Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <ke...@mcgrail.com> on 2018/08/25 00:02:19 UTC

Re: From name containing a spoofed email address

On 1/18/2018 6:52 AM, Pedro David Marco wrote:
> David,
>
> This rule can do the full job... I have tested it with good results..
>  (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>
> It checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in From:email
>
> header   FROM_DOMAINS_MISMATCH  From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
> describe FROM_DOMAINS_MISMATCH  Domain name mismatch in From header
Did this ever get considered for a sandbox?

Alan Hodgson also had a good post on one but not tested.
Regards,
KAM

Re: From name containing a spoofed email address

Posted by "Kevin A. McGrail" <km...@apache.org>.
Makes sense to me.  Just trying to check off boxes on open items for 3.4.2
release.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Sat, Aug 25, 2018 at 9:08 AM, David Jones <dj...@ena.com> wrote:

> On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
>
>> On 1/18/2018 6:52 AM, Pedro David Marco wrote:
>>
>>> David,
>>>
>>> This rule can do the full job... I have tested it with good results..
>>>  (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>>>
>>> It checks if the level domain next to the TLD in the From:name matches
>>> the domain next to the TLD in From:email
>>>
>>> header   FROM_DOMAINS_MISMATCH  From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
>>> describe FROM_DOMAINS_MISMATCH  Domain name mismatch in From header
>>>
>> Did this ever get considered for a sandbox?
>>
>> Alan Hodgson also had a good post on one but not tested.
>> Regards,
>> KAM
>>
>
> I am not sure this is going to be worth it as a sandbox rule.  There are
> going to be a high number of system-generated and mass-marketing emails that
> aren't going to match the From: header.
>
> From my experience, this is a local rule that detects high-value display
> names in phishing attempts.  For example, the C-level executive's name as
> the Display Name when it comes from gmail.com to the Finance department
> to wire money.
>
> From: "CEO Name Here" <jo...@gmail.com>
>
> Also, DMARC is supposed to help with this spoofing of the From: header. I
> handle this locally with OpenDMARC adding headers used in an SA meta rule.
> This is the best way to handle this until SA natively supports DMARC.
>
> --
> David Jones
>

Re: From name containing a spoofed email address

Posted by David Jones <dj...@ena.com>.
On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
> On 1/18/2018 6:52 AM, Pedro David Marco wrote:
>> David,
>>
>> This rule can do the full job... I have tested it with good results..
>>  (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>>
>> It checks if the level domain next to the TLD in the From:name matches 
>> the domain next to the TLD in From:email
>>
>> header   FROM_DOMAINS_MISMATCH  From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
>> describe FROM_DOMAINS_MISMATCH  Domain name mismatch in From header
> Did this ever get considered for a sandbox?
> 
> Alan Hodgson also had a good post on one but not tested.
> Regards,
> KAM

I am not sure this is going to be worth it as a sandbox rule.  There are 
going to be a high number of system-generated and mass-marketing emails 
that aren't going to match the From: header.

From my experience, this is a local rule that detects high-value 
display names in phishing attempts.  For example, the C-level 
executive's name as the Display Name when it comes from gmail.com to the 
Finance department to wire money.

From: "CEO Name Here" <jo...@gmail.com>

Also, DMARC is supposed to help with this spoofing of the From: header. 
I handle this locally with OpenDMARC adding headers used in an SA meta 
rule.  This is the best way to handle this until SA natively supports DMARC.

-- 
David Jones
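The FROM_DOMAINS_MISMATCH check quoted in this thread, reimplemented in Python as an added example (not code from the thread or from SpamAssassin) over constructed From: header values. It only compares domains when the display name actually embeds an address, which is what keeps it from matching the ordinary system-generated and marketing mail David mentions; like the Perl rule, it is naive about multi-label suffixes such as co.uk.

```python
import re

# Constructed sample From: header values (not taken from the thread).
SAMPLES = {
    "plain_name": '"John Doe" <john@example.com>',
    "same_domain": '"ceo@mail.example.com" <ceo@example.com>',
    "spoofed": '"CEO Name ceo@example.com" <someone@gmail.com>',
    "bare_addr": "john@example.com",
}

# name-addr form: everything before the final <...> is the display name.
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$")
# An address-looking token anywhere inside the display name.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def label_next_to_tld(host: str) -> str:
    """The label immediately left of the TLD ('example' for mail.example.com).
    Assumes a single-label public suffix, as the quoted rule does."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def from_domains_mismatch(from_header: str) -> bool:
    """True when the display name embeds an address whose domain (label next
    to the TLD) differs from that of the real From: address. Headers with no
    address in the display name return False, so there is nothing to compare
    for mail whose display name is just a person or product name."""
    m = ANGLE_ADDR.match(from_header.strip())
    if not m:
        return False  # bare addr-spec: no display name at all
    embedded = EMAIL_IN_NAME.search(m.group("name"))
    if not embedded:
        return False  # display name carries no address
    real_host = m.group("addr").rsplit("@", 1)[1]
    return label_next_to_tld(embedded.group(1)) != label_next_to_tld(real_host)


if __name__ == "__main__":
    for tag, header in SAMPLES.items():
        print(f"{tag:12} mismatch={from_domains_mismatch(header)}  {header}")
```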