On 11/21/19 12:14 PM, Martin Gregorie wrote:
describe SPOOFED_MAYOR Check for spoofed mail from the Mayor header __SM1 From:name /display name/ header __SM2 From:addr /email address/ meta SPOOFED_MAYOR (__VM1 && ! __VM2) score SPOOFED_MAYOR 5.0
I like the logic.Unfortunately, you need to be very careful as you start to run into all the text permutations / homograph attacks.
This type of rule may accidentally incur false positives too, so be careful. -- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature