On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote: > Yeah, I see all these same things. Better to test against From:addr > rather than the full From: Perhaps something like: > > From:addr =~ /\@[^\s]+\@/ > > Of course, there might still be legit cases of that kind of usage. >
The problem though for phishes is that some user agents (ie. Outlook) only display the quoted user-friendly part of the address, not the rest of the From: header. So phishers specifically put a fake @domainbeingphished.com in quotes so your users will see that. I don't think I've ever seen multiple @'s in any single address part, not since the mid-90s anyway. It would definitely be safe to block on that for any single address.