Re: FROM header with two email addresses

2017-10-24 Thread Karsten Bräckelmann
On Tue, 2017-10-24 at 13:22 +0200, Merijn van den Kroonenberg wrote:
> > Hello all, I was the original poster of this topic but was away for a
> > couple of days.
> > I find it amazing to see the number of suggestions and ideas that have
> > come up here.
> > 
> > However none of the constructions matched "my" From: lines of the form
> > 
> > From: "Firstname Lastname@"  > sendern...@real-senders-domain.com
> > >

> My comments in this mail are only about the
> "us...@companya.com" 
> situation, not about actual double from addresses.

Indeed, in this thread multiple different forms of "email address alike
in From: sender real name" have surfaced. This type is occasionally
used to try to look legit by using real, valid addresses of the
recipient's domain (a colleague) instead of a real name, which is harder
to get correct and easier for humans to spot irregularities in.

The OP's form looks like a broken From header and an intermediate SMTP
choking on and rewriting it.


-- 
Karsten Bräckelmann  -- open source. hacker. assassin.


Re: FROM header with two email addresses

2017-10-24 Thread Merijn van den Kroonenberg
> Hello all, I was the original poster of this topic but was away for a
> couple of days.
> I find it amazing to see the number of suggestions and ideas that have
> come up here.
>
> However none of the constructions matched "my" From: lines of the form
>
> From: "Firstname Lastname@"  sendern...@real-senders-domain.com
> >
>
> I therefore now constructed the following rules:
>
> describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
> header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
> describe __FROM_MULTIPLE_ADDR address part of FROM contains more than
> one mail address (additional text)
> header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>

My comments in this mail are only about the
"us...@companya.com" 
situation, not about actual double from addresses.

> describe __FROM_NAME_ADDRESS_EQUAL constructions like
> "us...@companya.com" 
> header  __FROM_NAME_ADDRESS_EQUAL From =~
> /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
> header  __FROM_NAME_CONTAINS_ADDRESS From =~
> /["']?(\w+@\w+\.\w+)["']?\s*\
"us...@company-a.com" 

And give false positive on:
"first.l...@companya.com" 
(or other non word chars in the user part)

So you could allow more characters in the user part of the e-mail address
and dots and dashes in the domain part. Also anchor the beginning to
prevent partial matches (which caused the false positives on
first.l...@companya.com instead of just not hitting at all).

header  __FROM_NAME_ADDRESS_EQUAL From =~
/^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\<\1\>/i
header  __FROM_NAME_CONTAINS_ADDRESS From =~
/^["']?([\w\.\+\-]+@[\w\-\.]+\.\w+)["']?\s*\
> meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
> meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && !
> __FROM_NAME_ADDRESS_EQUAL

It looks like the FROM_SPOOF_SENDER2 rule has the same intention as a rule
currently in testing: T_PDS_FROM_2_EMAILS

which is in John Hardin's sandbox with the note: Paul Stead on SA list 11/2014

header __PDS_FROM_2_EMAILS  From =~
/^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta   PDS_FROM_2_EMAILS  __PDS_FROM_2_EMAILS && !__VIA_ML &&
!__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD



> meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS &&
> __FROM_NAME_ADDRESS_EQUAL
>
> (the last META could even get a slightly negative score, I occasionally
> see people entering their email address in the name field).
>
> and am now waiting to see some hits. I consider the risk of false
> positives low in this case, if these METAs are matched somebody is
> trying to trick you.
>
> Regards JC
>
>




Re: FROM header with two email addresses

2017-10-17 Thread RW
On Mon, 16 Oct 2017 13:19:06 -0400
Mark London wrote:

> Hi - I received a spam message with the following double From address:
> 
> From: struth...@psfc.mit.edu, "Lorraine M."
> 
> 
> But neither of the 2 previously suggested rules were triggered by
> it. I'm sure a simple modification to the rules will cause it to
> trigger.

Those rules are looking for an email address in the display name plus
a specific RFC violation; so they only hit a subset of that type. This
one is quite different.

> Can we get an official rule to test for invalid double addresses?


It's unusual, but it's not an invalid header. An email can have
multiple authors in the from header provided there is a Sender header.

It was discussed here:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6781 


It does seem to be triggering a bug in SA.

From: struth...@psfc.mit.edu, "Lorraine M." 

is parsed as one address


__FROM_ADDR ==> got hit: "alexa.mora...@glcamerica.com"
__FROM_NAME ==> got hit: "struth...@psfc.mit.edu, Lorraine M."


Reported here:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7479
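To make the regex discussion in this thread concrete, here is an added Python script (mine, not code from the thread or from SpamAssassin) that emulates SA's From:name / From:addr split with the stdlib parser, runs Jakob's original patterns and Merijn's anchored ones over constructed headers, and shows the "first.last@..." false positive disappearing; it also parses a two-author header like Mark London's, which a correct RFC 5322 parse splits into two addresses (unlike the single-address parse RW reports from SA). Assumptions: the stdlib parser stands in for SA's header parsing, the truncated __FROM_NAME_CONTAINS_ADDRESS pattern ends in `\<`, and every address is a constructed placeholder.

```python
"""Emulate the SpamAssassin From: checks from this thread on constructed headers.

Added example, not code from the thread or from SpamAssassin.  Assumption: the
stdlib address parser is a close enough stand-in for SA's From:name / From:addr
split on the well-formed headers used here.
"""
import re
from email.utils import getaddresses


def split_from(header):
    """Return (name_part, addr_part), roughly SA's From:name and From:addr.

    Several mailboxes are joined with a space, so a two-author header puts a
    whitespace character into the address part, which __FROM_MULTIPLE_ADDR
    (From:addr =~ /\\s/) is built to notice.
    """
    pairs = getaddresses([header])
    name = " ".join(n for n, _ in pairs if n)
    addr = " ".join(a for _, a in pairs if a)
    return name, addr


# Sub-rules from Jakob Curdes' post.  Perl's escaped `\<` / `\>` are written
# as plain `<` / `>`, which Python's re treats identically.
NAME_CONTAINS_AT = re.compile(r"@")          # From:name =~ /\@/
MULTIPLE_ADDR = re.compile(r"\s")            # From:addr =~ /\s/

# Jakob's original patterns: unanchored, and only \w in user and domain parts.
# __FROM_NAME_CONTAINS_ADDRESS is cut off in the archive; assumed to end in `\<`.
ORIG_EQUAL = re.compile(r"""["']?(\w+@\w+\.\w+)["']?\s*<\1>""", re.I)
ORIG_CONTAINS = re.compile(r"""["']?(\w+@\w+\.\w+)["']?\s*<""", re.I)

# Merijn van den Kroonenberg's tightened versions: anchored at the start of the
# header and allowing dots, plus and dashes in the user part and dots/dashes in
# the domain, so "first.last@..." is captured whole rather than from the dot on.
FIXED_EQUAL = re.compile(r"""^["']?([\w.+\-]+@[\w\-.]+\.\w+)["']?\s*<\1>""", re.I)
FIXED_CONTAINS = re.compile(r"""^["']?([\w.+\-]+@[\w\-.]+\.\w+)["']?\s*<""", re.I)


def evaluate(header, anchored=True):
    """Return the set of sub-rule and meta-rule names that hit for one From: value."""
    name, addr = split_from(header)
    equal_re, contains_re = (FIXED_EQUAL, FIXED_CONTAINS) if anchored else (ORIG_EQUAL, ORIG_CONTAINS)
    sub = {
        "__FROM_NAME_CONTAINS_AT": bool(NAME_CONTAINS_AT.search(name)),
        "__FROM_MULTIPLE_ADDR": bool(MULTIPLE_ADDR.search(addr)),
        "__FROM_NAME_ADDRESS_EQUAL": bool(equal_re.search(header)),
        "__FROM_NAME_CONTAINS_ADDRESS": bool(contains_re.search(header)),
    }
    # Meta rules exactly as Jakob combined them.
    meta = {
        "FROM_SPOOF_SENDER1": sub["__FROM_NAME_CONTAINS_AT"] and sub["__FROM_MULTIPLE_ADDR"],
        "FROM_SPOOF_SENDER2": sub["__FROM_NAME_CONTAINS_ADDRESS"] and not sub["__FROM_NAME_ADDRESS_EQUAL"],
        "FROM_ADDRESS_TWICE": sub["__FROM_NAME_CONTAINS_ADDRESS"] and sub["__FROM_NAME_ADDRESS_EQUAL"],
    }
    return {rule for rule, hit in {**sub, **meta}.items() if hit}


# Constructed sample From: values (field body only); every address is a placeholder.
SAMPLES = {
    # Legitimate user who typed their address into the name field.
    "plain_twice": '"user@companya.example" <user@companya.example>',
    # Same, with a dot in the user part: Merijn's false-positive case.
    "dotted_twice": '"first.last@companya.example" <first.last@companya.example>',
    # Stand-in for the OP's header: an @ inside a quoted display name.
    "name_with_at": '"Firstname Lastname@recipient-domain.example" <sender@real-senders-domain.example>',
    # Stand-in for Mark London's two-author header (legal when a Sender: header is present).
    "two_authors": 'struthers@psfc.example, "Lorraine M." <alexa.morales@glcamerica.example>',
}


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}:")
        print("  original patterns:", sorted(evaluate(value, anchored=False)))
        print("  anchored patterns:", sorted(evaluate(value, anchored=True)))
```

With the unanchored patterns the dotted address fires FROM_SPOOF_SENDER2 (the false positive Merijn describes); with the anchored ones it fires FROM_ADDRESS_TWICE instead, and the two-author header only trips __FROM_MULTIPLE_ADDR.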



Re: FROM header with two email addresses

2017-10-16 Thread Mark London

Hi - I received a spam message with the following double From address:

From: struth...@psfc.mit.edu, "Lorraine M." 

But neither of the 2 previously suggested rules were triggered by it.   
I'm sure a simple modification to the rules will cause it to trigger.


Can we get an official rule to test for invalid double addresses? Do I 
need to open a ticket? - Mark



header  __FROM_QUOTES       From =~ /"/
header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES




describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign

header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than 
one mail address (additional text)

header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like 
"us...@companya.com" 
header  __FROM_NAME_ADDRESS_EQUAL From =~ 
/["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header  __FROM_NAME_CONTAINS_ADDRESS From =~ 
/["']?(\w+@\w+\.\w+)["']?\s*\

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && ! 
__FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && 
__FROM_NAME_ADDRESS_EQUAL






Re: FROM header with two email addresses

2017-10-05 Thread Jakob Curdes

On Thu, 5 Oct 2017 07:38:23 -0400
Kevin A. McGrail wrote:


On 10/5/2017 7:19 AM, Jakob Curdes wrote:

Not a lot, but the trick is that Outlook displays both parts, and
users think that it is an internal mail because the "Firstname
Lastname" is real in the company and the "recipient-domain.com" is
the real recipient domain.
So it is a trick to circumvent SPF denials which prevent a spammer
from sending "internal" mails from external addresses.
So I think it is not a mistake, I suppose this is carefully crafted
to achieve exactly this result.

I can also confirm user behavior consistent with your description of
this issue as well where it tricked them into thinking it was an
internal message.  We had 1 case as well that this thread
coincidentally hit.

So while the spam engine rule is nice, a rule to work on 2 email
address in the from header that is generic is likely still an
indicator of spam that is a "good idea"(tm).

It's not two addresses, it's a single address with a space in it. It's
actually a legal header, but in the real world it's as rare as hen's
teeth:

 From:addr =~ /\s/

is probably worth scoring in its own right, but it could be combined
with a test for the @ in the display name.

Well my

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR

does exactly this. I did not want to assign a single score as we do not 
know who else (legit mass mailers..) might construct strange display 
names or strangely formatted address fields.


JC



Re: FROM header with two email addresses

2017-10-05 Thread RW
On Thu, 5 Oct 2017 07:38:23 -0400
Kevin A. McGrail wrote:

> On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> > Not a lot, but the trick is that Outlook displays both parts, and 
> > users think that it is an internal mail because the "Firstname 
> > Lastname" is real in the company and the "recipient-domain.com" is
> > the real recipient domain.
> > So it is a trick to circumvent SPF denials which prevent a spammer 
> > from sending "internal" mails from external addresses.
> > So I think it is not a mistake, I suppose this is carefully crafted
> > to achieve exactly this result.   
> 
> I can also confirm user behavior consistent with your description of 
> this issue as well where it tricked them into thinking it was an 
> internal message.  We had 1 case as well that this thread
> coincidentally hit.
> 
> So while the spam engine rule is nice, a rule to work on 2 email
> address in the from header that is generic is likely still an
> indicator of spam that is a "good idea"(tm).

It's not two addresses, it's a single address with a space in it. It's
actually a legal header, but in the real world it's as rare as hen's
teeth:

From:addr =~ /\s/

is probably worth scoring in its own right, but it could be combined
with a test for the @ in the display name.   


Re: FROM header with two email addresses

2017-10-05 Thread Kevin A. McGrail

On 10/5/2017 7:19 AM, Jakob Curdes wrote:
Not a lot, but the trick is that Outlook displays both parts, and 
users think that it is an internal mail because the "Firstname 
Lastname" is real in the company and the "recipient-domain.com" is the 
real recipient domain.
So it is a trick to circumvent SPF denials which prevent a spammer 
from sending "internal" mails from external addresses.
So I think it is not a mistake, I suppose this is carefully crafted to 
achieve exactly this result. 


I can also confirm user behavior consistent with your description of 
this issue as well where it tricked them into thinking it was an 
internal message.  We had 1 case as well that this thread coincidentally 
hit.


So while the spam engine rule is nice, a rule to work on 2 email address 
in the from header that is generic is likely still an indicator of spam 
that is a "good idea"(tm).


Regards,

KAM



Re: FROM header with two email addresses

2017-10-05 Thread Jakob Curdes



Hello all, I was the original poster of this topic but was away for a
couple of days.
I find it amazing to see the number of suggestions and ideas that
have come up here.

However none of the constructions matched "my" From: lines of the form

From: "Firstname Lastname@" mailto:sendern...@real-senders-domain.com>>


Are you getting a lot of these? It looks more like a mistake than a
tactic.


Not a lot, but the trick is that Outlook displays both parts, and users 
think that it is an internal mail because the "Firstname Lastname" is 
real in the company and the "recipient-domain.com" is the real recipient 
domain.
So it is a trick to circumvent SPF denials which prevent a spammer from 
sending "internal" mails from external addresses.
So I think it is not a mistake, I suppose this is carefully crafted to 
achieve exactly this result.


JC




Re: FROM header with two email addresses

2017-10-05 Thread RW
On Thu, 5 Oct 2017 12:41:26 +0200
Jakob Curdes wrote:

> Hello all, I was the original poster of this topic but was away for a 
> couple of days.
> I find it amazing to see the number of suggestions and ideas that
> have come up here.
> 
> However none of the constructions matched "my" From: lines of the form
> 
> From: "Firstname Lastname@"  sendern...@real-senders-domain.com 
> >
> 

Are you getting a lot of these? It looks more like a mistake than a
tactic.


Re: FROM header with two email addresses

2017-10-05 Thread Jakob Curdes
Hello all, I was the original poster of this topic but was away for a 
couple of days.
I find it amazing to see the number of suggestions and ideas that have 
come up here.


However none of the constructions matched "my" From: lines of the form

From: "Firstname Lastname@" sendern...@real-senders-domain.com 
>


I therefore now constructed the following rules:

describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header  __FROM_NAME_CONTAINS_AT From:name =~ /\@/
describe __FROM_MULTIPLE_ADDR address part of FROM contains more than 
one mail address (additional text)

header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like 
"us...@companya.com" 
header  __FROM_NAME_ADDRESS_EQUAL From =~ 
/["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header  __FROM_NAME_CONTAINS_ADDRESS From =~ 
/["']?(\w+@\w+\.\w+)["']?\s*\

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && ! 
__FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && 
__FROM_NAME_ADDRESS_EQUAL


(the last META could even get a slightly negative score, I occasionally 
see people entering their email address in the name field).


and am now waiting to see some hits. I consider the risk of false 
positives low in this case, if these METAs are matched somebody is 
trying to trick you.


Regards JC



Re: FROM header with two email addresses

2017-10-04 Thread Michael Storz

On 2017-10-02 19:43, David Jones wrote:

On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:


I recently stumbled onto a mail with a Spam link where the FROM 
header field looked like this:


From: "Firstname Lastname@" sendern...@real-senders-domain.com>


Jakob, just wanted to let you know I identified this issue as well and 
just opened a ticket about it yesterday to try and figure out a rule 
against it.  Can you send me spamples via pastebin, please?



Regards,
KAM



I am seeing this more and more on my SA filters and being reported by
my customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba



These are typical examples of the emails sent by a botnet since at 
least May this year. You can catch these mostly with a simple rule:


header __LRZ_BND_MS  Content-Type =~ 
/boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/

header __LRZ_MSGID_SPAM_99  MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta   LRZ_HEADER_SPAM_99   (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

Regards,
Michael


Re: FROM header with two email addresses

2017-10-02 Thread Martin Gregorie
On Mon, 2017-10-02 at 23:18 +0200, Benny Pedersen wrote:
> John Hardin wrote on 2017-10-02 23:13:
> 
> > Where?  \w is not case-sensitive.
> 
> perfect then, I had not known that, still learning
>
Do you have a copy of the 'Camel Book'? AKA "Programming Perl" by Larry
Wall, Tom Christiansen & Jon Orwant, pub O'Reilly.

If you don't have it, you need a copy. It's never failed to explain
anything I've needed to know about Perl and its chapter on regexes will
help you to solve all regex-based SA rule problems. 

Or there's an online reference: http://www.regular-expressions.info/

Also worth knowing:
 
- if you're running Linux, you can use the grep command to test
  regexes. Use the -P or --perl-regexp option to make grep use Perl
  regexes, so it is possible to quickly test regexes you want to use
  in SA rules by running the spam, saved as a file, through the
 
 grep -P 'regex' https://regex101.com/ 
  by typing in your regex and then pasting the relevant part of the
  spam message you're testing against into its 'Test String' box.

Martin



Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

John Hardin wrote on 2017-10-02 23:13:


Where?  \w is not case-sensitive.


perfect then, I had not known that, still learning


Re: FROM header with two email addresses

2017-10-02 Thread John Hardin

On Mon, 2 Oct 2017, Benny Pedersen wrote:


 John Hardin wrote on 2017-10-02 21:07:


 How about:

 header  __FROM_QUOTES   From =~ /"/
 header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
 meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES

 (warning: totally untested)


+1

I can only see one problem with it, that is that email addresses are 
case-insensitive, and you test case-sensitive


Where?  \w is not case-sensitive.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Homeland Security: Specializing in Tactical Band-aids
  for Strategic Problems. -- Eric K. in Bruce Schneier's blog
---
 186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

John Hardin wrote on 2017-10-02 21:07:


How about:

header  __FROM_QUOTES   From =~ /"/
header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)


+1

I can only see one problem with it, that is that email addresses are 
case-insensitive, and you test case-sensitive


it is basically a rule I like to keep


Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

David Jones wrote on 2017-10-02 20:54:


I have gone back to my original rule that catches senders that put an
email address in the Display Name and do not have quotes.


also matches what I see: non-spam has " around from:name while spam 
does not


testing if there is an @ in from:name is a 2nd test to possibly use in a meta


Re: FROM header with two email addresses

2017-10-02 Thread John Hardin

On Mon, 2 Oct 2017, David Jones wrote:


On 10/02/2017 01:11 PM, John Hardin wrote:

 On Mon, 2 Oct 2017, David Jones wrote:

>  On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
> > 
> > >   I recently stumbled onto a mail with a Spam link where the FROM 
> > header >   field looked like this:
> > > >   From: "Firstname Lastname@"  
> >  sendern...@real-senders-domain.com>
> > 
> >   Jakob, just wanted to let you know I identified this issue as well 
> >  and

> >   just opened a ticket about it yesterday to try and figure out a rule
> >   against it.  Can you send me spamples via pastebin, please?
> > 
> > 
> >   Regards,

> >   KAM
> > 
> 
>  I am seeing this more and more on my SA filters and being reported by my 
>  customers:
> 
>  https://pastebin.com/f07Gq1kZ
> 
>  https://pastebin.com/FMsJNGba
> 
>  This is catching this pretty well so far:
> 
>  header  FROM_SPOOF_EMAIL_DISPLAY    From =~ 
>  /\@[a-z_]+?\.[a-z]{2,3} \
>  describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an 
>  email address in the display name


 You probably want to let SA do the header parsing and write your rule
 against From:name or From:addr instead.



Thank you for the suggestions.  I didn't know about the From:name and 
From:addr parsing by SA.  As it turns out, the double quotes missing are very 
important.  When I use the From:name which properly has the quotes, I am 
hitting many false positives.  It appears that legit sending people or mail 
clients are putting email addresses in their "Display Name". It's the ones 
without quotes that are spam a high percentage of the time in my mail flow.


Not surprising.

I have gone back to my original rule that catches senders that put an email 
address in the Display Name and do not have quotes.


How about:

header  __FROM_QUOTES   From =~ /"/
header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)


 If you're testing your rules in a sandbox using debug mode, this may help:

    header   __FROM_NAME  From:name =~ /.*/
    header   __FROM_ADDR  From:addr =~ /.*/

 That way you can see what's actually being parsed from the header.


 Potentially this might be as simple as:

    header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/

 or

    header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

 No idea how FP-prone those might be, though, so it's probably prudent to
 meta them with other stuff as well...


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

2017-10-02 Thread David Jones

On 10/02/2017 01:11 PM, John Hardin wrote:

On Mon, 2 Oct 2017, David Jones wrote:


On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:


>  I recently stumbled onto a mail with a Spam link where the FROM 
header >  field looked like this:
> >  From: "Firstname Lastname@"   
sendern...@real-senders-domain.com>


 Jakob, just wanted to let you know I identified this issue as well and
 just opened a ticket about it yesterday to try and figure out a rule
 against it.  Can you send me spamples via pastebin, please?


 Regards,
 KAM



I am seeing this more and more on my SA filters and being reported by 
my customers:


https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header  FROM_SPOOF_EMAIL_DISPLAY    From =~ 
/\@[a-z_]+?\.[a-z]{2,3} \
describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an 
email address in the display name


You probably want to let SA do the header parsing and write your rule 
against From:name or From:addr instead.




Thank you for the suggestions.  I didn't know about the From:name and 
From:addr parsing by SA.  As it turns out, the double quotes missing are 
very important.  When I use the From:name which properly has the quotes, 
I am hitting many false positives.  It appears that legit sending people 
or mail clients are putting email addresses in their "Display Name". 
It's the ones without quotes that are spam a high percentage of the time 
in my mail flow.


I have gone back to my original rule that catches senders that put an 
email address in the Display Name and do not have quotes.



If you're testing your rules in a sandbox using debug mode, this may help:

   header   __FROM_NAME  From:name =~ /.*/
   header   __FROM_ADDR  From:addr =~ /.*/

That way you can see what's actually being parsed from the header.


Potentially this might be as simple as:

   header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/

or

   header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

No idea how FP-prone those might be, though, so it's probably prudent to 
meta them with other stuff as well...




--
David Jones


Re: FROM header with two email addresses

2017-10-02 Thread John Hardin

On Mon, 2 Oct 2017, David Jones wrote:


On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:


>  I recently stumbled onto a mail with a Spam link where the FROM header 
>  field looked like this:
> 
>  From: "Firstname Lastname@" >  sendern...@real-senders-domain.com>


 Jakob, just wanted to let you know I identified this issue as well and
 just opened a ticket about it yesterday to try and figure out a rule
 against it.  Can you send me spamples via pastebin, please?


 Regards,
 KAM



I am seeing this more and more on my SA filters and being reported by my 
customers:


https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header  FROM_SPOOF_EMAIL_DISPLAY  From =~ /\@[a-z_]+?\.[a-z]{2,3} \
describe  FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an email 
address in the display name


You probably want to let SA do the header parsing and write your rule 
against From:name or From:addr instead.


If you're testing your rules in a sandbox using debug mode, this may help:

  header   __FROM_NAME  From:name =~ /.*/
  header   __FROM_ADDR  From:addr =~ /.*/

That way you can see what's actually being parsed from the header.


Potentially this might be as simple as:

  header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/

or

  header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

No idea how FP-prone those might be, though, so it's probably prudent to 
meta them with other stuff as well...



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If you ask amateurs to act as front-line security personnel,
  you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
---
 186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

David Jones wrote on 2017-10-02 19:43:


https://pastebin.com/f07Gq1kZ
https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header  FROM_SPOOF_EMAIL_DISPLAY  From =~ 
/\@[a-z_]+?\.[a-z]{2,3} \
describe  FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an
email address in the display name
score   FROM_SPOOF_EMAIL_DISPLAY  4.2


From:  some...@example.com 

also imho from:name must be with quoted content like

From: "some...@example.com" 

for being RFC valid; was the extra space in From: added by you? I 
have only seen spam bots do this


you miss hits on TLDs with the above tests, which only support 3-char 
TLDs, no?


Re: FROM header with two email addresses

2017-10-02 Thread David Jones

On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:


I recently stumbled onto a mail with a Spam link where the FROM header 
field looked like this:


From: "Firstname Lastname@" sendern...@real-senders-domain.com> 


Jakob, just wanted to let you know I identified this issue as well and 
just opened a ticket about it yesterday to try and figure out a rule 
against it.  Can you send me spamples via pastebin, please?



Regards,
KAM



I am seeing this more and more on my SA filters and being reported by my 
customers:


https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header  FROM_SPOOF_EMAIL_DISPLAY  From =~ 
/\@[a-z_]+?\.[a-z]{2,3} \
describe  FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an 
email address in the display name

score   FROM_SPOOF_EMAIL_DISPLAY  4.2

P.S. I am sure that someone will suggest an improvement to the above 
rule and they are welcome.  I know it won't catch all email addresses 
based on that regex so it probably should be adjusted to handle new TLDs 
with more than 3 characters.


P.S.S. Standard disclaimer to adjust the score down until you have done 
some testing in your environment then score it how you see fit.


--
David Jones


Re: FROM header with two email addresses

2017-09-27 Thread Benny Pedersen

Miles Fidelman wrote on 2017-09-27 20:42:

This could also be an attempt to get a mailing list to work.


I have seen a few mails get DKIM fail from apache.org, very few, but it's 
normally not a DMARC fail for me on this; what is worse is that 
opendmarc still has broken SPF support :(


even google does not care in reports


There's a continuing problem with email list traffic getting bounced
by DKIM, and various work-arounds - the gist is that the mail has to
come from the list manager, but you still need a way to indicate the
original author of the message.  Hacks abound. But basically, DKIM is
just broken.


I have added a patch to opendmarc that ignores domains that have policy 
reject on DMARC if it's a known mailing-list sender MTA; this way I can 
stay on mailing lists and have policy reject. If I turned down to quarantine 
policy, people would not see the forest for the trees


I will still keep the postfix mailing list (never broke DKIM) as a good 
reference


Re: FROM header with two email addresses

2017-09-27 Thread Alan Hodgson
On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote:
> This could also be an attempt to get a mailing list to work.
> 
> There's a continuing problem with email list traffic getting bounced by 
> DKIM, and various work-arounds - the gist is that the mail has to come 
> from the list manager, but you still need a way to indicate the original 
> author of the message.  Hacks abound. But basically, DKIM is just broken.
> 

DKIM works fine. It is in fact working as intended when a signature
fails to validate against a message that has been modified in transit.

Mailing lists or other forwarders that modify signed portions of the
message without taking ownership of the From: header are just not
compatible with DKIM or DMARC-reject senders.

Re: FROM header with two email addresses

2017-09-27 Thread Miles Fidelman

This could also be an attempt to get a mailing list to work.

There's a continuing problem with email list traffic getting bounced by 
DKIM, and various work-arounds - the gist is that the mail has to come 
from the list manager, but you still need a way to indicate the original 
author of the message.  Hacks abound. But basically, DKIM is just broken.


Miles Fidelman


On 9/27/17 12:16 AM, Jakob Curdes wrote:

Hello all,

I recently stumbled onto a mail with a Spam link where the FROM header 
field looked like this:


From: "Firstname Lastname@" sendern...@real-senders-domain.com>


which is displayed in different ways on different devices but most do 
display something resembling an internal from address, maybe with an 
additional second external address.
So it is a way to make users think this is an internal sender - 
probably it gets harder and harder to circumvent the ever-growing SPF 
rejections.

(The real sender domain has a valid SPF and DKIM entry).

I wonder whether it is possible to detect such a header with 
spamassassin means? I only see the following rules that hit:


[BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001 



I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly 
different scope and I would not want to just raise the score for that 
rule, it would probably give many false positives.

This is SpamAssassin 3.3.1 on CentOS 6.

Regards and thanks, JC


--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



Re: FROM header with two email addresses

2017-09-27 Thread Jakob Curdes
On 27.09.2017 16:54, "Kevin A. McGrail" wrote:
 
 I recently stumbled onto a mail with a Spam link where the FROM header field 
looked like this: 
 
 From: "Firstname Lastname@" mailto:sendern...@real-senders-domain.com> 
> 

Jakob, just wanted to let you know I identified this issue as well and just 
opened a ticket about it yesterday to try and figure out a rule against it.  
Can you send me spamples via pastebin, please?

Yes will try to, have to ask customer first though. JC


Re: FROM header with two email addresses

2017-09-27 Thread Benny Pedersen

Kevin A. McGrail wrote on 2017-09-27 16:52:

I recently stumbled onto a mail with a Spam link where the FROM
header field looked like this:

From: "Firstname Lastname@" 


Jakob, just wanted to let you know I identified this issue as well and
just opened a ticket about it yesterday to try and figure out a rule
against it.  Can you send me spamples via pastebin, please?


untested:

header FROM_NAME_HAVE_SNABLE_A From:name =~ /\@/i

who would test this?

the above sample is a double From domain in from:addr and from:name

both should be meta'ed

sorry if my syntax is not right, I'm writing it here on Windows, so sorry, 
just trying to help


Re: FROM header with two email addresses

2017-09-27 Thread Kevin A. McGrail


I recently stumbled onto a mail with a Spam link where the FROM header 
field looked like this:


From: "Firstname Lastname@" sendern...@real-senders-domain.com> 


Jakob, just wanted to let you know I identified this issue as well and 
just opened a ticket about it yesterday to try and figure out a rule 
against it.  Can you send me spamples via pastebin, please?



Regards,
KAM



Re: FROM header with two email addresses

2017-09-27 Thread Bill Cole

On 27 Sep 2017, at 3:16, Jakob Curdes wrote:


Hello all,

I recently stumbled onto a mail with a Spam link where the FROM header 
field looked like this:


From: "Firstname Lastname@" sendern...@real-senders-domain.com>


which is displayed in different ways on different devices but most do 
display something resembling an internal from address, maybe with an 
additional second external address.


Or if the MUA is minimally competent, it displays the whole broken 
pathological From header, not some misparsed deception. But like 
poverty, it seems that Outlook will always be with us...


So it is a way to make users think this is an internal sender - 
probably it gets harder and harder to circumvent the ever-growing SPF 
rejections.

(The real sender domain has a valid SPF and DKIM entry).


SPF has nothing to do with From headers.
I find it amazing that a DKIM implementation would not choke on that 
From, since it is syntactically improper.


I wonder whether it is possible to detect such a header with 
spamassassin means?


A custom rule would work.


I only see the following rules that hit:

[BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001


Ok, so you do realize that URIBL_BLOCKED is a serious problem, right? I 
mean, you're trying to do checks of URL's against a URIDNSBL that won't 
give you a real answer until you fix your DNS, reduce your query volume, 
or pay for a direct datafeed. Fix that problem and you are likely to 
catch a bunch more spam.


I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly 
different scope and I would not want to just raise the score for that 
rule, it would probably give many false positives.


Indeed, NAME_EMAIL_DIFF is not part of the default ruleset, so I'd be 
very careful with it.



This is SpamAssassin 3.3.1 on CentOS 6.


Antique aficionado? :)

I don't think you'd solve this particular case by updating to a modern 
version of SA but it is possible, since there are a number of rules that 
only work in 3.4.x


FROM header with two email addresses

2017-09-27 Thread Jakob Curdes

Hello all,

I recently stumbled onto a mail with a Spam link where the FROM header field 
looked like this:

From: "Firstname Lastname@" 

which is displayed in different ways on different devices but most do display something resembling 
an internal from address, maybe with an additional second external address.
So it is a way to make users think this is an internal sender - probably it gets harder and harder 
to circumvent the ever-growing SPF rejections.

(The real sender domain has a valid SPF and DKIM entry).

I wonder whether it is possible to detect such a header with spamassassin means? I only see the 
following rules that hit:


[BAYES_50=1.85,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.2,FSL_HELO_BARE_IP_2=1.999,NAME_EMAIL_DIFF=1.043,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_NOT_IN_IPREPDNS=0.0001,SPF_PASS=-0.5,URIBL_BLOCKED=0.001

I looked into the NAME_EMAIL_DIFF rule but this seems to be a slightly different scope and I would 
not want to just raise the score for that rule, it would probably give many false positives.

This is SpamAssassin 3.3.1 on CentOS 6.

Regards and thanks, JC