On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
> I don't think the multiple @ signs have worked in a very long time. So
> I see no reason not to add score based on multiple @ signs. Or if there
> is a legitimate use for it, it should be extremely rare and the false
> positive rate should be acceptable.
I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" <serviceaccount@portal.domain>, but not all. And then there are the messages with 2 different From: addresses within <>'s in them. I see those from Gmail sometimes. And I see quite a few messages where the actual sender address is given in quotes and then followed by the same address in <>'s. So you will definitely get false positives just looking at @'s. I've excluded the ones with " via" in them and add a bunch of extra points if they come from phishy countries or have .doc or .pdf attachments, and that hits fewer fps. And I'm only scoring if the domain parts don't match.
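As an added illustration of the heuristic described in the reply above (example code written for this page, not the poster's rule or any SpamAssassin rule), here is that logic in Python: only look at From: values with two or more @ signs, skip the "user@address via" <service@portal> convention, score only when the domain parts differ, and add weight for .doc/.pdf attachments or an origin country on a caller-supplied list. The score weights, the country handling, the regexes and the function names are all assumptions made for the example; the sample headers are constructed, not taken from real mail.

```python
"""Score a From: header that carries more than one @ sign.

Added example, not code from the thread or from any mail filter.  It mirrors
the heuristic described in the reply: consider only headers with 2+ '@',
skip the '"user@address via" <svc@portal>' convention, score only when the
domain parts differ, and add weight for risky origin countries or .doc/.pdf
attachments.  All weights, the country list and the names are assumptions.
"""
import re

BASE_SCORE = 2.0          # assumed weight: mismatched domains in a multi-@ From:
ATTACHMENT_BONUS = 1.5    # assumed weight: .doc/.docx/.pdf attached
COUNTRY_BONUS = 1.5       # assumed weight: relayed from a country on the caller's list
RISKY_EXTENSIONS = (".doc", ".docx", ".pdf")

# <addr-spec> groups, and anything that looks like local@domain.tld
ANGLE_RE = re.compile(r"<\s*([^<>\s]+@[^<>\s]+)\s*>")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_from(header):
    """Return (display_name, addr_spec) for a raw From: value.

    The last <...> is taken as the real addr-spec; everything before the
    first <...> is the display name, with surrounding quotes stripped.
    """
    angles = list(ANGLE_RE.finditer(header))
    if not angles:
        return "", header.strip()
    display = header[:angles[0].start()].strip().strip('"')
    return display, angles[-1].group(1)


def domain_of(addr):
    """Lower-cased domain part of an addr-spec."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def domains_in(header):
    """Every distinct domain from every addr-spec-looking token in the header."""
    return {domain_of(m) for m in ADDR_RE.findall(header)}


def score_from(header, attachments=(), sender_country=None, risky_countries=frozenset()):
    """Return the score contribution for a From: header (0.0 means no hit)."""
    if header.count("@") < 2:
        return 0.0
    display, _addr = split_from(header)
    # '"user@address via" <service@portal>': legitimate customer-service relays
    if re.search(r"\bvia\b", display, re.IGNORECASE):
        return 0.0
    # Same address quoted and then repeated in <>: domain parts match, no score
    if len(domains_in(header)) < 2:
        return 0.0
    score = BASE_SCORE
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in attachments):
        score += ATTACHMENT_BONUS
    if sender_country and sender_country.upper() in risky_countries:
        score += COUNTRY_BONUS
    return score


if __name__ == "__main__":
    SAMPLES = [  # constructed headers for the example, not real mail
        ('"user@address via" <serviceaccount@portal.domain>', ()),
        ('"jane@example.com" <jane@example.com>', ()),
        ("<alice@gmail.com> <bob@example.org>", ()),
        ('"Accounts <billing@bank.example>" <noreply@mailer.example.net>', ("Invoice.pdf",)),
    ]
    for hdr, att in SAMPLES:
        print(f"{score_from(hdr, att):4.1f}  {hdr}")
```

The first two samples come out at 0.0 (the " via" convention, and the same address quoted and then repeated), the two-address Gmail-style header gets the base score, and the mismatched display-name/addr-spec pair with a PDF attached gets the base score plus the attachment bonus.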