On Mon, 3 Dec 2018, Alan Hodgson wrote:
> On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
> > Yeah, I see all these same things. Better to test against From:addr
> > rather than the full From: Perhaps something like:
> > From:addr =~ /\@[^\s]+\@/
> > Of course, there might still be legit cases of that kind of usage.
> The problem though for phishes is that some user agents (i.e., Outlook) only
> display the quoted user-friendly part of the address, not the rest of the
> From: header. So phishers specifically put a fake @domainbeingphished.com in
> quotes so your users will see that.
There were several different plugins started about a year ago to
detect that sort of thing. I know of:
https://github.com/enkidushane/sa-frommismatch
https://github.com/fmbla/spamassassin-fromnamespoof
and I think someone has implemented some of this in a regex rule, but
I don't recall off the top of my head who that was.
--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
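Added example, not from the thread above and not code from either plugin linked in it: a small Python script that splits a From: header the way a user agent does (display name versus address), then applies both ideas discussed: the two-@ test on the address part (the From:addr =~ /\@[^\s]+\@/ rule) and a separate test on the display name for an embedded address whose domain does not match the real sending domain. It also decodes RFC 2047 encoded words in the display name, since "=40" hides an "@" from a naive regex. The sample headers are constructed for illustration; the helper names (analyze, suspicious, split_from) are this example's own.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample From: header values for illustration only (not real mail).
SAMPLES = [
    '"Alice Example" <alice@example.com>',                       # plain, benign
    '"carol@example.com" <carol@example.com>',                   # address in name, same domain
    '"Billing <billing@bank.example>" <x9z@phish.example>',      # fake address shown to the user
    '"billing@bank.example" <attacker@phish.example>',           # bare fake address as name
    '=?UTF-8?Q?support=40bank.example?= <z@phish.example>',      # '@' hidden as =40 in an encoded word
    '"bob@bank.example"@phish.example',                          # quoted local part: two '@' in addr
    'noreply@example.org',                                       # no display name at all
]

# An address-looking token inside free text; group 1 is its domain.
ADDR_IN_TEXT = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
# The From:addr =~ /\@[^\s]+\@/ idea from the thread, applied to the address part.
DOUBLE_AT = re.compile(r'@[^\s]+@')


def decode_display_name(name):
    """Decode RFC 2047 encoded words so the name is what a user agent renders."""
    try:
        return str(make_header(decode_header(name)))
    except Exception:
        return name


def split_from(header_value):
    """Return (display_name, address) as a mail client would separate them."""
    name, addr = parseaddr(header_value)
    return decode_display_name(name), addr.lower()


def domains_in_name(name):
    """Set of domains of any address-like tokens embedded in the display name."""
    return {d.lower() for d in ADDR_IN_TEXT.findall(name)}


def analyze(header_value):
    """Run both checks on one From: header value and report what each saw."""
    name, addr = split_from(header_value)
    real_domain = addr.rsplit('@', 1)[-1] if '@' in addr else ''
    name_domains = domains_in_name(name)
    # Check 1: the address part itself carries more than one '@'.
    double_at = bool(DOUBLE_AT.search(addr))
    # Check 2: the display name shows an address from a domain other than
    # the one the mail is actually from (a same-domain address is allowed).
    mismatch = any(d != real_domain for d in name_domains)
    return {
        'name': name,
        'addr': addr,
        'addr_double_at': double_at,
        'name_domain_mismatch': mismatch,
        'name_domains': sorted(name_domains),
    }


def suspicious(header_value):
    """True if either check fires."""
    r = analyze(header_value)
    return r['addr_double_at'] or r['name_domain_mismatch']


if __name__ == '__main__':
    for sample in SAMPLES:
        r = analyze(sample)
        flag = 'SUSPICIOUS' if suspicious(sample) else 'ok'
        print(f"{flag:10}  name={r['name']!r}  addr={r['addr']!r}  "
              f"double_at={r['addr_double_at']}  mismatch={r['name_domain_mismatch']}")
```

Running it shows which headers each test catches on its own: only the quoted-local-part sample trips the two-@ test on the address, while the three phish-style samples trip only the display-name test. In SpamAssassin terms the second check is what a header rule on the name part (the :name modifier) or the linked plugins look at; the exact-domain comparison here is deliberately simple and will flag legitimate mail whose display name cites a sibling domain (e.g. a subdomain of the real sender), so a production rule would want a whitelist or a looser domain comparison.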