On 8/20/2015 2:42 PM, Olivier Coutu wrote:
> I got a spearphishing e-mail the other day that had a From with the
> following form:
> From: "Mister President <presid...@company.com>"
> <phish...@freemailer.com>
> I attempted to craft a SA rule to catch the "@" in the From:name, but I
> was unable to catch anything after the "<".
> ex:
> From:name =~ /Mister President/ hits
> From:name =~ /Mister President \</ does not hit
> From:name =~ /\@/ does not hit
> From:name =~ /company/ does not hit
> From =~ /\@.*\@/ hits but is inefficient
> I believe that SA may be removing the <presid...@company.com> part
> from the From:name; am I correct? Is there any efficient way to detect
> such an occurrence of an "@" in the From:name?
> Using SA version 3.4.1 on Ubuntu with debug
Good catch! If you are using a new enough Perl, you might try the
following, which should have zero backtracking (the + modifier on
quantifiers works like a cut in Prolog):
From =~ /\@[^@]*+\@/
That said, header fields are likely never going to be long enough for
what you currently have to be a performance concern.
(I was about to say it was impossible, but then I saw there is no length
limit on headers:
http://stackoverflow.com/questions/2721605/maximum-size-of-email-x-headers)
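As an added example, not code from this thread and not SpamAssassin's own parser: a standalone Python check that splits a From: header into display name and address with the standard library, tests the display name for an embedded "@" or "<" (what the From:name rule above was after), and applies the whole-header "two @ signs" regex from the reply. The sample headers are constructed for the example, the first copying the shape quoted in the question; the possessive quantifier needs Python 3.11 or later, so the code falls back to the plain form on older interpreters, which matches the same strings.

```python
"""Detect a forged inner address in the From: display name.

Added example, independent of SpamAssassin. It checks the display name
directly (SpamAssassin's From:name extraction is what the thread is about
and is not reproduced here) and also applies the whole-header rule from
the reply.
"""
import re
from email.utils import parseaddr

# Constructed sample headers. "spoofed" copies the shape from the thread:
# the display name carries a lookalike mailbox, the real sender is a
# free-mailer address.
SAMPLE_HEADERS = {
    "spoofed": '"Mister President <presid...@company.com>" <phish...@freemailer.com>',
    "benign": "Mister President <president@company.com>",
    # A display name with an "@" but no angle brackets: both checks below
    # still fire on it, so expect some false positives from either rule.
    "at_in_name": '"alice@home" <alice@example.com>',
}


def split_from(header: str) -> tuple[str, str]:
    """Return (display_name, addr_spec) for a From: header value.

    parseaddr keeps the quoted display name intact, including any
    '<...@...>' text inside the quotes, which is exactly the part the
    From:name rule in the thread could not see."""
    name, addr = parseaddr(header)
    return name, addr


def name_has_embedded_address(header: str) -> bool:
    """True when the display name itself contains an '@' or a '<', i.e.
    the sender shows one mailbox while sending from another."""
    name, _ = split_from(header)
    return "@" in name or "<" in name


def build_double_at_rule() -> re.Pattern:
    """Compile the reply's whole-header rule: two '@' anywhere in From.

    The possessive quantifier '*+' (no backtracking) is assumed to be
    available on Python 3.11+; older versions raise re.error on it, so
    fall back to the plain form, which accepts the same headers."""
    try:
        return re.compile(r"@[^@]*+@")
    except re.error:
        return re.compile(r"@[^@]*@")


def double_at(header: str) -> bool:
    """Apply the whole-header two-'@' rule to a From: header value."""
    return build_double_at_rule().search(header) is not None


def main() -> None:
    for label, header in SAMPLE_HEADERS.items():
        name, addr = split_from(header)
        print(f"{label:11s} name={name!r} addr={addr!r} "
              f"name_check={name_has_embedded_address(header)} "
              f"double_at={double_at(header)}")


if __name__ == "__main__":
    main()
```

Running the script prints one line per sample header; the spoofed header trips both checks, the benign one neither. The display-name check is the more precise of the two, since it looks only at the part a mail client shows the recipient, while the two-"@" rule also matches any header where an "@" merely appears twice.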