On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to be
> able to detect this type of spoofed From header?
>
> From: "h...@hulumail.com !" <lany...@hotmail.com>
>
> https://pastebin.com/vVhGjC8H
>
> Does anyone else think it would be a good idea to make a rule that at
> least checks both the From:name and From:addr to see if there is an
> email address in the From:name and, if the domain is different, add some
> points?
>
> We are seeing more and more of this now that SPF, DKIM, and DMARC are
> making it harder to spoof common/major brands that have properly
> implemented some or all of them.
I've been testing this:

# three or more @ anywhere in the From: header
header __LOCAL_CRAZY_MULTI_ATS From =~ /.*\@.*\@.*\@/
# an @domain in the display-name part followed by a second @domain
header __LOCAL_MULTI_ATS From =~ /.*\@.*\..*["\s].*\@[a-zA-Z0-9\- ]+\.[a-zA-Z0-9\-]+/
# the display-name domain reappears as the domain of the address
header __LOCAL_MULTI_ATS_SAME_DOMAIN From =~ /.*\@([a-zA-Z0-9\.\- ]+\.[a-zA-Z0-9\.\-]+).+\@\1[^a-zA-Z0-9\.\-]/i
meta LOCAL_FORGED_DISPLAY_DOMAIN ( __LOCAL_CRAZY_MULTI_ATS || ( __LOCAL_MULTI_ATS && ! __LOCAL_MULTI_ATS_SAME_DOMAIN ) )
describe LOCAL_FORGED_DISPLAY_DOMAIN From header appears to have a forged domain in part of the address

... which tries to see if there are two @domain.names in the From and
score if they aren't the same domain. I doubt it's usable yet, and I
don't have the mail volume to look for all the ways it breaks, but it's a
start. I would appreciate tweaks.
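The heuristic under discussion (an e-mail address in the From: display name whose domain differs from the domain of the actual From: address) is easy to prototype outside SpamAssassin to see how it behaves on edge cases. The script below is an added example written for this page; it is not code from either poster and not a SpamAssassin plugin. It mirrors the structure of the meta rule above (three or more @ signs is flagged outright; otherwise a display-name domain that differs from the address domain is flagged) but parses the header with a small regex instead of the rule's `.*` patterns, and it decodes RFC 2047 encoded words first, since a sender can hide the fake address in a `=?utf-8?q?...?=` word. The first sample is the header from the thread; the remaining samples are constructed for the test.

```python
import re
from email.header import decode_header, make_header

# Display-name / address split: the angle-addr at the end of the value.
ANGLE_RE = re.compile(r'<([^<>]*)>\s*$')
# Something that looks like local@domain; group 1 is the domain.
ADDR_RE = re.compile(
    r'[^\s@"<>(),;:]+@([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)'
)


def decode_words(raw: str) -> str:
    """Decode RFC 2047 encoded words so an address hidden in one is visible.

    SpamAssassin `header` rules also see the decoded form unless `:raw`
    is used, so this keeps the prototype comparable to the rule set.
    """
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeError, LookupError, ValueError):
        return raw


def split_from(value: str):
    """Return (display_name, address) for a From: header value."""
    value = value.strip()
    m = ANGLE_RE.search(value)
    if not m:
        # bare address, no display name
        return '', value
    addr = m.group(1).strip()
    name = value[:m.start()].strip()
    # drop one layer of surrounding quotes from the display name
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    return name, addr


def domains_in(text: str) -> set:
    """All domains of address-shaped tokens in text, lowercased."""
    return {d.lower().rstrip('.') for d in ADDR_RE.findall(text)}


def forged_display_domain(raw: str):
    """Classify a From: header like the meta rule in the thread.

    Returns 'LOCAL_CRAZY_MULTI_ATS' for three or more @ signs,
    'LOCAL_FORGED_DISPLAY_DOMAIN' when the display name carries an
    address whose domain differs from the address domain, else None.
    """
    decoded = decode_words(raw)
    if decoded.count('@') >= 3:
        return 'LOCAL_CRAZY_MULTI_ATS'
    name, addr = split_from(decoded)
    name_domains = domains_in(name)
    addr_domains = domains_in(addr)
    if not name_domains or not addr_domains:
        return None            # no address in the display name: benign
    if name_domains == addr_domains:
        return None            # same domain both places: benign
    return 'LOCAL_FORGED_DISPLAY_DOMAIN'


# Constructed samples; only the first one is from the thread.
SAMPLES = [
    '"h...@hulumail.com !" <lany...@hotmail.com>',
    '"support@example.com" <support@example.com>',
    '"Jane Doe" <jane@example.org>',
    '"a@x.example" "b@y.example" <c@z.example>',
    '=?utf-8?q?h=2E=2E=2E=40hulumail=2Ecom_=21?= <lany...@hotmail.com>',
    'bob@example.net',
    '"Bob (bob@Example.COM)" <bob@example.com>',
]


def run_samples():
    """Map each sample header to the rule it would hit (or None)."""
    return {s: forged_display_domain(s) for s in SAMPLES}


if __name__ == '__main__':
    for header, hit in run_samples().items():
        print(f'{hit or "-":30} {header}')
```

Two things this surfaces that the regex rules do not: the encoded-word sample is caught only because decoding happens first, and the comparison is on whole domains, so a display name mentioning `mail.example.com` next to an address at `example.com` would be flagged; whether to collapse to the registrable domain is a policy choice for the rule author.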