I got a spearphishing e-mail the other day that had a From with the
following form:

    From: "Mister President <presid...@company.com>" <phish...@freemailer.com>

I attempted to craft an SA rule to catch the "@" in the From:name, but I
was unable to catch anything after the "<".

ex:

    From:name =~ /Mister President/      hits
    From:name =~ /Mister President \</   does not hit
    From:name =~ /\@/                    does not hit
    From:name =~ /company/               does not hit
    From =~ /\@.*\@/                     hits but is inefficient

I believe that SA may be removing the <presid...@company.com> part from
the From:name. Am I correct? Is there any efficient way to detect such
an occurrence of an "@" in the From:name?
Using SA version 3.4.1 on Ubuntu with debug
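
The check asked about above, sketched outside SpamAssassin as an added example that is not part of the original post: a Python function that splits a From: value into display name and real address, then flags a display name that shows an address from a different domain. The function name and all sample addresses (example.com, example.net) are constructed placeholders, and the RFC 2047 case goes beyond the single header quoted in the post.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose match for an address-like string; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def check_from(header_value):
    """Return (suspicious, shown_domain, real_domain) for one From: value."""
    # Split first, decode second: decoding before parsing would let an
    # encoded "<addr>" in the name be mistaken for the real address.
    raw_name, addr = parseaddr(header_value)
    try:
        name = str(make_header(decode_header(raw_name)))
    except (HeaderParseError, LookupError, UnicodeError):
        name = raw_name  # undecodable encoded-word: inspect it as sent
    real_domain = addr.rpartition("@")[2].lower()
    match = ADDR_IN_NAME.search(name)
    if match is None:
        return (False, None, real_domain)
    shown_domain = match.group(1).lower()
    # An address in the name is only suspicious when it disagrees with
    # the domain the message actually claims to come from.
    return (shown_domain != real_domain, shown_domain, real_domain)


# Constructed sample headers (placeholder addresses, not taken from the post).
_ENC = base64.b64encode(b"Mister President <ceo@example.com>").decode("ascii")
SAMPLES = [
    '"Mister President <ceo@example.com>" <sender@example.net>',  # spoofed name
    '"Mister President" <ceo@example.com>',                       # normal
    '"ceo@example.com" <ceo@example.com>',                        # name repeats own address
    "=?utf-8?B?" + _ENC + "?= <sender@example.net>",              # spoof hidden in RFC 2047
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_from(sample), sample)
```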