wrote:I haven't seen anywhere that describes how you can use RegEx to compare one field against another field, only how you can parse the contents of the selected field, and compare it against a known list of output.
You don't need to — it is better to keep things uncomplicated (moreover, introducing complex RegEx can slow down MWP auditing.)

You might rather want to copy the contents of the offending mails from under the Source tab of MWP onto Notepad and then compare them for the common denominator which you can then use to form the basis of your filter field.

DanAtCCD wrote:We had a very convincing (albeit terse) e-mail slip through today, many of our staff reported it, and on closer inspection, although the From address was completely valid, the Reply-To was not, and the X-Sender was something altogether completely different.
The From and the Reply-To fields are the most susceptible ones — unfortunately, most folks tend to depend upon the From field for their filtration. You may want to check out various other filter fields which are far more reliable and also less likely to be abused by spammers — my favorite one is the Return Path field.

DanAtCCD wrote:but I'm looking for a heuristic-type filter that doesn't compare actual content, but the relationship between content.
Matter of fact, everything about MWP is heuristic — whichever way you choose to look at it and that exactly is my pet peeve with MWP.
MailWasher Pro (βeta) | Windows 11 Enterprise LTSC (22H2) | The Bat! Professional (βeta) | Windows 10 Firewall Control (βeta) | ESET Endpoint Antivirus (βeta) | nVIDIA GeForce (GTX 1060) | WebView2 Runtime (118.0.2088.61) | .NET Framework (4.8.1)
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Sat Oct 22, 2016 3:18 am

So, I can't extract the domain from the Return Path, compare it against the domain extracted from the From, and flag it if the two domains don't match?

Trustfire, you do a wonderful job of keeping your growing list of filters relevant, but I see that it takes work. Me, I'm just looking for one more tool in a toolbox that I don't have to look after.
TrustFire
βeta Tester
Location: 127.0.0.1
Posts: 13164
Joined: Fri Jul 30, 2010 11:04 pm

Sat Oct 22, 2016 4:02 am

DanAtCCD wrote:So, I can't extract the domain from the Return Path, compare it against the domain extracted from the From, and flag it if the two domains don't match?
You can play the senseless and never-ending domain matching game — but, that is just like using a hammer against a swarm of ants. :(

DanAtCCD wrote:Trustfire, you do a wonderful job of keeping your growing list of filters relevant, but I see that it takes work.
My filters over the past 5 years have actually reduced because unlike 99.99% of MWP Users, I am not dependent on its heuristic powers — also for the most part, those filters are maintenance-free. :D

Here is a reality check, for you — just navigate to your User Files (C:\Users\Your_Profile_Name\AppData\Roaming) and measure the size of your Firetrust directory.

DanAtCCD wrote:Me, I'm just looking for one more tool in a toolbox that I don't have to look after.
The hammer movie never comes to its logical end — you will have to continue playing Thor because quite a few bona fide Senders (like me) exploit the benefits of dual domains. :devil

Crafting exception rules & filters to whitelist bona fide Senders will grow into your part-time job.

ps:—
  • Don't forget — MWP is bearing the brunt of the hammer, too.
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Sat Oct 22, 2016 4:36 am

I think we are agreeing, but we're getting stuck on the terminology.

I don't want to play "whack-a-mole" with domain names. There are thousands of them, and most of the time they are fictitious.
I just want to compare the text of "From: Bob@[----A----]" to "Reply-To: Bill@[----B----]" and "Return-Path: Mary@[----C----]"

If [----A----] <> [----B----] <> [----C----], flag it as spam.

I don't care *what* [----A----] is (it could be gmail.com, hotmail.com, ccdsystems.com, or NSA.gov). I just want to know how well the three values agree or disagree.
If they all disagree, flag it. If one out of the three disagree, mark it down. If all three agree, then let it ride.

If there is no way to extract values from 3 separate fields and compare them, then just tell me -- that's the answer. No matter what I want, I just can't get there from here.
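
The three-way comparison described in the post above, written out as a stand-alone Python script. This is an added example, not part of the original thread and not MailWasher Pro filter syntax; the function names, verdict labels and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Identity headers named in the thread; absent ones are simply skipped.
HEADERS = ("From", "Reply-To", "X-Sender", "Return-Path")
VERDICTS = {0: "no-address", 1: "pass", 2: "mark-down"}  # 3 or more -> "flag"

def header_domains(raw_message):
    """Return {header name: lower-cased domain of its first address}."""
    msg = message_from_string(raw_message)
    domains = {}
    for name in HEADERS:
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if "@" in addr:
                # Exact-domain comparison: mail.example.com != example.com.
                domains[name] = addr.rsplit("@", 1)[1].lower().rstrip(".")
                break
    return domains

def classify(raw_message):
    """Apply the three-way rule: all agree / one differs / all differ."""
    domains = header_domains(raw_message)
    distinct = len(set(domains.values()))
    return VERDICTS.get(distinct, "flag"), domains

# Constructed sample messages (reserved example domains, not real mail).
CONSISTENT = (
    'From: "Dan" <dan@example.com>\n'
    "Reply-To: bob@example.com\n"
    "X-Sender: webadmin@EXAMPLE.com\n"
    "\nbody\n"
)
SPOOFED = (
    'From: "Bob" <bob@example.com>\n'
    'Reply-To: "Bob" <ceo.office@example.org>\n'
    "X-Sender: someone@example.net\n"
    "\nbody\n"
)
# Legitimate bulk mail often bounces to a separate domain (the "dual domains" caveat).
NEWSLETTER = (
    "From: news@example.com\n"
    "Return-Path: <bounce-123@mailer.example.net>\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("consistent", CONSISTENT), ("spoofed", SPOOFED), ("newsletter", NEWSLETTER)):
        print(label, *classify(raw))
```

The third sample is the false-positive case raised earlier in the thread: a legitimate sender whose Return-Path uses a separate bounce domain is marked down, so a verdict like this works better as one scoring input than as a sole reason to delete.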
TrustFire
βeta Tester
Location: 127.0.0.1
Posts: 13164
Joined: Fri Jul 30, 2010 11:04 pm

Sat Oct 22, 2016 4:46 am

Oh yes, sure . . . . . . . . . . why not — that sort of filter can be done . . . . . . . . . . go right ahead.
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Sat Oct 22, 2016 4:53 am

...but, how? When I look at creating the filter, I can pick a field to process, but I don't see what the syntax is like to compare against a different field?
DanAtCCD
Travelling Tuatara
Posts: 26
Joined: Wed Aug 24, 2016 4:39 am

Wed Feb 01, 2017 5:05 am

TrustFire, you suggest that it is possible to compare the results of a function to the results of another function. If it is, could you please elaborate?