On Sun, 21 Feb 2021 11:28:51 +0100 Michael Storz wrote:
> On 2021-02-20 08:58, Dominic Raferd wrote:
> > Is there a rule to catch cases where the domain of the Reply-To
> > header is a subtle variant on that in the To header. Take this
> > (real) example from a phishing email sent yesterday:
> >
> > From: "Karen Howard" <ka...@interfacefm.com>
> > Reply-To: "Karen Howard" <ka...@intrefacefm.com>
>
> Use the "Damerau–Levenshtein distance" to calculate the similarity.
> Since long I was interested to try this, but never found the time.

Did you have a particular use in mind for that?

The example above doesn't seem all that useful as a phishing technique as it will fail DMARC. My suspicion is that they are trying to exploit mail systems that haven't yet adopted DMARC checking and that interfacefm.com was chosen for its SPF record:

v=spf1 +a +mx +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com

There's no -all or ~all on the end.