On Tue, 17 Dec 2019 16:15:37 -0500 AJ Weber wrote:

> Just looking at a phishing email I received and at first glance I
> wasn't sure how SA (or more-specifically my SA install/configuration)
> didn't score this as spam.
>
> Looks like I have a whitelist setup for alerts from comcast (probably
> a bad idea, but let's address that separately).
>
> The following header is the FROM in the message envelope.
>
> From: =?utf-8?Q?B=CC=B7B=CC=B7&T?=
> <online.communicati...@alerts.comcast.net>
>
> And the email is supposedly one telling me my credit card has been
> compromised, click here to restore access, yada, yada, yada. (I do
> not bank with BB&T at all.)
>
> I am using the KAM and many of the other rules recommended by those
> on this list. Besides the whitelist mistake, would this "disguised
> From" be detected by some of the other rulesets (I also use KAM)? I
> thought I read a post or announcement that this type of disguise was
> detected pretty-well?
I'm not sure what you mean by disguise, and what you expect should have been done. The MIME encoding is legitimate and normal for a header with a non-ASCII character, and SA decodes it for header and body rules. The 'B' characters have been overlaid with a clearly visible slash, which isn't very clever in a phishing email.
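As an added example (not code from this thread or from SpamAssassin), the Python below decodes a From: header modelled on the encoded-word quoted above with the standard library's RFC 2047 support, which is roughly what a header rule sees once SA has decoded the header, and reports the combining marks that draw the slashes through the letters. The mailbox address is a constructed placeholder, not the one in the original message.

```python
import email
import unicodedata
from email import policy

# Constructed sample, modelled on the From: header quoted in the thread.
# The encoded-word is the one from the thread; the address is a placeholder.
RAW_FROM = "=?utf-8?Q?B=CC=B7B=CC=B7&T?= <alerts@example.net>"


def parse_from(raw_value):
    """Return (decoded display name, addr-spec) for a raw From: header value.

    policy.default makes the stdlib parser decode RFC 2047 encoded-words,
    so display_name is the text a decoded-header rule would be matched against.
    """
    msg = email.message_from_string(f"From: {raw_value}\n\n", policy=policy.default)
    addr = msg["From"].addresses[0]
    return addr.display_name, addr.addr_spec


def combining_marks(text):
    """List the combining code points (as U+XXXX) present in text."""
    return [f"U+{ord(c):04X}" for c in text if unicodedata.combining(c)]


def strip_marks(text):
    """Drop combining marks so the base letters can be compared to a brand name."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def check_display_name(raw_value):
    """Decode the header and flag display names that rely on combining marks."""
    name, addr_spec = parse_from(raw_value)
    marks = combining_marks(name)
    return {
        "display_name": name,      # e.g. 'B̷B̷&T' for the sample above
        "addr_spec": addr_spec,
        "combining_marks": marks,  # U+0337 COMBINING SHORT SOLIDUS OVERLAY, twice
        "base_text": strip_marks(name),  # 'BB&T' once the overlays are removed
        "flag": bool(marks),
    }


if __name__ == "__main__":
    print(check_display_name(RAW_FROM))
```

The base_text field is what you would compare against a whitelisted sender name; the decoded display name itself is what a plain header regex in SA matches against.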