Re: Spoofed From: names

2020-04-11 Thread RW
On Sat, 11 Apr 2020 15:16:35 -0400
Rick Cooper wrote:

> On April 11, 2020 3:08:15 PM EDT, RW wrote:
> >On Sat, 11 Apr 2020 19:58:02 +0100
> >RW wrote:
> >
> >>
> >> The first one was cited as a format used in forwarded ham. The
> >> other two are common in spam. 
> >> 
> >> The point of this spamming technique is that many clients show only
> >> the display name in the message list. Consequently the three
> >> headers will display like this:
> >> 
> >> Mr Bill (mb...@legitemail.com)
> >> mb...@legitemail.com
> >> Mr Bill 
> >> 
> >> IMO the middle one is the most convincing as it's exactly what
> >> would have been displayed if that address had been used without a
> >> display name. The last one at least looks like a from header. The
> >> first looks the   
> >
> >... least convincing. 
> >  
> 
> Oddly enough the first is legitimate in a lot of cases. NetSuite, for
> instance, uses that in the display section all the time.

Yes, I know. I meant that it's the least convincing in a spam. 


Re: Spoofed From: names

2020-04-11 Thread Rick Cooper



On April 11, 2020 3:08:15 PM EDT, RW wrote:
>On Sat, 11 Apr 2020 19:58:02 +0100
>RW wrote:
>
>
>> 
>> The first one was cited as a format used in forwarded ham. The other
>> two are common in spam. 
>> 
>> The point of this spamming technique is that many clients show only
>> the display name in the message list. Consequently the three headers
>> will display like this:
>> 
>> Mr Bill (mb...@legitemail.com)
>> mb...@legitemail.com
>> Mr Bill 
>> 
>> IMO the middle one is the most convincing as it's exactly what would
>> have been displayed if that address had been used without a display
>> name. The last one at least looks like a from header. The first looks
>> the 
>
>... least convincing. 
>

Oddly enough the first is legitimate in a lot of cases. NetSuite, for instance,
uses that in the display section all the time.

>I don't know what happened there, it got sent before I'd finished.
>
>Basically it seems likely that different formats will have different
>statistics.
>
>There's no need for any of this to be added to any plugin, it's easiest
>to simply meta header regexes with the plugin result.


Re: Spoofed From: names

2020-04-11 Thread RW
On Sat, 11 Apr 2020 19:58:02 +0100
RW wrote:


> 
> The first one was cited as a format used in forwarded ham. The other
> two are common in spam. 
> 
> The point of this spamming technique is that many clients show only
> the display name in the message list. Consequently the three headers
> will display like this:
> 
> Mr Bill (mb...@legitemail.com)
> mb...@legitemail.com
> Mr Bill 
> 
> IMO the middle one is the most convincing as it's exactly what would
> have been displayed if that address had been used without a display
> name. The last one at least looks like a from header. The first looks
> the 

... least convincing. 

I don't know what happened there, it got sent before I'd finished.

Basically it seems likely that different formats will have different
statistics.

There's no need for any of this to be added to any plugin, it's easiest
to simply meta header regexes with the plugin result.


Re: Spoofed From: names

2020-04-11 Thread RW
On Sat, 11 Apr 2020 11:46:04 -0600
Grant Taylor wrote:

> On 4/11/20 9:49 AM, RW wrote:
> > I see that the plugin rules don't distinguish between the
> > irresponsible format of:
> >
> >   From: "Mr Bill (mb...@legitemail.com)"
> >
> > and more seriously deceptive formats like:
> >
> >   From: "mb...@legitemail.com"
> >   From: "Mr Bill "
> 
> I feel like all three examples that you have provided include an
> actual usable email address in the human friendly name of the From:
> header.  In my opinion, anything else in the double quotes is largely
> window dressing.  As such, I think that it doesn't matter if the
> email address is in (...) or <...> or bare.  The Mr Bill prefix also
> doesn't matter.
> 
> Given the above opinion, I would consider all three of these human 
> friendly names to be effectively identical.

The first one was cited as a format used in forwarded ham. The other
two are common in spam. 

The point of this spamming technique is that many clients show only the
display name in the message list. Consequently the three headers will
display like this:

Mr Bill (mb...@legitemail.com)
mb...@legitemail.com
Mr Bill 

IMO the middle one is the most convincing as it's exactly what would
have been displayed if that address had been used without a display
name. The last one at least looks like a from header. The first looks
the 
> So, what would you like the plugin to do differently?  How do you
> think the three examples should be handled?


RE: Spoofed From: names

2020-04-11 Thread Rick Cooper
Grant Taylor wrote:
> On 4/11/20 9:49 AM, RW wrote:
>> I see that the plugin rules don't distinguish between the
>> irresponsible format of: 
>>
>>   From: "Mr Bill (mb...@legitemail.com)"
>>
>> and more seriously deceptive formats like:
>>
>>   From: "mb...@legitemail.com"
>>   From: "Mr Bill "
> 
> I feel like all three examples that you have provided include an
> actual usable email address in the human friendly name of the From:
> header.  In my opinion, anything else in the double quotes is largely
> window dressing.  As such, I think that it doesn't matter if the
> email address is in (...) or <...> or bare.  The Mr Bill prefix also
> doesn't matter. 
> 
> Given the above opinion, I would consider all three of these human
> friendly names to be effectively identical.
> 
> So, what would you like the plugin to do differently?  How do you
> think the three examples should be handled?

I think RW makes a valid point. I just rewrote my plugin to hit one of two
rules depending on if the address is formatted as "m...@mine.com" vs
"Fname Lname (va...@mine.com)" (give or take the parenthesis).

Because the second one is more commonly used for valid purposes (hence
needing the ability to whitelist an address or domain). The first example I
have never seen used in a legit fashion myself. So if it hits the first rule
that is a high hit, well above threshold, and the second rule is bypassed (no
double dip). Hit the second rule and it's a moderate bump.

Rick


Re: Spoofed From: names

2020-04-11 Thread Grant Taylor

On 4/11/20 9:49 AM, RW wrote:
> I see that the plugin rules don't distinguish between the irresponsible
> format of:
>
>    From: "Mr Bill (mb...@legitemail.com)"
>
> and more seriously deceptive formats like:
>
>    From: "mb...@legitemail.com"
>    From: "Mr Bill "

I feel like all three examples that you have provided include an actual 
usable email address in the human friendly name of the From: header.  In 
my opinion, anything else in the double quotes is largely window 
dressing.  As such, I think that it doesn't matter if the email address 
is in (...) or <...> or bare.  The Mr Bill prefix also doesn't matter.


Given the above opinion, I would consider all three of these human 
friendly names to be effectively identical.


So, what would you like the plugin to do differently?  How do you think 
the three examples should be handled?




--
Grant. . . .
unix || die





Re: Spoofed From: names

2020-04-11 Thread Pedro David Marco
As far as I remember (as Grant, I need my caffeine truck as well), there are some
MS Outlook CVEs related to the way MS Outlook shows the "From:" information, to
the extent of showing just some "piece" of it...
So this kind of "From:" may have significant impact on unpatched computers...
---Pedreter.
On Saturday, April 11, 2020, 05:50:05 PM GMT+2, RW wrote:
> On Thu, 9 Apr 2020 16:17:51 -0400
> Kevin A. McGrail wrote:
> > On 4/9/2020 10:16 AM, micah anderson wrote:
> > > What is the current state of the art for dealing with tricking
> > > people in the From with the "Name" part? For example:
> > Hi Micah, I believe the FromNameSpoof plugin is the current state of
> > the art.
>
> I see that the plugin rules don't distinguish between the irresponsible
> format of:
>
>   From: "Mr Bill (mb...@legitemail.com)"
>
> and more seriously deceptive formats like:
>
>   From: "mb...@legitemail.com"
>   From: "Mr Bill "


Re: Spoofed From: names

2020-04-11 Thread RW
On Thu, 9 Apr 2020 16:17:51 -0400
Kevin A. McGrail wrote:

> On 4/9/2020 10:16 AM, micah anderson wrote:
> > What is the current state of the art for dealing with tricking
> > people in the From with the "Name" part? For example:  
> Hi Micah, I believe the FromNameSpoof plugin is the current state of
> the art.
> 

I see that the plugin rules don't distinguish between the irresponsible
format of:

  From: "Mr Bill (mb...@legitemail.com)" 

and more seriously deceptive formats like:

  From: "mb...@legitemail.com" 
  From: "Mr Bill "
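As an added example (not code from the thread or from the FromNameSpoof plugin), here is a Python classifier for the three display-name formats RW lists above, scored along the lines of the two-rule scheme Rick Cooper describes in his reply; the rule weights, the `crm.example` allow-list domain and the `.example` sample addresses are assumed, constructed values.

```python
import re
from email.utils import parseaddr

# Anything that looks like an e-mail address inside the display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed weights, not the plugin's: the bare and angle-bracket forms are the
# deceptive ones in the thread; the parenthesised form also turns up in
# forwarded ham, so it only gets a moderate bump.
WEIGHTS = {"bare": 5.0, "angle": 5.0, "paren": 1.5, "other": 1.5, "plain": 0.0}

# Hypothetical allow-list of sender domains whose display names legitimately
# carry an address in parentheses (the NetSuite case in the thread).
ALLOW_DOMAINS = {"crm.example"}


def classify_from(header):
    """Return (form, embedded, real, mismatch) for one From: header value.

    form is plain/paren/bare/angle/other, embedded is the address found inside
    the display name, real is the actual sender, mismatch is True if they differ.
    """
    value = re.sub(r"^\s*From:\s*", "", header, flags=re.I)
    name, real = parseaddr(value)
    found = ADDR_RE.findall(name)
    if not found:
        return "plain", None, real, False
    embedded = found[0]
    if re.search(r"<\s*" + re.escape(embedded) + r"\s*>", name):
        form = "angle"
    elif re.search(r"\(\s*" + re.escape(embedded) + r"\s*\)", name):
        form = "paren"
    elif name.strip().lower() == embedded.lower():
        form = "bare"
    else:
        form = "other"
    return form, embedded, real, embedded.lower() != real.lower()


def score_from(header):
    """Two-rule scoring: a deceptive form hits hard, the parenthesised form gets
    a moderate bump, and nothing fires when the embedded address is the real
    sender or the sender domain is allow-listed (no double dip)."""
    form, embedded, real, mismatch = classify_from(header)
    if not mismatch or real.rsplit("@", 1)[-1].lower() in ALLOW_DOMAINS:
        return 0.0
    return WEIGHTS[form]
```

Feeding the three thread formats through `score_from` gives the parenthesised form a moderate score and the bare and angle-bracket forms the high one, while a header whose display-name address equals the real sender scores zero.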