On 12/03/2018 11:53 AM, Alan Hodgson wrote:
> I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" <serviceaccount@portal.domain>, but not all.

Sorry, I was talking about the SMTP envelope. The unquoted part between angle brackets.

> And then there are the messages with 2 different From: addresses within <>'s in them. I see those from Gmail sometimes.

I've heard tell of these, but I've not seen one myself. But I'm a SOHO operator.

> And I see quite a few messages where the actual sender address is given in quotes and then followed by the same address in <>'s.

I don't see any overt problem with that. Though I do think the address in the human friendly quote is unnecessary and redundant.

> So you will definitely get false positives just looking at @'s.

I was talking about only counting the @ signs in the unquoted part between angle brackets. The <jdoe@i...@ext.example.net> in the following example.

From: "John Doe <jdoe@ho...@host2.example.net>" <jdoe@i...@ext.example.net>

> I've excluded the ones with " via" in them and add a bunch of extra points if they come from phishy countries or have .doc or .pdf attachments, and that hits fewer fps. And I'm only scoring if the domain parts don't match.

I feel like the contents of the human friendly quoted part of the From: header should be subject to different and distinct scrutiny than the machine parsable part outside of quotes.



--
Grant. . . .
unix || die

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
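The checks discussed in this thread (counting @ signs only in the unquoted angle-bracket part, skipping " via" senders, and scoring only when the domain parts differ), as an added Python example that is not code from either poster. The function names, finding labels and sample headers are constructed for illustration.

```python
import re

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')              # quoted display name
ANGLE = re.compile(r'<([^<>]*)>')                      # unquoted <...> part
ADDR = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')   # address-like text

def split_from(value):
    """Split a From: value into (display_text, [angle-addr, ...])."""
    quoted = [m.group(0)[1:-1] for m in QUOTED.finditer(value)]
    unquoted = QUOTED.sub(" ", value)   # brackets inside quotes are dropped here
    angles = [a.strip() for a in ANGLE.findall(unquoted)]
    rest = ANGLE.sub(" ", unquoted) if angles else ""
    if not angles:
        angles = [unquoted.strip()]     # bare address without <>
    return " ".join(quoted + [rest]).strip(), angles

def check_from(value):
    """Return the set of findings for one From: header value."""
    display, angles = split_from(value)
    addr = angles[-1]
    findings = set()
    if len(angles) > 1:
        findings.add("multiple_angle_addrs")
    if addr.count("@") > 1:             # only the machine-parsable part is counted
        findings.add("multi_at")
    real_domain = addr.rpartition("@")[2].lower()
    shown = {d.lower() for d in ADDR.findall(display)}
    # Skip " via" senders; flag only when a displayed domain differs.
    if " via" not in display.lower() and shown - {real_domain}:
        findings.add("display_domain_mismatch")
    return findings

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"Alice <alice@bank.example>" <alice@bank.example@mailer.example.net>',
    '"alice@bank.example via Helpdesk" <svc@portal.example.org>',
    '"bob@example.com" <bob@example.com>',
    'Bob <bob@example.com>, <carol@example.org>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(sorted(check_from(s)), s)
```

The quoted display name and the angle-bracket address are evaluated separately, so an address repeated inside the quotes never contributes to the @ count.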
