On Thu, 20 Aug 2015, Olivier Coutu wrote:

I got a spearphishing e-mail the other day that had a From with the following form:

From: "Mister President <presid...@company.com>"
        <phish...@freemailer.com>

I attempted to craft a SA rule to catch the "@" in the From:name but I was unable to catch anything after the "<"
ex:
From:name =~ /Mister President/      hits
From:name =~ /Mister President \</   does not hit
From:name =~ /\@/                    does not hit
From:name =~ /company/               does not hit
From =~ /\@.*\@/                     hits but is inefficient

More efficient, won't backtrack:

From =~ /\@[^\@]*\@/

...but be aware that would also hit a From with multiple :addr parts (which I have seen though rarely), which is also probably a good spam sign.

I believe that SA may be removing the <presid...@company.com> part from the From:name, am I correct?

Define this rule:

   header   __ALL_FROMNAME   From:name =~ /.*/

...and run spamassassin on a test message using:

   --debug area=all,rules,rules-all

You'll be able to see exactly what's available to match against.

I'd suggest for a From address like that, if it *is* dropping the email address within the comment a bug should be filed.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  End users want eye candy and the "ooo's and aaaahhh's" experience
  when reading mail. To them email isn't a tool, but an entertainment
  form.                                                 -- Steve Lake
-----------------------------------------------------------------------
 4 days until the 1936th anniversary of the destruction of Pompeii
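To see what a From:name rule and a whole-header From rule each have to work with, here is a Python sketch added to this thread (it is neither the poster's nor SpamAssassin's code). It uses the standard library's parseaddr to split a constructed copy of the spoofed header into display name and address, flags a display name that itself contains an "@", and applies the reply's non-backtracking regex to the raw header body; the addresses are placeholders, and the multi-address case illustrates the caveat about From headers with several :addr parts.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (placeholder domains, not real accounts).
HEADERS = {
    "spoofed": 'From: "Mister President <president@company.example>" '
               '<phisher@freemailer.example>',
    "benign": 'From: "Mister President" <president@company.example>',
    # Several address parts: the raw-header regex hits this too.
    "multi": 'From: "Alice" <alice@example.org>, "Bob" <bob@example.org>',
}

# Non-backtracking pattern from the reply: two '@' with no '@' between them.
TWO_ADDRS = re.compile(r'@[^@]*@')


def from_raw(header_line):
    """Header body as a plain 'From =~' rule sees it (everything after 'From:')."""
    return header_line.split(":", 1)[1].strip()


def from_name(header_line):
    """Display-name part only, the rough equivalent of SA's From:name.

    parseaddr keeps a quoted display name intact, angle brackets included,
    so the address hidden in the name is still visible here.
    """
    name, _addr = parseaddr(from_raw(header_line))
    return name


def name_contains_address(header_line):
    """True when the display name carries an '@' (address-in-name spoof)."""
    return "@" in from_name(header_line)


def raw_matches_two_at(header_line):
    """True when the raw header body contains two addresses' worth of '@'."""
    return TWO_ADDRS.search(from_raw(header_line)) is not None


if __name__ == "__main__":
    for label, line in HEADERS.items():
        print(f"{label:8} name={from_name(line)!r}")
        print(f"{'':8} name has '@': {name_contains_address(line)}"
              f"  raw /@[^@]*@/: {raw_matches_two_at(line)}")
```

Run it and compare the two columns: only the spoofed header is caught by the name check, while the raw-header regex also fires on the multi-address header, as the reply warns.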
