Hi Thomas,

Looks like a good feature. I'll have to double-check the headers for this
message. I think the domains in all three From headers actually exist but
have no relation to the recipient.

As the SMTP address and From headers are a legitimate but compromised account,
the only header that would fail a legitimate domain check would be the
Reply-To header.

These are carefully crafted, targeted phishing emails; I've seen them sent
to many accounts departments pretending to be from company directors
requesting bank payments of up to £10,000. Of course the accounts
department goes straight to said director, who comes to us wanting to know
why we aren't blocking them.

All the best,
Colin

On Sat, 14 Apr 2018, 08:26 Thomas Eckardt, <thomas.ecka...@thockar.com> wrote:

> > I thought this would not be caught by nospoofing because that would
> > only match if the RHS ended in the entry from localdomains.
>
> OK.
>
> And what if the 'DoNoFrom' feature would work like this:
>
> Check for Existing and Valid From: and Sender: Header Tag and Address
> (DoNoFrom)
>
> If enabled, the MIME header is checked for valid From: and Sender: header
> tags.
> This header check fails and faults are counted if both headers (From: and
> Sender:) are missing, if any of these headers does not contain a valid
> email address, or if multiple copies of the same header are found.
> The scoring value nofromValencePB is added for each detected fault.
>
>
> In your example:
>
> Reply-to: Sender Name <n...@recipientdomain.tld-1.me>
>
> To: recipi...@recipientdomain.tld
>
> From: Sender Name <f...@domain.tld>
>
> From: Sender Name <f...@domain2.tld>
>
> From: Sender Name <actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld>
>
> 'nofromValencePB' would be added twice, once for each additional From:
> header.
>
>
>
> Thomas
>
>
>
>
>
> From: "Colin Waring" <co...@dolphinict.co.uk>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 13.04.2018 20:55
> Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains
> ------------------------------
>
>
> Thank you for the reply Thomas,
>
>
>
> Being able to include Sender:, Reply-To: and Errors-To: would be handy in
> my opinion.
>
>
>
> However, in this case the local domain was not in any of the From: fields
> whatsoever. By using n...@recipientdomain.tld-1.me, this hits a stupid bug
> in Outlook where in some places it will only display n...@recipientdomain.tld.
> The -1.me is completely fictional and varies from message to message. I
> thought this would not be caught by nospoofing because that would only match
> if the RHS ended in the entry from localdomains.
>
>
>
> All the best,
>
> Colin.
>
>
>
> From: Thomas Eckardt <thomas.ecka...@thockar.com>
> Sent: 13 April 2018 16:55
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains
>
>
>
> Colin,
>
> 'DoNoSpoofing4From' should do it - but it isn't. Only the first 'From:'
> address is currently checked, and this will not prevent this attack.
> But it is possible to include 'Sender:, Reply-To: and Errors-To:' into
> this check, which would catch these mails.
>
> What do you think?
>
> Thomas
>
>
>
>
>
> From: "Colin Waring" <co...@dolphinict.co.uk>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 13.04.2018 17:17
> Subject: [Assp-test] Multiple From headers/regex based on localdomains
> ------------------------------
>
>
>
> Hi,
>
>
>
> I’ve a couple of fun ones at the moment. Basically I’m getting reports of
> phishing emails that get past everything.
>
>
>
> The headers are like this:
>
>
>
> Reply-to: Sender Name <n...@recipientdomain.tld-1.me>
>
> To: recipi...@recipientdomain.tld
>
> From: Sender Name <f...@domain.tld>
>
> From: Sender Name <f...@domain2.tld>
>
> From: Sender Name <actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld>
>
>
>
> These bypass no spoofing as none of the from/SMTP header domains are
> actually the recipient domain. Annoyingly, Outlook chooses the Reply-to
> address to display so it appears almost legitimate.
>
>
>
> I’m aware that the RFCs allow multiple From headers, though I can’t see
> any legitimate reason for this, so I was considering blocking or increasing
> the spam score based on this – is this possible with ASSP at the moment or not?
>
>
>
> The second thing I was looking at doing was coming up with a regex.
> Essentially, all recipient domains are in localdomains.txt, so I’d want a
> regex that would take all lines from localdomains. If the Reply-To or SMTP
> From address is a line from localdomains with anything else after it, then
> bin it. I accept that there may in some extremely obscure cases be a clash
> with a legitimate domain, but I do not believe that to be likely. I’ll have a
> look next week to see if I can figure out a way to do it, but if there’s
> something obvious you could let me know, that’d be great.
>
>
>
> All the best,
>
> Colin.
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
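Added example, not ASSP code and not from any poster in this thread: a small Python implementation of the two checks discussed above, Thomas's proposed DoNoFrom fault counting (missing, invalid or repeated From:/Sender: headers) and Colin's look-alike check (a Reply-To or envelope-sender domain that begins with an entry from localdomains and carries extra characters), run over constructed headers modelled on the ones quoted. The local-domain list, the placeholder local parts, and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for localdomains.txt (assumption, not a real list).
LOCAL_DOMAINS = ["recipientdomain.tld", "example.org"]

# Constructed headers modelled on the thread; local parts are placeholders.
SAMPLE_MSG = (
    "Reply-To: Sender Name <name@recipientdomain.tld-1.me>\n"
    "To: recipient@recipientdomain.tld\n"
    "From: Sender Name <name@domain.tld>\n"
    "From: Sender Name <name@domain2.tld>\n"
    "From: Sender Name\n <smtpfrom@legitimatebutcompromiseddomain.tld>\n"
    "Subject: Payment request\n\nPlease pay the attached invoice today.\n"
)
# Minimal mailbox syntax: one '@', a dotted domain, no whitespace or brackets.
ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def header_faults(raw_msg: str) -> int:
    """Faults as in the proposed DoNoFrom check: From:/Sender: both absent,
    a header without a valid mailbox, or repeated copies of the same header."""
    msg = message_from_string(raw_msg)
    present = {h: msg.get_all(h) or [] for h in ("From", "Sender")}
    faults = 0 if any(present.values()) else 1  # both headers missing
    for values in present.values():
        faults += max(len(values) - 1, 0)  # one fault per extra copy
        faults += sum(1 for v in values if not ADDR_RE.match(parseaddr(v)[1]))
    return faults  # caller multiplies by nofromValencePB for the score

def lookalike_pattern(local_domains):
    """Match a domain that starts with a local domain but carries extra
    characters after it (recipientdomain.tld-1.me); exact matches pass."""
    if not local_domains:
        return re.compile(r"(?!)")  # never matches when the list is empty
    alts = "|".join(re.escape(d) for d in local_domains)
    return re.compile(rf"^(?:{alts})\S+$", re.IGNORECASE)

def lookalike_headers(raw_msg: str, envelope_from: str, local_domains):
    """Labels of the address sources (envelope MAIL FROM, Reply-To, From,
    Sender) whose domain is a look-alike of a local domain."""
    msg = message_from_string(raw_msg)
    pat = lookalike_pattern(local_domains)
    sources = [("MAIL FROM", envelope_from)]
    for h in ("Reply-To", "From", "Sender"):
        sources += [(h, v) for v in msg.get_all(h) or []]
    return [label for label, value in sources
            if pat.match(parseaddr(value)[1].rpartition("@")[2])]
```

On the sample message header_faults returns 2 (two extra From: copies) and only the Reply-To address is flagged as a look-alike, matching Colin's observation that the SMTP and From domains are real but unrelated.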