You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <ke...@mcgrail.com> on 2018/08/25 00:02:19 UTC
Re: From name containing a spoofed email address
On 1/18/2018 6:52 AM, Pedro David Marco wrote:
> David,
>
> This rule can do the full job... i have tested it with good results..
> (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>
> It checks if the level domain next to the TLD in the From:name matches
> the domain next to the TLD in From:email
>
> header FROM_DOMAINS_MISMATCHFrom
> !~/(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
> describe FROM_DOMAINS_MISMATCHDomain name mismatch in From header
Did this ever get considered for a sandbox.
Alan Hodgson also had a good posted on one but not tested.
Regards,
KAM
Re: From name containing a spoofed email address
Posted by "Kevin A. McGrail" <km...@apache.org>.
Makes sense to me. Just trying to check off boxes on open items for 3.4.2
release.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
On Sat, Aug 25, 2018 at 9:08 AM, David Jones <dj...@ena.com> wrote:
> On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
>
>> On 1/18/2018 6:52 AM, Pedro David Marco wrote:
>>
>>> David,
>>>
>>> This rule can do the full job... i have tested it with good results..
>>> (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>>>
>>> It checks if the level domain next to the TLD in the From:name matches
>>> the domain next to the TLD in From:email
>>>
>>> header FROM_DOMAINS_MISMATCHFrom !~/(?:[^<].+?)\@(?:.+?\.)*?(.+
>>> ?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
>>> describe FROM_DOMAINS_MISMATCHDomain name mismatch in From header
>>>
>> Did this ever get considered for a sandbox.
>>
>> Alan Hodgson also had a good posted on one but not tested.
>> Regards,
>> KAM
>>
>
> I am not sure this is going to be worth as sandbox rule. There are going
> to be a high number of system-generated and mass-marketing emails that
> aren't going to match the From: header.
>
> From my experience, this is a local rule that detects high-value display
> names in phishing attempts. For example, the C-level executive's name as
> the Display Name when it comes from gmail.com to the Finance department
> to wire money.
>
> From: "CEO Name Here" <jo...@gmail.com>
>
> Also, DMARC is supposed to help with this spoofing of the From: header. I
> handle this locally with OpenDMARC adding headers used in an SA meta rule.
> This is the best way to handle this until SA natively supports DMARC.
>
> --
> David Jones
>
Re: From name containing a spoofed email address
Posted by David Jones <dj...@ena.com>.
On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
> On 1/18/2018 6:52 AM, Pedro David Marco wrote:
>> David,
>>
>> This rule can do the full job... i have tested it with good results..
>> (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>>
>> It checks if the level domain next to the TLD in the From:name matches
>> the domain next to the TLD in From:email
>>
>> header FROM_DOMAINS_MISMATCHFrom
>> !~/(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
>> describe FROM_DOMAINS_MISMATCHDomain name mismatch in From header
> Did this ever get considered for a sandbox.
>
> Alan Hodgson also had a good posted on one but not tested.
> Regards,
> KAM
I am not sure this is going to be worth as sandbox rule. There are
going to be a high number of system-generated and mass-marketing emails
that aren't going to match the From: header.
From my experience, this is a local rule that detects high-value
display names in phishing attempts. For example, the C-level
executive's name as the Display Name when it comes from gmail.com to the
Finance department to wire money.
From: "CEO Name Here" <jo...@gmail.com>
Also, DMARC is supposed to help with this spoofing of the From: header.
I handle this locally with OpenDMARC adding headers used in an SA meta
rule. This is the best way to handle this until SA natively supports DMARC.
--
David Jones