On Mon, 3 Dec 2018, sha...@shanew.net wrote:
On Mon, 3 Dec 2018, Alan Hodgson wrote:
On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
Yeah, I see all these same things. Better to test against From:addr
rather than the full From: Perhaps something like:
From:addr =~ /\@[^\s]+\@/
Of course, there might still be legit cases of that kind of usage.
The problem though for phishes is that some user agents (i.e. Outlook) only
display the quoted user-friendly part of the address, not the rest of the
From: header. So phishers specifically put a fake @domainbeingphished.com in
quotes so your users will see that.
There were several different plugins started about a year ago to
detect that sort of thing. I know of:
https://github.com/enkidushane/sa-frommismatch
https://github.com/fmbla/spamassassin-fromnamespoof
and I think someone has implemented some of this in a regex rule, but
I don't recall off the top of my head who that was.
I was provided a spample by private email (and suggested they post it
here) and it hits T_FROM_2_EMAILS from 20_khop_experimental.cf
https://ruleqa.spamassassin.org/20181211-r1848660-n/T_FROM_2_EMAILS/detail
Perhaps I'll do some FP-avoidance tuning and see if it can be made
publishable.
I'm not sure whether it's hitting on a From header like:
"Johnny Fnord <fn...@example.com>" <fn...@example.com>
I'll review that, too.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...a great many people are not fit for Liberty, it scares the crap
out of them and they'd much rather be ruled. As Loki said in the
Avengers movie, kneeling is their natural state. -- Mark D @ TSM
-----------------------------------------------------------------------
4 days until Bill of Rights day
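The display-name check the thread is circling around, written out as an added example. This is not code from the thread, from the two plugins linked above, or from the SpamAssassin ruleset (T_FROM_2_EMAILS is not reproduced here). It takes the addr-spec from the final <...> group of the From: value (the part an MTA delivers for and the part From:addr exposes), pulls any address-looking tokens out of the display name (the part Outlook shows), and compares domains. The sample headers are constructed for the demonstration, and treating a host as the same organisation as its parent domain (mail.example.com vs example.com) is an FP-avoidance assumption made here, not something the thread establishes. The "Johnny Fnord" header John asks about comes out as same-domain rather than a spoof, and an addr-spec with two '@' signs (the shape Alan's From:addr regex targets) is reported separately.

```python
import re

# Constructed sample From: values for this example (not the spample from the thread).
SAMPLES = {
    "spoof_quoted": '"support@paypal.com" <phisher@evil.example>',
    "spoof_unquoted": "support@paypal.com <phisher@evil.example>",
    "spoof_in_parens": '"PayPal Service (service@paypal.com)" <billing@evil.example>',
    "same_domain": '"Johnny Fnord <fnord@example.com>" <fnord@example.com>',
    "subdomain": '"alerts@mail.example.com" <noreply@example.com>',
    "plain": "Jane Doe <jane@example.com>",
    "bare": "jane@example.com",
    "double_at": '"Support" <support@paypal.com@evil.example>',
}

# An address-looking token anywhere in text: local part, '@', then a dotted domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# Display name followed by the final <...> group, which is the real addr-spec.
ROUTE_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]*)>\s*$", re.S)


def split_from(header):
    """Return (display name, addr-spec) for a From: value.

    The addr-spec is the last <...> group: the part an MTA delivers for and
    the part SpamAssassin's From:addr exposes.  Everything before it is the
    display name, which is what a client like Outlook shows the user.  A
    value with no angle brackets is treated as a bare addr-spec.
    """
    header = header.strip()
    m = ROUTE_RE.match(header)
    if m:
        return m.group("name").strip(), m.group("addr").strip()
    return "", header


def same_org(d1, d2):
    """Assumption made for FP avoidance in this example: a host and its parent
    domain (mail.example.com vs example.com) belong to the same organisation."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def check_from(header):
    """Classify a From: value.

    Returns (verdict, mismatched_domains, real_domain) where verdict is one of
      'clean'           no address-like token in the display name
      'same_domain'     display name carries an address, but in the sender's domain
      'mismatch'        display name carries an address in a different domain
      'malformed_addr'  the addr-spec itself does not contain exactly one '@'
                        (the two-'@' shape a From:addr regex like /\@[^\s]+\@/ targets)
    """
    name, addr = split_from(header)
    if addr.count("@") != 1:
        return "malformed_addr", [], addr
    real = addr.rpartition("@")[2].lower()
    shown = {m.group(1).lower() for m in ADDR_RE.finditer(name)}
    mismatched = sorted(d for d in shown if not same_org(d, real))
    if not shown:
        return "clean", [], real
    if mismatched:
        return "mismatch", mismatched, real
    return "same_domain", [], real


def scan(samples):
    """Run check_from over {label: header} and return {label: verdict}."""
    return {label: check_from(h)[0] for label, h in samples.items()}


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        verdict, mismatched, real = check_from(header)
        print(f"{label:16} {verdict:15} real={real} shown_elsewhere={mismatched}")
```

Taking the addr-spec from the last <...> group rather than handing the header to a lenient address parser is deliberate: the unquoted form `support@paypal.com <phisher@evil.example>` parses as two addresses under some parsers and as one under others, and the whole point of the phish is that the user agent and the MTA disagree about what the header says.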