David,

This rule can do the full job... I have tested it with good results.
(Can be tested here: https://regex101.com/r/Vpmhjz/3 )

It checks if the level domain next to the TLD in the From:name matches the domain next to the TLD in From:email

header FROM_DOMAINS_MISMATCH From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
describe FROM_DOMAINS_MISMATCH Domain name mismatch in From header

>Would a plugin need to be created (or an existing one enhanced) to be
>able to detect this type of spoofed From header?
>From: "h...@hulumail.com !" <lany...@hotmail.com>
>https://pastebin.com/vVhGjC8H
>
>Does anyone else think this would be a good idea to make a rule that at
>least checks both the From:name and From:addr to see if there is an
>email address in the From:name and if the domain is different add some
>points?
>We are seeing more and more of this now that SPF, DKIM, and DMARC are
>making it harder to spoof common/major brands that have properly
>implemented some or all of them.
>--
>David Jones

----------
PedroD
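
The check discussed in this thread (an email address in the From display name whose domain differs from the real sender's domain), as an added Python example; it is not code from the thread or from SpamAssassin. The function names, the small multi-label suffix set and the sample headers are constructed assumptions; it reports a mismatch only when the display name actually contains an address.

```python
import re
from email.header import decode_header, make_header

# Trailing <addr-spec> is the real sender; everything before it is the display name.
FROM_RE = re.compile(r"^(?P<name>.*)<(?P<addr>[^<>@\s]+@[^<>@\s]+)>\s*$", re.S)
NAME_ADDR_RE = re.compile(r"[\w.%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)")
# Assumption: tiny constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}


def org_domain(domain):
    """Approximate the registrable domain: the label next to the public suffix."""
    labels = domain.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def display_name_domains(name):
    """Org domains of every address-like token in the (decoded) display name."""
    try:
        name = str(make_header(decode_header(name)))  # RFC 2047 encoded-words
    except Exception:
        pass  # undecodable name: fall back to the raw text
    return {org_domain(m.group(1)) for m in NAME_ADDR_RE.finditer(name)}


def from_domains_mismatch(from_header):
    """True only if the display name shows an address from a different org domain."""
    m = FROM_RE.match(from_header.strip())
    if not m:
        return False  # bare address or unparsable: nothing to compare
    real = org_domain(m.group("addr").rsplit("@", 1)[1])
    return any(d != real for d in display_name_domains(m.group("name")))


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"billing@brand.example !" <someone@freemail.example>',
    '"news@mail.brand.example" <bounce@brand.example>',
    'Jane Doe <jane@brand.example>',
    '=?utf-8?q?support=40bank.example?= <x@freemail.example>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(from_domains_mismatch(h), h)
```

Subdomains of the same organisation and ordinary display names without an address are not flagged; a production version would replace the suffix set with the full Public Suffix List.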