On 10/02/2017 01:11 PM, John Hardin wrote:
On Mon, 2 Oct 2017, David Jones wrote:
On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
> I recently stumbled onto a mail with a Spam link where the FROM header
> field looked like this:
>
> From: "Firstname Lastname@" <recipient-domain.com > sendern...@real-senders-domain.com>
Jakob, just wanted to let you know I identified this issue as well and
just opened a ticket about it yesterday to try and figure out a rule
against it. Can you send me spamples via pastebin, please?
Regards,
KAM
I am seeing this more and more on my SA filters and being reported by
my customers:
https://pastebin.com/f07Gq1kZ
https://pastebin.com/FMsJNGba
This is catching this pretty well so far:
header FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
describe FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an email address in the display name
You probably want to let SA do the header parsing and write your rule
against From:name or From:addr instead.
Thank you for the suggestions. I didn't know about the From:name and
From:addr parsing by SA. As it turns out, the double quotes missing are
very important. When I use the From:name which properly has the quotes,
I am hitting many false positives. It appears that legit sending people
or mail clients are putting email addresses in their "Display Name".
It's the ones without quotes that are spam a high percentage of the time
in my mail flow.
I have gone back to my original rule that catches senders that put an
email address in the Display Name and do not have quotes.
If you're testing your rules in a sandbox using debug mode, this may help:
header __FROM_NAME From:name =~ /.*/
header __FROM_ADDR From:addr =~ /.*/
That way you can see what's actually being parsed from the header.
Potentially this might be as simple as:
header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
or
header __FROM_MULTIPLE_ADDR From:addr =~ /\s/
No idea how FP-prone those might be, though, so it's probably prudent to
meta them with other stuff as well...
--
David Jones
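The rules quoted in this thread, run against constructed sample From: headers, as an added example that is not part of the thread or of SpamAssassin itself. split_from() is an assumed, simplified stand-in for SpamAssassin's From:name / From:addr parsing, not its real code. FROM_SPOOF_EMAIL_DISPLAY_WIDE is my own wider variant of David's regex: as written, his character class admits only letters and underscores in the domain and two- or three-letter TLDs, so a hyphenated domain like the recipient-domain.com placeholder above slips past it.

```python
# Added example (not from the thread or the SpamAssassin project): run the
# rules quoted above against constructed From: headers so the difference
# between matching the raw header and matching the parsed From:name /
# From:addr is visible.  split_from() is an assumed approximation of
# SpamAssassin's header parsing, not its implementation.
import re

# Regexes copied from the thread; Perl and Python agree on these patterns.
FROM_SPOOF_EMAIL_DISPLAY = re.compile(r"@[a-z_]+?\.[a-z]{2,3} <", re.IGNORECASE)  # raw From
FROM_MAYBE_SPOOF = re.compile(r"\w@\w")   # applied to From:name
FROM_MULTIPLE_ADDR = re.compile(r"\s")    # applied to From:addr

# Assumed wider variant of David's rule: allows hyphens and digits in the
# domain and TLDs longer than three letters, which the original skips.
FROM_SPOOF_EMAIL_DISPLAY_WIDE = re.compile(
    r"@[a-z0-9_-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,} <", re.IGNORECASE)


def split_from(header):
    """Approximate From:name / From:addr: text before the last '<' is the
    display name (surrounding double quotes removed); the angle-bracket
    content is the address.  Without angle brackets the whole value is
    treated as the address and the name is empty."""
    lt = header.rfind("<")
    if lt == -1:
        return "", header.strip()
    name = header[:lt].strip()
    addr = header[lt + 1:].rstrip().rstrip(">").strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return name, addr


def evaluate(header):
    """Return which of the thread's rules fire for one From: header value."""
    name, addr = split_from(header)
    return {
        "FROM_SPOOF_EMAIL_DISPLAY": bool(FROM_SPOOF_EMAIL_DISPLAY.search(header)),
        "FROM_SPOOF_EMAIL_DISPLAY_WIDE": bool(FROM_SPOOF_EMAIL_DISPLAY_WIDE.search(header)),
        "__FROM_MAYBE_SPOOF": bool(FROM_MAYBE_SPOOF.search(name)),
        "__FROM_MULTIPLE_ADDR": bool(FROM_MULTIPLE_ADDR.search(addr)),
    }


# Constructed sample headers on reserved example.* domains, not the
# reported spam.  recipient-domain.com is the placeholder from the thread.
SAMPLES = {
    "unquoted_spoof": "Firstname Lastname@example.com <sender@example.net>",
    "unquoted_spoof_hyphen": "Firstname Lastname@recipient-domain.com <sender@example.net>",
    "quoted_address_in_name": '"Firstname Lastname@example.com" <sender@example.net>',
    "plain_quoted": '"Jane Doe" <jane@example.org>',
    "plain_unquoted": "Jane Doe <jane@example.org>",
    "bare_address": "jane@example.org",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        hits = [rule for rule, fired in evaluate(header).items() if fired]
        print(f"{label:24} {hits or '-'}")
```

Running it shows the point David made: the raw-header rule stays quiet on the quoted form because a closing quote, not a space, precedes the `<`, while the From:name rule fires on both the quoted and the unquoted display name and therefore needs to be meta'd with something else before it scores.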