Makes sense to me. Just trying to check off boxes on open items for 3.4.2 release.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Sat, Aug 25, 2018 at 9:08 AM, David Jones <djo...@ena.com> wrote:
> On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
>
>> On 1/18/2018 6:52 AM, Pedro David Marco wrote:
>>
>>> David,
>>>
>>> This rule can do the full job... I have tested it with good results.
>>> (Can be tested here: https://regex101.com/r/Vpmhjz/3 )
>>>
>>> It checks if the level domain next to the TLD in the From:name matches
>>> the domain next to the TLD in From:email
>>>
>>> header   FROM_DOMAINS_MISMATCH  From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
>>> describe FROM_DOMAINS_MISMATCH  Domain name mismatch in From header
>>>
>> Did this ever get considered for a sandbox?
>>
>> Alan Hodgson also had a good post on one but not tested.
>> Regards,
>> KAM
>>
>
> I am not sure this is going to be worth as a sandbox rule. There are going
> to be a high number of system-generated and mass-marketing emails that
> aren't going to match the From: header.
>
> From my experience, this is a local rule that detects high-value display
> names in phishing attempts. For example, the C-level executive's name as
> the Display Name when it comes from gmail.com to the Finance department
> to wire money.
>
> From: "CEO Name Here" <john...@gmail.com>
>
> Also, DMARC is supposed to help with this spoofing of the From: header. I
> handle this locally with OpenDMARC adding headers used in an SA meta rule.
> This is the best way to handle this until SA natively supports DMARC.
>
> --
> David Jones
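To see what Pedro's regex actually does on a From: header (SpamAssassin applies it with `!~`, so the rule fires when the regex fails to match), here is an added check script that is not part of the thread or of SpamAssassin: it runs the posted regex over constructed From: values and, beside it, a plain implementation of the comparison Pedro describes (label next to the TLD in an address-like display name versus the real address). The helper names and the sample headers are mine.

```python
import re

# Pedro David Marco's posted rule body, transcribed from the thread above.
# SpamAssassin applies it with "!~", so the rule fires when the regex does NOT match.
FROM_DOMAINS_MISMATCH_RE = re.compile(
    r"(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)"
)

# Helper names below are hypothetical (mine), not SpamAssassin's.
_HEADER_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^>]+)>\s*$")
_ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def pedro_rule_hits(from_header: str) -> bool:
    """True when FROM_DOMAINS_MISMATCH would fire on this From: header value."""
    return FROM_DOMAINS_MISMATCH_RE.search(from_header) is None


def label_next_to_tld(domain: str) -> str:
    """'example' for mail.example.com. Simplification: the last label is taken
    as the TLD, so multi-part suffixes such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def display_name_domain_mismatch(from_header: str):
    """Plain version of the comparison Pedro describes: compare the label next
    to the TLD of an address-like token in the display name with the same label
    of the real address. Returns None when the display name carries no
    address-like token, so ordinary headers are left alone."""
    m = _HEADER_RE.match(from_header)
    if not m or "@" not in m.group("addr"):
        return None
    in_name = _ADDR_IN_NAME_RE.search(m.group("name"))
    if not in_name:
        return None
    real_domain = m.group("addr").rsplit("@", 1)[1]
    return label_next_to_tld(in_name.group(1)) != label_next_to_tld(real_domain)


if __name__ == "__main__":
    # Constructed sample From: header values, not taken from real mail.
    samples = [
        '"ceo@example.com" <attacker@gmail.com>',    # display name impersonates
        '"ceo@example.com" <ceo@example.com>',       # consistent
        '"ceo@mail.example.com" <ceo@example.com>',  # consistent across subdomain
        '"John Smith" <john@example.com>',           # no address in display name
    ]
    for s in samples:
        print(f"{s!r:48} regex rule hits: {pedro_rule_hits(s)!s:5} "
              f"intent mismatch: {display_name_domain_mismatch(s)}")
```

The last sample is the case David raises: the posted regex needs an `@` before the `<`, so with `!~` it also fires on a display name that contains no address at all, whereas the intent-based check returns None there.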