On Thu, 2019-11-21 at 14:22 -0700, Grant Taylor wrote:
> On 11/21/19 12:14 PM, Martin Gregorie wrote:
> > describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> > header __SM1 From:name /display name/
> > header __SM2 From:addr /email address/
> > meta SPOOFED_MAYOR (__SM1 && ! __SM2)
> > score SPOOFED_MAYOR 5.0
>
> I like the logic.
>
> Unfortunately, you need to be very careful as you start to run into
> all the text permutations / homograph attacks.
>
> This type of rule may accidentally incur false positives too, so be
> careful.
>
In general, yes, but in this case both patterns should be plaintext
strings.
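The logic discussed in this thread, as an added Python example that is not from either poster: it applies the "name matches, address does not" test to constructed From: headers and goes one step beyond the posted rule by reporting display names that mix scripts, which a plain-text name pattern never matches. The name "Jane Doe", the address mayor@city.example and the MIXED_SCRIPT_NAME label are assumptions made for illustration.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed placeholders for the rule's /display name/ and /email address/.
NAME_RE = re.compile(r"\bjane\s+doe\b", re.IGNORECASE)
ADDR_RE = re.compile(r"^mayor@city\.example$", re.IGNORECASE)


def scripts(text):
    """Scripts of the letters in text (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def classify(from_header):
    """Apply the (__SM1 && ! __SM2) logic to one From: header value."""
    raw_name, addr = parseaddr(from_header)
    # Decode RFC 2047 encoded-words so the name test sees readable text.
    name = str(make_header(decode_header(raw_name)))
    name_hit = bool(NAME_RE.search(name))   # __SM1: protected display name
    addr_ok = bool(ADDR_RE.match(addr))     # __SM2: the genuine address
    if name_hit and not addr_ok:
        return "SPOOFED_MAYOR"
    # Beyond the posted rule (hypothetical label): a name mixing Latin with
    # another script cannot match a plain-text pattern, so flag it for review.
    if not addr_ok and len(scripts(name)) > 1:
        return "MIXED_SCRIPT_NAME"
    return "clean"


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Jane Doe" <mayor@city.example>',
    "Jane Doe <jane.doe@mail.example>",
    "=?UTF-8?B?SmFuZSBEb2U=?= <x@other.example>",
    "J\u0430ne Doe <jane.doe@mail.example>",   # U+0430 is a Cyrillic letter
    "\u0418\u0432\u0430\u043d <ivan@mail.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):18} {header}")
```

The second sample is also what a false positive looks like: a different person who really is named Jane Doe gets the same result.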