Blocking SPAM with double from
Note: This article was published on LinkedIn in 2018.
This week I saw (and friends of mine reported it too) an increase in SPAM (in Spanish) arriving with a double email address in the “From” field. For example:
From: Monika Cucunda <mcucunda@company.com> <naseem.y@spammer.com>
or sometimes like this (with quotes on the first address):
From: "Monika Cucunda <mcucunda@company.com>" <naseem.y@spammer.com>
Looking on the Internet for reports of this kind of problem, the only reference that I found is:
When generating spam emails, spammers use two From fields in the email header. The first From field contained a legitimate address, usually one from a well-known organization (whose reputation is untarnished by spam scandals) while the second contained the actual spammer email address, which has nothing to do with the first one. Spammers were expecting the email to be treated as legitimate by filters, forgetting that modern anti-spam solutions rely not only on the technical part of the email, but also on its content.
Well, that looks nice “when” the modern system catches the spam, but when such an email bypasses the antispam filter and arrives in the user’s inbox, it causes a lot of problems, because users usually look at the first email address and think that the email is important because it comes from a colleague.
A very easy way to filter this kind of spam is to block emails whose “From:” field contains two “@”. I have created these SpamAssassin rules, using a regular expression, for all my clients:
header DOUBLE_FROM_SPAM From =~ /.+\@.+\@/i
score DOUBLE_FROM_SPAM 10
describe DOUBLE_FROM_SPAM Mails with double from
With this, we can be sure that a double “@” in the “From” field will be filtered regardless of whether the other checks fail.
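An added example (not part of the original article): the Python sketch below runs the article's pattern over constructed From values and, beside it, a narrower check that flags a mailbox only when an address in the display name differs from the address that closes the mailbox. The function names, the simplified address regex and the sample headers (apart from the two addresses quoted above) are assumptions made for illustration.

```python
import re
from email.header import decode_header, make_header

# Same pattern as the article's DOUBLE_FROM_SPAM rule.
PAGE_RULE = re.compile(r".+@.+@", re.I)
# Simplified address matcher (assumption; not a full RFC 5322 parser).
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Split a From value into mailboxes on commas outside double quotes.
MAILBOX_SEP = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def page_rule_hits(from_value):
    """True when the article's regex would fire on this From value."""
    return bool(PAGE_RULE.search(from_value))

def classify(from_value):
    """Return 'mismatch', 'same' or 'single' for one From header value."""
    # Decode RFC 2047 encoded words so an encoded decoy address is visible.
    text = str(make_header(decode_header(from_value)))
    verdict = "single"
    for mailbox in MAILBOX_SEP.split(text):
        addrs = [a.lower() for a in ADDR.findall(mailbox)]
        if len(addrs) < 2:
            continue
        # The last address in a mailbox is the one in the final <...>.
        if any(a != addrs[-1] for a in addrs[:-1]):
            return "mismatch"   # decoy address differs from the real sender
        verdict = "same"        # display name only repeats the address
    return verdict

# Constructed sample headers; company.com and spammer.com are the
# article's own example domains, the rest is made up.
SAMPLES = [
    'Monika Cucunda <mcucunda@company.com> <naseem.y@spammer.com>',
    '"Monika Cucunda <mcucunda@company.com>" <naseem.y@spammer.com>',
    '"mcucunda@company.com" <mcucunda@company.com>',
    'Alice <alice@company.com>, Bob <bob@partner.example>',
    'Monika Cucunda <mcucunda@company.com>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{page_rule_hits(s)!s:5} {classify(s):8} {s}")
```

The article's pattern also fires on a display name that merely repeats the sender's own address and on a From with two mailboxes; the narrower check reports `same` and `single` for those, which is worth weighing before giving the rule a score of 10.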
Regards