I know we've been round and round on this, but it continues to be a
problem, and it's only getting worse.   Spear phishing via CEO name
spoofing is all too common and ASSP doesn't yet do all that much to
protect.

Today our staff got hit with another spear phishing email from a gmail
account that was created with our director's name on it.  The staff is
trained very well and they didn't fall for it, but it was really cleverly
crafted and obviously had some inside information that if followed would
have been terrible for the organization.  There's no way that ASSP could
have detected this.  It wasn't HMM/Bayesian spammy, it came from a good IP
(gmail).  DKIM signed, SPF pass, etc.  To a computer, nothing about it was
bad.  However, if ASSP were able to say "hey, this email has the director's
name in the FROM, but it isn't from director.n...@ourcharity.org.  I'd
better *warn* the user" we would have been safer.

My original idea was to insert an HTML warning into the body of the message
like Google and other providers do.  That's apparently a 100+ hour
project.  I tried to get funding, but got laughed at...

What if instead, there were some kind of manually maintained rule based
matching on the FROM line that *could modify only the subject*, instead of
being overly complicated and inserting a warning in the body?  Kind of like
the spam prepend that low threshold mails get?

Your sample rules in this thread are good, but they score the message.
That's not what I'm suggesting.  I do NOT want to block or even score these
messages - there are plenty of times that the director sends legitimate
messages from personal gmail/hotmail/whatever and they of course have her
name.  BUT, to either have an HTML warning in the body or even just
[EXTERNAL MESSAGE] or something prepended to the subject when ASSP detects
this would be an outstanding feature.

We really only need to check the FROM line.  Sender, Reply-To, etc. don't
matter.  ASSP will keep doing its job blocking spoofed headers, but the
NAME of the sender is what we're considering.

How about something like:
to:first:last:notfrom:WarnMsg

*@ourcharity:Sally:Smith:sally.sm...@ourcharity.org:Caution: External Email

matches mail sent to *@OurCharity.org, with a from line where the name (not
the email address, but the name itself) is a combination of FirstName &
LastName.* that ASSP tests against (.*FirstName.*LastName.*,
.*Lastname.*FirstName>8, where the from email isn't
sally.sm...@ourcharity.org

Even better:
*@ourcharity:Paul:Jones:paul.jo...@ourcharity.org|pjones12...@gmail.com:Caution: External Email Not From Paul

Which would catch the same thing, but not warn if the message is from
either Paul's known gmail account or his @OurCharity.org account.

Does this simplification of the rules and only warning in the subject
instead of modifying the body make this easy enough for you to implement? I
understand that this isn't simple, but based on discussions that I've had
with counterparts elsewhere, they're all seeing the same problem.

Would a body warning be great?  Of course, but since that's too much work,
I'm hopeful that subject modification based on these rules could be a
possibility.

Thanks
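Added example, not part of the original post or of ASSP: a Python sketch of the to:first:last:notfrom:WarnMsg rule format proposed above, borrowing the display-name matching from the bombHeaderRe pattern in Thomas Eckardt's quoted reply further down (optional title, "First Last" and "Last, First" orders) but only prepending the warning to the subject instead of scoring. The rule lines, header samples, the example.org domain and all function names are constructed for the example.

```python
"""Added example: subject tagging for display-name spoofing, in the
to:first:last:notfrom:WarnMsg rule format proposed in the thread.
Not ASSP code; all names, addresses and example.org are constructed."""
import re
from dataclasses import dataclass
from email.header import decode_header, make_header
from email.utils import getaddresses, parseaddr
from fnmatch import fnmatch

# Optional courtesy title before the name, as in the quoted bombHeaderRe
# pattern; \s+ (not " *") so "Dr" cannot be taken from a name like "Drew".
_TITLE = r"(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.?\s+)?"


@dataclass
class SpoofRule:
    to_glob: str          # recipient glob the rule applies to, e.g. "*@example.org"
    first: str
    last: str
    allowed: frozenset    # lower-cased addresses the real person sends from
    warn: str             # text prepended to Subject: (never a score)
    pattern: re.Pattern   # compiled display-name matcher


def name_pattern(first: str, last: str) -> re.Pattern:
    """'First Last', 'First M. Last', 'Last, First' or 'Last First', optional
    title, case-insensitive, whole words only ('Smithson' is not 'Smith')."""
    f, l = re.escape(first), re.escape(last)
    return re.compile(rf"^\s*{_TITLE}(?:\b{f}\b.*\b{l}\b|\b{l}\b[,\s]+{f}\b)",
                      re.IGNORECASE)


def parse_rules(text: str) -> list:
    """Parse rule lines; '#' lines and blanks are skipped. The warning text may
    itself contain ':' ("Caution: External Email"), so split at most 4 times."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 4)]
        if len(parts) != 5:
            raise ValueError(f"rule needs 5 fields: {line!r}")
        to_glob, first, last, notfrom, warn = parts
        allowed = frozenset(a.strip().lower() for a in notfrom.split("|") if a.strip())
        rules.append(SpoofRule(to_glob.lower(), first, last, allowed, warn,
                               name_pattern(first, last)))
    return rules


def display_name(from_header: str) -> tuple:
    """(decoded display name, lower-cased address). RFC 2047 encoded-words
    such as =?UTF-8?B?...?= are decoded so an encoded name is still matched."""
    name, addr = parseaddr(from_header)
    return str(make_header(decode_header(name))), addr.lower()


def find_warning(headers: dict, rules: list):
    """Warning text of the first rule that fires, else None. Only From: is
    examined; Sender/Reply-To stay with ASSP's existing header checks."""
    name, addr = display_name(headers.get("From", ""))
    rcpts = [a.lower() for _, a in getaddresses([headers.get("To", "")])]
    for rule in rules:
        if not any(fnmatch(r, rule.to_glob) for r in rcpts):
            continue                    # rule scoped to another local domain
        if addr in rule.allowed:
            continue                    # one of the person's known addresses
        if rule.pattern.search(name):
            return rule.warn
    return None


def tag_subject(headers: dict, rules: list) -> str:
    """Prepend '[warning] ' to Subject: when a rule fires; never block or score."""
    warn = find_warning(headers, rules)
    subject = headers.get("Subject", "")
    return f"[{warn}] {subject}" if warn else subject


# Constructed rules in the proposed format (example.org is a placeholder domain).
RULES = parse_rules("""
# to:first:last:notfrom:WarnMsg
*@example.org:Sally:Smith:sally.smith@example.org:Caution: External Email
*@example.org:Paul:Jones:paul.jones@example.org|pjones12@gmail.com:Caution: External Email Not From Paul
""")

# Constructed header sets modelled on the cases described in the thread.
SAMPLES = [
    {"From": "Sally Smith <sally.smith@example.org>", "To": "staff@example.org", "Subject": "Board minutes"},
    {"From": "Sally Smith <president123@gmail.com>", "To": "staff@example.org", "Subject": "Are you in the office?"},
    {"From": '"Smith, Sally" <sally.smith.example@gmail.com>', "To": "bob@example.org", "Subject": "A favor"},
    {"From": "=?UTF-8?B?U2FsbHkgU21pdGg=?= <s123@gmail.com>", "To": "bob@example.org", "Subject": "Quick reply?"},
    {"From": "Paul Jones <pjones12@gmail.com>", "To": "bob@example.org", "Subject": "From home"},
    {"From": "Paul Jones <pjones12@gmail.com>", "To": "x@other.example", "Subject": "Not our domain"},
    {"From": "Sally Smithson <ss@gmail.com>", "To": "bob@example.org", "Subject": "Different person"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h['From']:50} -> {tag_subject(h, RULES)}")
```

Two details matter in practice: the warning text may contain a colon, so the rule line is split at most four times; and the display name is RFC 2047-decoded before matching, otherwise an encoded-word name would evade the check. Sender and Reply-To are deliberately not examined, as the post asks, and names spelled with look-alike non-ASCII letters are not normalised here.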

On Thu, Nov 7, 2019 at 9:46 PM K Post <nntp.p...@gmail.com> wrote:

> Thanks for the nudge in the right direction.  I'll take a look at that
> regex.  Showing the sender address in Outlook won't fly.  It's a good idea,
> but users would hate it and it doesn't solve the issue for mobile users
> (where most of our users get tricked into a quick reply).
>
> How much would you need for a 100 hour or so sponsorship of this?  I doubt
> our charity can come up with the funds, but I'd try!!
>
> On Mon, Nov 4, 2019 at 9:12 AM Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
>
>> Such a feature is not worth the effort.
>>
>> https://www.howto-outlook.com/howto/viewsenderaddress.htm
>>
>> There are too many pitfalls and too many required manual configuration
>> tweaks and exceptions to be handled.
>> examples:
>> - assp does not know user and mailbox names - requires manual tweaks
>> using lists and/or regular expressions
>> - to keep the manual configuration impact low, a complex and very
>> variable LDAP and/or external scripting will be required
>> - a per local domain configuration will be required
>> - several bounce sender tagging mechanisms will cause problems (example:
>> <bob.jones=ourcharity....@domain.com> )
>> ....
>>
>> So, with this feature you would have to configure matching sets for each
>> user. But you can do this now already - in 'bombHeaderRe'. If you got a
>> regular expression working for one user, it is easy to build them for every
>> user.
>> example:
>>
>> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?{local %_ = qw, fname bob  sname jones  domain ourcharity.org ,})(?:(??{$_{'fname'}})[. _\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[, ](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E>>>~=>YOURSCORE
>>
>> this example requires the hidden variable 'AllowCodeInRegex' to be set to 1
>> and a small change in assp.pl - will be published soon
>>
>> or, more simply, but much more needs to be changed in each line
>>
>> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?:bob[. _\-]+jones|jones[, ]bob|bob\.jones\@ourcharity\.org))\s*"?[^<]*<[^\@]+\@(?!ourcharity\.org)\x3E>>>~=>YOURSCORE
>>
>>
>>
>> However, if you think you need such a feature, you'll need to sponsor it
>> or find a sponsor. I expect an effort of two weeks but not less than 100
>> hours to implement and test this feature as a level-1 plugin.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        04.11.2019 00:28
>> Subject:        Re: [Assp-test] Message body modification
>> ------------------------------
>>
>>
>>
>> Right, but what I'm trying to accomplish (as described in detail in my
>> previous thread) is flagging, maybe just with subject modification, mail
>> from outside senders with a name that matches one of our organization's
>> senders.  I'd love to be able to have ASSP insert a warning, not on all
>> mail, but only when there's a suspicious name match.  We can't reasonably
>> quarantine all external email, the messages in question don't have links or
>> attachments to block.
>>
>> For example Bob Jones <bob.jo...@ourcharity.org> is the real address
>> within our organization.  We're seeing name spoofing mail from Bob Jones
>> <bob.jones.ourcharity....@gmail.com> or Bob Jones <president123mad...@gmail.com>.
>> It shows up in outlook as Bob Jones in the inbox.   Lots of times, the
>> message even had the signature that the person actually uses.  We've had
>> even some of our most savvy users get tricked.   The messages slip through
>> assp, because they're innocuous
>> sounding "are you in the office? I need your help"  "I've got a favor to
>> ask, reply when you get this please?"  Whatever, user gets fooled, replies,
>> and then that gmail address is whitelisted.  The next mail asks for the
>> purchase of gift cards, etc.  Common scheme.  If we could change even just
>> the subject line like [Potential Spoof]: <real subject> that would help the
>> recipient.  Inserting a warning into the body would be even better!
>>
>> To do the matching though, we'd need to list the names of our people and
>> their correct address and have ASSP flag only when there's a match from
>> outside.   Of course there are lots of legitimate instances where our
>> people email from their real personal email address to our staff.  Those
>> would get a subject or body modification too, but that's okay.  We don't
>> have the budget to have a third-party system do this.
>>
>> Would you mind taking a look at the original thread for more detail and
>> explanation of what I'm thinking?  I think it's at least worth discussion -
>> I think there's some real value to the ASSP community being how often we're
>> getting name spoofing messages.
>>
>>
>> On Sat, Nov 2, 2019 at 3:34 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> simple company rules are the solution:
>>
>> - every mail from outside the company is subject to be malicious - open
>> attachments or following links in such mails, requires a full manual
>> verification of the email before any action is done - on any doubt the mail
>> has to be quarantined
>> - quarantined mails are untouchable as long as they are not released by an
>> authorised person or system
>> - every mail from outside the company passed an assp system
>> - every mail from/to inside the company will never reach any assp system
>> (except assp reporting)
>> - every mail from outside contains an X-ASSP header but at least the ASSP
>> received header - this header has to be used by the mail client and/or
>> server to classify the mail
>>
>> >can I insert something into the bodies of selected messages as it is
>> sent to the real mail server
>>
>> there is no such code in assp.pl - only ASSP_AFC is
>> able to manipulate the mail body (replace attachments, SMIME)
>>
>> >without having that warning message saved in the corpus
>>
>> assp stores the incoming mail + assp headers  - never the content sent to
>> the server
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        01.11.2019 18:02
>> Subject:        [Assp-test] Message body modification
>> ------------------------------
>>
>>
>>
>> Thomas, quick question: can I insert something into the bodies of
>> selected messages as it is sent to the real mail server without having that
>> warning message saved in the corpus?
>>
>> Early last month, I sent "An idea: Visual warnings in message body" but
>> received no replies.
>> We're seeing SO many of these, that I might try to figure this out on my
>> own if there isn't broad appeal.
>>
>> Thanks
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>