On 2016-06-28 10:48, John Wilcock wrote:
> Or, if your company is a worthwhile target, it is equally easy for the
> scammer to set up a lookalike domain and configure it with proper SPF,
> DKIM and the like. Who's going to notice that the message came from
> examp1e.com instead of example.com?
> Theoretically, of course, custom SA rules could be written to detect
> such lookalikes, but even then, all it takes is for a scammer to have
> a slightly better imagination than the person writing the rules!
The other way to fix that is to detect the lexical distance between the
sender's domain and your organisation's domains, e.g. by building a
plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance.
That could be done for a small number of domains within a few hours. In
my experience results are impressive and it's really awesome to block
such a personalized attack, although this spoofing method is not used
that often due to its cost. Mail me if you want the core of the code to
do those checks.
In general, the problem that the scammer is trying to solve is how to
make the end user believe that he is the CEO/CFO while making sure that
the reply actually goes back to the scammer. In my experience,
Levenshtein-type domain spoofing is just one way to do it; here are
others that I have seen:
- Spoofing the content-from domain and using a different reply-to. This
may be done by using a different envelope-from domain or using the same
one if you do not have an SPF record.
- Inserting the from-address in the from-name. With enough spacing, this
can be believable on certain MUAs.
- Spoofing the from name and using a bogus e-mail
(ceo_e...@freemailer.com). It's crude, but I have seen quite a few. You
can keep a list of the executive names in your SA configuration, but
good luck catching all variations.
Of course, blocking on this basis alone might create false positives, say
with web forms, so IMO some fraud-related language and exemptions must
be integrated in any custom rule. I would suggest running such a rule in
test mode and weeding out false positives.
Olivier
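The checks Olivier lists (Levenshtein distance between the sender's domain and the organisation's domains, a From/Reply-To domain mismatch, an address padded into the From display name, and an executive's name on an external address) side by side, as an added example that is not code from the thread and not a SpamAssassin plugin (a real plugin would be written in Perl). The organisation domains, the executive names, the edit-distance threshold and the sample messages are all constructed assumptions for this example.

```python
"""Checks for CEO-fraud sender tricks: lookalike domains by Levenshtein
distance, From/Reply-To domain mismatch, an address hidden in the From
display name, and an executive's name on an external address.

Added example, not the thread's or SpamAssassin's code (a real plugin would
be Perl). Organisation domains, executive names, threshold and the sample
messages are all constructed assumptions for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"example.com", "example.co.uk"}   # assumed organisation domains
EXEC_NAMES = {"jane doe", "john smith"}          # assumed protected names
MAX_DISTANCE = 2   # edits at or below this count as a lookalike (tune per site)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with the usual two-row dynamic-programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str):
    """Return the organisation domain that `domain` imitates, or None.
    Our own domains (distance 0) are never reported."""
    domain = domain.lower()
    if domain in OUR_DOMAINS:
        return None
    for ours in sorted(OUR_DOMAINS):
        if levenshtein(domain, ours) <= MAX_DISTANCE:
            return ours
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def normalise_name(name: str) -> str:
    """'J. Doe' -> 'j doe', 'jane.doe' -> 'jane doe'; crude, as the thread warns."""
    return " ".join(re.findall(r"[a-z]+", name.lower()))


def check_headers(raw: str) -> list:
    """Return (rule, detail) pairs for one RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    hits = []

    target = lookalike_domain(from_dom)
    if target:
        hits.append(("LOOKALIKE_DOMAIN",
                     f"{from_dom} is within {MAX_DISTANCE} edits of {target}"))
    if from_dom in OUR_DOMAINS and reply_dom and reply_dom not in OUR_DOMAINS:
        hits.append(("REPLYTO_MISMATCH",
                     f"From {from_dom} but Reply-To {reply_dom}"))
    hidden = re.search(r"[\w.+-]+@[\w.-]+", from_name)   # address in display name
    if hidden:
        hits.append(("ADDRESS_IN_FROM_NAME",
                     f"display name carries {hidden.group()}, real address {from_addr}"))
    if normalise_name(from_name) in EXEC_NAMES and from_dom not in OUR_DOMAINS:
        hits.append(("EXEC_NAME_EXTERNAL", f"{from_name!r} from {from_addr}"))
    return hits


# Constructed sample messages, one per trick, plus a legitimate one.
SAMPLES = {
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nTo: ap@example.com\n"
                 "Subject: Urgent wire\n\nPlease pay the attached invoice today.\n",
    "replyto": "From: Jane Doe <jane.doe@example.com>\n"
               "Reply-To: <jane.doe.ceo@freemailer.example>\nTo: ap@example.com\n"
               "Subject: Urgent wire\n\nReply to me directly.\n",
    "name_padding": 'From: "Jane Doe <jane.doe@example.com>          "'
                    " <acct7@freemailer.example>\nTo: ap@example.com\n"
                    "Subject: Urgent wire\n\nAre you at your desk?\n",
    "exec_freemail": "From: Jane Doe <ceo_jane@freemailer.example>\n"
                     "To: ap@example.com\nSubject: Urgent wire\n\nCall me.\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\n"
             "Subject: Lunch\n\nSee you at noon.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, [rule for rule, _ in check_headers(raw)])
```

The threshold is the part that needs tuning: with MAX_DISTANCE set to 2 a short legitimate domain two edits away from yours would also trip LOOKALIKE_DOMAIN, and EXEC_NAME_EXTERNAL fires on any outside sender who happens to share an executive's name (or on web forms that put a real name in From), which is why the thread suggests pairing these rules with fraud-language checks and exemptions and running them in test mode first.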