Yeah, I see all these same things.  Better to test against From:addr
rather than the full From:  Perhaps something like:

From:addr =~ /\@[^\s]+\@/

Of course, there might still be legit cases of that kind of usage.


On Mon, 3 Dec 2018, Alan Hodgson wrote:

> On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
>
> > I don't think the multiple @ signs have worked in a very long time. So I see no reason not to add score based on multiple @ signs. Or if there is a legitimate use for it, it should be extremely rare and the false positive rate should be acceptable.
>
> I've been watching these for a while, and unfortunately there are a lot of
> customer-service type systems that send From: addresses with quoted @domain
> addresses in them. Many of them do "user@address via"
> <serviceaccount@portal.domain>, but not all.
>
> And then there are the messages with 2 different From: addresses within <>'s
> in them. I see those from Gmail sometimes.
>
> And I see quite a few messages where the actual sender address is given in
> quotes and then followed by the same address in <>'s.
>
> So you will definitely get false positives just looking at @'s.
>
> I've excluded the ones with " via" in them and add a bunch of extra points
> if they come from phishy countries or have .doc or .pdf attachments, and
> that hits fewer fps. And I'm only scoring if the domain parts don't match.

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
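Added example, not from this thread and not SpamAssassin code: a small Python script that runs the two approaches discussed above over constructed From: header values. It applies the `/\@[^\s]+\@/` regex both to the full header and to the address part (Shane's From:addr suggestion), and implements Alan's "only score if the domain parts don't match, skip anything with ' via'" refinement (without the country or attachment points). `from_addr()` is a simplified stand-in for SpamAssassin's From:addr (last `<...>` group, else the whole value), and every sample header is constructed, not observed.

```python
import re

# The regex proposed in the thread, to be applied to From:addr rather than
# the whole From: header.
MULTI_AT = re.compile(r"\@[^\s]+\@")

# Any addr-spec-looking token anywhere in the header value. Quotes and angle
# brackets end a token, so a quoted "user@address" display name is found too.
ADDR_TOKEN = re.compile(r'[^\s<>"]+@[^\s<>"]+')

# Constructed sample From: values covering the cases raised in the thread.
SAMPLES = {
    "plain":            "Plain Sender <plain@example.com>",
    "via":              '"billing@bank.example via" <notify@portal.example.net>',
    "same_quoted":      '"user@example.org" <user@example.org>',
    "mismatch":         '"support@bank.example" <attacker@evil.example>',
    "mismatch_nospace": '"support@bank.example"<attacker@evil.example>',
    "quoted_local":     '"a@b.example"@c.example',
    "two_angles":       "<first@gmail.example> <second@other.example>",
}


def from_addr(header: str) -> str:
    """Simplified stand-in (an assumption, not SpamAssassin's parser) for
    From:addr: the last <...> group if present, otherwise the whole value."""
    groups = re.findall(r"<([^<>]*)>", header)
    return groups[-1].strip() if groups else header.strip()


def domain_of(addr: str) -> str:
    """Domain part of an addr-spec, lower-cased; '' when there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extra_at_in_full(header: str) -> bool:
    """The regex against the whole From: value (the variant the thread warns
    about). Note that whitespace between the two '@'s already defeats it."""
    return MULTI_AT.search(header) is not None


def extra_at_in_addr(header: str) -> bool:
    """Shane's suggestion: the same regex against From:addr only."""
    return MULTI_AT.search(from_addr(header)) is not None


def domain_mismatch(header: str) -> bool:
    """Alan's refinement: ignore ' via' senders, and fire only when the
    domains mentioned in the header do not all agree with the From:addr
    domain (so 'same address quoted and in <>' is left alone)."""
    if " via" in header:
        return False
    domains = {domain_of(tok) for tok in ADDR_TOKEN.findall(header)}
    domains.add(domain_of(from_addr(header)))
    domains.discard("")
    return len(domains) > 1


def report(header: str) -> dict:
    """All three checks for one header value, for side-by-side comparison."""
    return {
        "from_addr": from_addr(header),
        "full_regex": extra_at_in_full(header),
        "addr_regex": extra_at_in_addr(header),
        "domain_mismatch": domain_mismatch(header),
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} {report(value)}")
```

Running it shows why the thread prefers From:addr plus a domain comparison: the quoted "user@address via" and "same address in quotes and in <>" cases trip neither the From:addr regex nor the domain check, the quoted local part `"a@b.example"@c.example` is the one shape the From:addr regex alone catches, and the two-different-addresses-in-<> case is caught only by the domain comparison.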