I've got a basic plugin written for this now, but I'd like to do a
litle more testing before I make it widely available. If you have
mail samples (ham or spam) with an "@" character in the name part of
the From field that you're willing to share, let me know.
BTW, I've already run into some false-positive situations, the most
common being things from yahoogroups, which apparently writes the
"true" sender address in the name part of From (they also dkim sign,
so not too hard to work around). I started trying to handle these in
the plugin itself, but I'm beginning to think these would be better as
separate rules and then combined as metas to mitigate the actual
mismatch score.
On Wed, 17 Jan 2018, David Jones wrote:
Would a plugin need to be created (or an existing one enhanced) to be able to
detect this type of spoofed From header?
From: "h...@hulumail.com !" <lany...@hotmail.com>
https://pastebin.com/vVhGjC8H
Does anyone else think this would be a good idea to make a rule that at least
checks both the From:name and From:addr to see if there is an email address
in the From:name and if the domain is different add some points?
We are seeing more and more of this now that SPF, DKIM, and DMARC are making
it harder to spoof common/major brands that have properly implemented some or
all of them.
--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
