On 21/02/2021 13:56, RW wrote:
On Sun, 21 Feb 2021 11:28:51 +0100
Michael Storz wrote:

On 2021-02-20 08:58, Dominic Raferd wrote:
Is there a rule to catch cases where the domain of the Reply-To
header is a subtle variant on that in the To header? Take this
(real) example from a phishing email sent yesterday:

From: "Karen Howard" <ka...@interfacefm.com>
Reply-To: "Karen Howard" <ka...@intrefacefm.com>
Use the "Damerau–Levenshtein distance" to calculate the similarity.
I have long been interested in trying this, but never found the time.
Did you have a particular use in mind for that? The example above doesn't
seem all that useful as a phishing technique as it will fail DMARC.

My suspicion is that they are trying to exploit mail systems that
haven't yet adopted DMARC checking and that interfacefm.com was chosen
for its SPF record:

v=spf1 +a +mx +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com

There's no -all or ~all on the end.
Yes, this mail passed DMARC, and it is cases like this that I want to catch. 99% of domains have not implemented full DMARC with p=quarantine|reject, so one can't rely on it (although it has a valuable role).
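As an added illustration of the distance-based check Michael suggests (not code from the thread or from SpamAssassin), the following Python computes the optimal string alignment variant of Damerau–Levenshtein (insert, delete, substitute, adjacent transposition) between the From and Reply-To domains and flags a Reply-To that is a near miss of From rather than identical or unrelated. The sample message is constructed; its local parts are made up, since the originals were elided in the post.

```python
import email
from email.utils import parseaddr

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.
    Edits: insert, delete, substitute, and swap of two adjacent characters."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]

def header_domain(msg, name):
    """Lower-cased domain of the first address in header `name`, or None."""
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def lookalike_reply_to(raw: str, max_distance: int = 2):
    """Return (from_domain, reply_domain, distance) when the Reply-To domain is
    within 1..max_distance edits of the From domain; None when the headers are
    missing, identical, or clearly unrelated (so ordinary mail is not flagged)."""
    msg = email.message_from_string(raw)
    f, r = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    if not f or not r or f == r:
        return None
    dist = osa_distance(f, r)
    return (f, r, dist) if dist <= max_distance else None

# Constructed sample modelled on the headers quoted above (local parts invented).
SAMPLE = """From: "Karen Howard" <karen@interfacefm.com>
Reply-To: "Karen Howard" <karen@intrefacefm.com>
Subject: test

body
"""

if __name__ == "__main__":
    print(lookalike_reply_to(SAMPLE))  # ('interfacefm.com', 'intrefacefm.com', 1)
```

The transposed "er"/"re" in the quoted example scores a distance of 1, which is exactly the near-miss range a rule would want to score on; unrelated domains such as a corporate From with a webmail Reply-To fall outside the threshold.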
