Posted to users@spamassassin.apache.org by David Jones <dj...@ena.com> on 2017/10/02 17:43:50 UTC
Re: FROM header with two email addresses
On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>
>> I recently stumbled onto a mail with a Spam link where the FROM header
>> field looked like this:
>>
>> From: "Firstname Lastname@" <recipient-domain.com
>> sendername@real-senders-domain.com>
>
> Jakob, just wanted to let you know I identified this issue as well and
> just opened a ticket about it yesterday to try and figure out a rule
> against it. Can you send me spamples via pastebin, please?
>
>
> Regards,
> KAM
>
I am seeing this more and more on my SA filters and being reported by my
customers:
https://pastebin.com/f07Gq1kZ
https://pastebin.com/FMsJNGba
This is catching this pretty well so far:
header FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an email address in the display name
score FROM_SPOOF_EMAIL_DISPLAY 4.2
P.S. I am sure that someone will suggest an improvement to the above
rule and they are welcome. I know it won't catch all email addresses
based on that regex so it probably should be adjusted to handle new TLDs
with more than 3 characters.
P.P.S. Standard disclaimer to adjust the score down until you have done
some testing in your environment then score it how you see fit.
--
David Jones
Re: FROM header with two email addresses
Posted by Benny Pedersen <me...@junc.eu>.
David Jones wrote on 2017-10-02 19:43:
> https://pastebin.com/f07Gq1kZ
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header FROM_SPOOF_EMAIL_DISPLAY From =~
> /\@[a-z_]+?\.[a-z]{2,3} \</i
> describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an
> email address in the display name
> score FROM_SPOOF_EMAIL_DISPLAY 4.2
From: someone@example.com <ma...@soldive.fr>
also imho From:name must be with quoted content like
From: "someone@example.com" <ma...@soldive.fr>
to be RFC valid. Was the extra space in From: added by you? I have
only seen spam bots do this.
You miss hits on TLDs with the above test, which only supports 3-char
TLDs, no?
Re: FROM header with two email addresses
Posted by Jakob Curdes <jc...@info-systems.de>.
> On Thu, 5 Oct 2017 07:38:23 -0400
> Kevin A. McGrail wrote:
>
>> On 10/5/2017 7:19 AM, Jakob Curdes wrote:
>>> Not a lot, but the trick is that Outlook displays both parts, and
>>> users think that it is an internal mail because the "Firstname
>>> Lastname" is real in the company and the "recipient-domain.com" is
>>> the real recipient domain.
>>> So it is a trick to circumvent SPF denials which prevent a spammer
>>> from sending "internal" mails from external addresses.
>>> So I think it is not a mistake, I suppose this is carefully crafted
>>> to achieve exactly this result.
>> I can also confirm user behavior consistent with your description of
>> this issue as well where it tricked them into thinking it was an
>> internal message. We had 1 case as well that this thread
>> coincidentally hit.
>>
>> So while the spam engine rule is nice, a rule to work on 2 email
>> address in the from header that is generic is likely still an
>> indicator of spam that is a "good idea"(tm).
> It's not two addresses it's a single address with a space in it. It's
> actually a legal header, but in the real world it's as rare as hen's
> teeth:
>
> From:addr =~ /\s/
>
> is probably worth scoring in its own right, but it could be combined
> with a test for the @ in the display name.
Well my
meta FROM_SPOOF_SENDER1 __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
does exactly this. I did not want to assign a single score as we do not
know who else (legit mass mailers..) might construct strange display
names or strangely formatted address fields.
JC
Re: FROM header with two email addresses
Posted by RW <rw...@googlemail.com>.
On Thu, 5 Oct 2017 07:38:23 -0400
Kevin A. McGrail wrote:
> On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> > Not a lot, but the trick is that Outlook displays both parts, and
> > users think that it is an internal mail because the "Firstname
> > Lastname" is real in the company and the "recipient-domain.com" is
> > the real recipient domain.
> > So it is a trick to circumvent SPF denials which prevent a spammer
> > from sending "internal" mails from external addresses.
> > So I think it is not a mistake, I suppose this is carefully crafted
> > to achieve exactly this result.
>
> I can also confirm user behavior consistent with your description of
> this issue as well where it tricked them into thinking it was an
> internal message. We had 1 case as well that this thread
> coincidentally hit.
>
> So while the spam engine rule is nice, a rule to work on 2 email
> address in the from header that is generic is likely still an
> indicator of spam that is a "good idea"(tm).
It's not two addresses it's a single address with a space in it. It's
actually a legal header, but in the real world it's as rare as hen's
teeth:
From:addr =~ /\s/
is probably worth scoring in its own right, but it could be combined
with a test for the @ in the display name.
Re: FROM header with two email addresses
Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> Not a lot, but the trick is that Outlook displays both parts, and
> users think that it is an internal mail because the "Firstname
> Lastname" is real in the company and the "recipient-domain.com" is the
> real recipient domain.
> So it is a trick to circumvent SPF denials which prevent a spammer
> from sending "internal" mails from external addresses.
> So I think it is not a mistake, I suppose this is carefully crafted to
> achieve exactly this result.
I can also confirm user behavior consistent with your description of
this issue as well where it tricked them into thinking it was an
internal message. We had 1 case as well that this thread coincidentally
hit.
So while the spam engine rule is nice, a rule to work on 2 email address
in the from header that is generic is likely still an indicator of spam
that is a "good idea"(tm).
Regards,
KAM
Re: FROM header with two email addresses
Posted by Jakob Curdes <jc...@info-systems.de>.
>> Hello all, I was the original poster of this topic but was away for a
>> couple of days.
>> I find it amazing to see the number of suggestions and ideas that
>> have come up here.
>>
>> However none of the constructions matched "my" From: lines of the form
>>
>> From: "Firstname Lastname@" <recipient-domain.com
>> sendername@real-senders-domain.com
>> <ma...@real-senders-domain.com>>
>>
> Are you getting a lot of these? It looks more like a mistake than a
> tactic.
Not a lot, but the trick is that Outlook displays both parts, and users
think that it is an internal mail because the "Firstname Lastname" is
real in the company and the "recipient-domain.com" is the real recipient
domain.
So it is a trick to circumvent SPF denials which prevent a spammer from
sending "internal" mails from external addresses.
So I think it is not a mistake, I suppose this is carefully crafted to
achieve exactly this result.
JC
Re: FROM header with two email addresses
Posted by RW <rw...@googlemail.com>.
On Thu, 5 Oct 2017 12:41:26 +0200
Jakob Curdes wrote:
> Hello all, I was the original poster of this topic but was away for a
> couple of days.
> I find it amazing to see the number of suggestions and ideas that
> have come up here.
>
> However none of the constructions matched "my" From: lines of the form
>
> From: "Firstname Lastname@" <recipient-domain.com
> sendername@real-senders-domain.com
> <ma...@real-senders-domain.com>>
>
Are you getting a lot of these? It looks more like a mistake than a
tactic.
Re: FROM header with two email addresses
Posted by Karsten Bräckelmann <kb...@pccc.com>.
On Tue, 2017-10-24 at 13:22 +0200, Merijn van den Kroonenberg wrote:
> > Hello all, I was the original poster of this topic but was away for a
> > couple of days.
> > I find it amazing to see the number of suggestions and ideas that have
> > come up here.
> >
> > However none of the constructions matched "my" From: lines of the form
> >
> > From: "Firstname Lastname@" <recipient-domain.com
> > sendername@real-senders-domain.com
> > <ma...@real-senders-domain.com>>
> My comments in this mail are only about the
> "user1@companya.com" <us...@companyb.com>
> situation, not about actual double from addresses.
Indeed, in this thread multiple different forms of "email address alike
in From: sender real name" have surfaced. This type is occasionally
used to try to look legit by using real, valid addresses of the
recipient's domain (a colleague) instead of a real name, which is harder
to get correct and easier for humans to spot irregularities in.
The OP's form looks like a broken From header and an intermediate SMTP
choking on and rewriting it.
--
Karsten Bräckelmann -- open source. hacker. assassin.
Re: FROM header with two email addresses
Posted by Merijn van den Kroonenberg <me...@web2all.nl>.
> Hello all, I was the original poster of this topic but was away for a
> couple of days.
> I find it amazing to see the number of suggestions and ideas that have
> come up here.
>
> However none of the constructions matched "my" From: lines of the form
>
> From: "Firstname Lastname@" <recipient-domain.com
> sendername@real-senders-domain.com
> <ma...@real-senders-domain.com>>
>
> I therefore now constructed the following rules:
>
> describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
> header __FROM_NAME_CONTAINS_AT From:name =~ /\@/
> describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
> header __FROM_MULTIPLE_ADDR   From:addr =~ /\s/
>
My comments in this mail are only about the
"user1@companya.com" <us...@companyb.com>
situation, not about actual double from addresses.
> describe __FROM_NAME_ADDRESS_EQUAL constructions like "user1@companya.com" <us...@companyb.com>
> header __FROM_NAME_ADDRESS_EQUAL From =~ /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
> header __FROM_NAME_CONTAINS_ADDRESS From =~ /["']?(\w+@\w+\.\w+)["']?\s*\</i
The above rules do not catch:
"user1@sub.companya.com" <us...@companyb.com>
"user1@company-a.com" <us...@companyb.com>
And give false positive on:
"first.last@companya.com" <fi...@companya.com>
(or other non word chars in the user part)
So you could allow more characters in the user part of the e-mail address
and dots and dashes in the domain part. Also anchor the beginning to
prevent partial matches (which caused the false positives on
first.last@companya.com instead of just not hitting at all).
header __FROM_NAME_ADDRESS_EQUAL From =~ /^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\<\1\>/i
header __FROM_NAME_CONTAINS_ADDRESS From =~ /^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\</i
>
> meta FROM_SPOOF_SENDER1 __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
> meta FROM_SPOOF_SENDER2 __FROM_NAME_CONTAINS_ADDRESS && !__FROM_NAME_ADDRESS_EQUAL
It looks like the FROM_SPOOF_SENDER2 rule has the same intention as a rule
currently in testing: T_PDS_FROM_2_EMAILS,
which is in John Hardin's sandbox with the note: Paul Stead on SA list 11/2014
header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD
> meta FROM_ADDRESS_TWICE __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL
>
> (the last META could even get a slightly negative score, I occasionally
> see people entering their email address in the name field).
>
> and am now waiting to see some hits. I consider the risk of false
> positives low in this case, if these METAs are matched somebody is
> trying to trick you.
>
> Regards JC
>
>
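The regex change Merijn describes above, checked as an added Python example (this is not code from the thread or from any SpamAssassin rule file): it runs JC's original __FROM_NAME_ADDRESS_EQUAL and __FROM_NAME_CONTAINS_ADDRESS patterns and Merijn's anchored, widened replacements over constructed From: values, covering the two cases the original misses (a subdomain, a dash in the domain) and the first.last@ false positive, and then evaluates FROM_SPOOF_SENDER2 and FROM_ADDRESS_TWICE exactly as the thread defines them. The sample addresses are ones I made up (the archive masks the real ones); Python's re stands in for SpamAssassin's Perl regex engine, which is an assumption of the example but holds for these patterns, and the `\<` in the SA rules is written as a plain `<` here.

```python
import re

# Constructed sample From: header values (my own placeholders, modelled on
# the forms discussed in the thread; none of these are real addresses).
SAMPLES = {
    "sub_domain":  '"user1@sub.companya.com" <user1@companyb.com>',   # missed by original
    "dash_domain": '"user1@company-a.com" <user1@companyb.com>',      # missed by original
    "dotted_user": '"first.last@companya.com" <first.last@companya.com>',  # original FP
    "plain":       '"user1@companya.com" <user1@companyb.com>',       # both versions hit
    "normal":      '"First Last" <first.last@companya.com>',          # ordinary header
}

# JC's original patterns, transcribed to Python re (same syntax for these).
ORIG_EQUAL = re.compile(r'''["']?(\w+@\w+\.\w+)["']?\s*<\1>''', re.I)
ORIG_CONTAINS = re.compile(r'''["']?(\w+@\w+\.\w+)["']?\s*<''', re.I)

# Merijn's revision: anchored at the start of the header value, more
# characters allowed in the user part, dots and dashes allowed in the domain.
NEW_EQUAL = re.compile(r'''^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*<\1>''', re.I)
NEW_CONTAINS = re.compile(r'''^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*<''', re.I)


def evaluate(from_value, equal_re, contains_re):
    """Evaluate the two metas from the thread for one From: value.

    FROM_SPOOF_SENDER2 = __FROM_NAME_CONTAINS_ADDRESS && !__FROM_NAME_ADDRESS_EQUAL
    FROM_ADDRESS_TWICE = __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL
    """
    contains = contains_re.search(from_value) is not None
    equal = equal_re.search(from_value) is not None
    return {
        "FROM_SPOOF_SENDER2": contains and not equal,  # address-like name != real address
        "FROM_ADDRESS_TWICE": contains and equal,      # same address in both parts
    }


def compare(samples=SAMPLES):
    """Run every sample under the original and the revised rule pair."""
    return {
        label: {
            "original": evaluate(value, ORIG_EQUAL, ORIG_CONTAINS),
            "revised": evaluate(value, NEW_EQUAL, NEW_CONTAINS),
        }
        for label, value in samples.items()
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:12s} original={result['original']}  revised={result['revised']}")
```

The dotted_user sample shows why the anchor matters: without `^`, the unanchored __FROM_NAME_CONTAINS_ADDRESS pattern matches the substring `last@companya.com" <`, while the backreference in __FROM_NAME_ADDRESS_EQUAL cannot match the same substring against `first.last@...`, so the meta fires on a header where the two addresses are in fact identical.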
Re: FROM header with two email addresses
Posted by Jakob Curdes <jc...@info-systems.de>.
Hello all, I was the original poster of this topic but was away for a
couple of days.
I find it amazing to see the number of suggestions and ideas that have
come up here.
However none of the constructions matched "my" From: lines of the form
From: "Firstname Lastname@" <recipient-domain.com
sendername@real-senders-domain.com
<ma...@real-senders-domain.com>>
I therefore now constructed the following rules:
describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
describe __FROM_NAME_ADDRESS_EQUAL constructions like "user1@companya.com" <us...@companyb.com>
header __FROM_NAME_ADDRESS_EQUAL From =~ /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header __FROM_NAME_CONTAINS_ADDRESS From =~ /["']?(\w+@\w+\.\w+)["']?\s*\</i
meta FROM_SPOOF_SENDER1 __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2 __FROM_NAME_CONTAINS_ADDRESS && !__FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL
(the last META could even get a slightly negative score, I occasionally
see people entering their email address in the name field).
and am now waiting to see some hits. I consider the risk of false
positives low in this case, if these METAs are matched somebody is
trying to trick you.
Regards JC
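To see how JC's From:name / From:addr rules and John Hardin's quotes test behave on the header forms discussed in this thread, here is an added Python example (not SpamAssassin code and not from any poster). It uses a deliberately simple From: splitter as a stand-in for SpamAssassin's own From:name and From:addr extraction (an assumption of the example; SA's parser may differ in detail, for instance in how it treats quotes), then applies the sub-rules and the FROM_SPOOF_SENDER1 and __FROM_SPOOF metas to constructed sample headers.

```python
import re

# Constructed sample From: values (my own placeholders modelled on the forms
# in the thread; none are real addresses).
SAMPLES = {
    # The original poster's form: display name ends in "@", and the angle
    # brackets hold a domain, a space, and then the real sender address.
    "op_form": '"Firstname Lastname@" <recipient-domain.com sendername@real-senders-domain.com>',
    # Unquoted address used as the display name, pointing at another mailbox.
    "unquoted_name_addr": 'alice@companya.com <sender@companyb.com>',
    # Looks legitimate: someone typed their own address into the name field.
    "quoted_name_addr": '"alice@companya.com" <alice@companya.com>',
    # Ordinary header.
    "normal": '"Alice Example" <alice@companya.com>',
}


def split_from(raw):
    """Split a raw From: value into (display name, address part).

    Simplified stand-in for SpamAssassin's From:name / From:addr extraction
    (an assumption of this example, not SA's code): the name is everything
    before the first '<' with one pair of surrounding double quotes removed;
    the address part is everything between the first '<' and the last '>'.
    """
    raw = raw.strip()
    lt = raw.find("<")
    gt = raw.rfind(">")
    if lt == -1 or gt < lt:
        return "", raw  # bare address, no display name
    name = raw[:lt].strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    return name, raw[lt + 1:gt].strip()


def evaluate(raw):
    """Apply the thread's sub-rules and metas to one From: value."""
    name, addr = split_from(raw)
    sub = {
        # JC: header __FROM_NAME_CONTAINS_AT From:name =~ /\@/
        "__FROM_NAME_CONTAINS_AT": re.search(r"\@", name) is not None,
        # JC / John Hardin: header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
        "__FROM_MULTIPLE_ADDR": re.search(r"\s", addr) is not None,
        # John Hardin: header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
        "__FROM_MAYBE_SPOOF": re.search(r"\w@\w", name) is not None,
        # John Hardin: header __FROM_QUOTES From =~ /"/  (raw header, not the name part)
        "__FROM_QUOTES": '"' in raw,
    }
    meta = {
        # meta FROM_SPOOF_SENDER1 __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
        "FROM_SPOOF_SENDER1": sub["__FROM_NAME_CONTAINS_AT"] and sub["__FROM_MULTIPLE_ADDR"],
        # meta __FROM_SPOOF __FROM_MAYBE_SPOOF && !__FROM_QUOTES
        "__FROM_SPOOF": sub["__FROM_MAYBE_SPOOF"] and not sub["__FROM_QUOTES"],
    }
    return {"name": name, "addr": addr, "sub": sub, "meta": meta}


def evaluate_all(samples=SAMPLES):
    return {label: evaluate(value) for label, value in samples.items()}


if __name__ == "__main__":
    for label, result in evaluate_all().items():
        hits = [k for k, v in result["meta"].items() if v]
        print(f"{label:20s} name={result['name']!r} addr={result['addr']!r} hits={hits}")
```

Under this splitter the two metas complement each other: the original poster's form is caught only by FROM_SPOOF_SENDER1 (the whitespace inside the angle brackets), because the display name ends in "@" and `\w@\w` needs a word character after the "@"; the unquoted-address display name is caught only by __FROM_SPOOF, and the quoted self-address that Benny and JC describe as legitimate hits neither.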
Re: FROM header with two email addresses
Posted by Michael Storz <Mi...@lrz.de>.
On 2017-10-02 19:43, David Jones wrote:
> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>
>>> I recently stumbled onto a mail with a Spam link where the FROM
>>> header field looked like this:
>>>
>>> From: "Firstname Lastname@" <recipient-domain.com
>>> sendername@real-senders-domain.com>
>>
>> Jakob, just wanted to let you know I identified this issue as well and
>> just opened a ticket about it yesterday to try and figure out a rule
>> against it. Can you send me spamples via pastebin, please?
>>
>>
>> Regards,
>> KAM
>>
>
> I am seeing this more and more on my SA filters and being reported by
> my customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>
These are typical examples of the emails sent by a botnet since at
least May this year. You can catch these mostly with a simple rule:
header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)
Regards,
Michael
Re: FROM header with two email addresses
Posted by Benny Pedersen <me...@junc.eu>.
David Jones wrote on 2017-10-02 20:54:
> I have gone back to my original rule that catches senders that put an
> email address in the Display Name and do not have quotes.
also matches what I see: non-spam has " around From:name while spam
does not
testing if there is an @ in From:name is a 2nd test to possibly use in a meta
Re: FROM header with two email addresses
Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2017-10-02 at 23:18 +0200, Benny Pedersen wrote:
> John Hardin wrote on 2017-10-02 23:13:
>
> > Where? \w is not case-sensitive.
>
> perfect then, I had not known that, still learning
>
Do you have a copy of the 'Camel Book'? AKA "Programming Perl" by Larry
Wall, Tom Christiansen & Jon Orwant, pub O'Reilly.
If you don't have it, you need a copy. It's never failed to explain
anything I've needed to know about Perl and its chapter on regexes will
help you to solve all regex-based SA rule problems.
Or there's an online reference: http://www.regular-expressions.info/
Also worth knowing:
- if you're running Linux, you can use the grep command to test
regexes. Use the -P or --perl-regexp option to make grep use Perl
regexes, so it is possible to quickly test regexes you want to use
in SA rules by running the spam, saved as a file, through the
grep -P 'regex' <spam
command as a really fast check on whether the regex is any good
before you add a rule using it to a .cf file. I use this quite a
lot.
- if you don't like bash command lines or use some other OS, you can
do the same with the online regex tester at https://regex101.com/
by typing in your regex and then pasting the relevant part of the
spam message you're testing against into its 'Test String' box.
Martin
Re: FROM header with two email addresses
Posted by Benny Pedersen <me...@junc.eu>.
John Hardin wrote on 2017-10-02 23:13:
> Where? \w is not case-sensitive.
perfect then, I had not known that, still learning
Re: FROM header with two email addresses
Posted by John Hardin <jh...@impsec.org>.
On Mon, 2 Oct 2017, Benny Pedersen wrote:
> John Hardin wrote on 2017-10-02 21:07:
>
>> How about:
>>
>> header __FROM_QUOTES From =~ /"/
>> header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
>> meta __FROM_SPOOF __FROM_MAYBE_SPOOF && !__FROM_QUOTES
>>
>> (warning: totally untested)
>
> +1
>
> I can only see one problem with it, that is that email addresses are
> caSeinsensitive, and you test casEsensitive
Where? \w is not case-sensitive.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Homeland Security: Specializing in Tactical Band-aids
for Strategic Problems. -- Eric K. in Bruce Schneier's blog
-----------------------------------------------------------------------
186 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: FROM header with two email addresses
Posted by Benny Pedersen <me...@junc.eu>.
John Hardin wrote on 2017-10-02 21:07:
> How about:
>
> header __FROM_QUOTES From =~ /"/
> header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
> meta __FROM_SPOOF __FROM_MAYBE_SPOOF && !__FROM_QUOTES
>
> (warning: totally untested)
+1
I can only see one problem with it, that is that email addresses are
caSeinsensitive, and you test casEsensitive
it is basically a rule I would like to keep
Re: FROM header with two email addresses
Posted by John Hardin <jh...@impsec.org>.
On Mon, 2 Oct 2017, David Jones wrote:
> On 10/02/2017 01:11 PM, John Hardin wrote:
>> On Mon, 2 Oct 2017, David Jones wrote:
>>
>> > On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>> > >
>> > > > I recently stumbled onto a mail with a Spam link where the FROM
>> > > header > field looked like this:
>> > > > > From: "Firstname Lastname@" <recipient-domain.com >
>> > > sendername@real-senders-domain.com>
>> > >
>> > > Jakob, just wanted to let you know I identified this issue as well
>> > > and
>> > > just opened a ticket about it yesterday to try and figure out a rule
>> > > against it. Can you send me spamples via pastebin, please?
>> > >
>> > >
>> > > Regards,
>> > > KAM
>> > >
>> >
>> > I am seeing this more and more on my SA filters and being reported by my
>> > customers:
>> >
>> > https://pastebin.com/f07Gq1kZ
>> >
>> > https://pastebin.com/FMsJNGba
>> >
>> > This is catching this pretty well so far:
>> >
>> > header FROM_SPOOF_EMAIL_DISPLAY From =~
>> > /\@[a-z_]+?\.[a-z]{2,3} \</i
>> > describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an
>> > email address in the display name
>>
>> You probably want to let SA do the header parsing and write your rule
>> against From:name or From:addr instead.
>>
>
> Thank you for the suggestions. I didn't know about the From:name and
> From:addr parsing by SA. As it turns out, the double quotes missing are very
> important. When I use the From:name which properly has the quotes, I am
> hitting many false positives. It appears that legit sending people or mail
> clients are putting email addresses in their "Display Name". It's the ones
> without quotes that are spam a high percentage of the time in my mail flow.
Not surprising.
> I have gone back to my original rule that catches senders that put an email
> address in the Display Name and do not have quotes.
How about:
header __FROM_QUOTES From =~ /"/
header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
meta __FROM_SPOOF __FROM_MAYBE_SPOOF && !__FROM_QUOTES
(warning: totally untested)
>> If you're testing your rules in a sandbox using debug mode, this may help:
>>
>> header __FROM_NAME From:name =~ /.*/
>> header __FROM_ADDR From:addr =~ /.*/
>>
>> That way you can see what's actually being parsed from the header.
>>
>>
>> Potentially this might be as simple as:
>>
>> header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
>>
>> or
>>
>> header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
>>
>> No idea how FP-prone those might be, though, so it's probably prudent to
>> meta them with other stuff as well...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The world has enough Mouse Clicking System Engineers.
-- Dave Pooser
-----------------------------------------------------------------------
186 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: FROM header with two email addresses
Posted by David Jones <dj...@ena.com>.
On 10/02/2017 01:11 PM, John Hardin wrote:
> On Mon, 2 Oct 2017, David Jones wrote:
>
>> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>>
>>> > I recently stumbled onto a mail with a Spam link where the FROM
>>> header > field looked like this:
>>> > > From: "Firstname Lastname@" <recipient-domain.com >
>>> sendername@real-senders-domain.com>
>>>
>>> Jakob, just wanted to let you know I identified this issue as well and
>>> just opened a ticket about it yesterday to try and figure out a rule
>>> against it. Can you send me spamples via pastebin, please?
>>>
>>>
>>> Regards,
>>> KAM
>>>
>>
>> I am seeing this more and more on my SA filters and being reported by
>> my customers:
>>
>> https://pastebin.com/f07Gq1kZ
>>
>> https://pastebin.com/FMsJNGba
>>
>> This is catching this pretty well so far:
>>
>> header FROM_SPOOF_EMAIL_DISPLAY From =~
>> /\@[a-z_]+?\.[a-z]{2,3} \</i
>> describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an
>> email address in the display name
>
> You probably want to let SA do the header parsing and write your rule
> against From:name or From:addr instead.
>
Thank you for the suggestions. I didn't know about the From:name and
From:addr parsing by SA. As it turns out, the double quotes missing are
very important. When I use the From:name which properly has the quotes,
I am hitting many false positives. It appears that legit sending people
or mail clients are putting email addresses in their "Display Name".
It's the ones without quotes that are spam a high percentage of the time
in my mail flow.
I have gone back to my original rule that catches senders that put an
email address in the Display Name and do not have quotes.
> If you're testing your rules in a sandbox using debug mode, this may help:
>
> header __FROM_NAME From:name =~ /.*/
> header __FROM_ADDR From:addr =~ /.*/
>
> That way you can see what's actually being parsed from the header.
>
>
> Potentially this might be as simple as:
>
> header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
>
> or
>
> header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
>
> No idea how FP-prone those might be, though, so it's probably prudent to
> meta them with other stuff as well...
>
>
--
David Jones
Re: FROM header with two email addresses
Posted by John Hardin <jh...@impsec.org>.
On Mon, 2 Oct 2017, David Jones wrote:
> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>>
>> > I recently stumbled onto a mail with a Spam link where the FROM header
>> > field looked like this:
>> >
>> > From: "Firstname Lastname@" <recipient-domain.com
>> > sendername@real-senders-domain.com>
>>
>> Jakob, just wanted to let you know I identified this issue as well and
>> just opened a ticket about it yesterday to try and figure out a rule
>> against it. Can you send me spamples via pastebin, please?
>>
>>
>> Regards,
>> KAM
>>
>
> I am seeing this more and more on my SA filters and being reported by my
> customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3}
> \</i
> describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an email
> address in the display name
You probably want to let SA do the header parsing and write your rule
against From:name or From:addr instead.
If you're testing your rules in a sandbox using debug mode, this may help:
header __FROM_NAME From:name =~ /.*/
header __FROM_ADDR From:addr =~ /.*/
That way you can see what's actually being parsed from the header.
Potentially this might be as simple as:
header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
or
header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
No idea how FP-prone those might be, though, so it's probably prudent to
meta them with other stuff as well...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you ask amateurs to act as front-line security personnel,
you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
-----------------------------------------------------------------------
186 days since the first commercial re-flight of an orbital booster (SpaceX)