On Tue, 28 Jun 2016 14:13:57 +0000 David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send an email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client, then I have
>spoofed nothing detectable in advance by SA or any mail filter
>technology.

Excellent summary!
The key is that the number of spoofed people is extremely SMALL,
and we _CAN_ anticipate who they are.

It's easy to write a CUSTOM set of rules just for actual/likely
targeted senders (CEO/etc).
For each person/target, create a rule that tests an explicit
list of that person's normal Realname(s) (including reasonable
variations), against the Realname part of the From header, and
if there's a match, test whether the From Address is in a list
of allowed addresses.  Score only if it's a probable phish
Realname from an unknown/unallowed address.

There's lots of potential metas for even a low-scoring rule
(e.g. John Hardin's tip).

I've been doing this since 2009, both on a generic basis
(built into my "phishy tokens in headers" anti-phish system),
and on a custom domain level as we notice/anticipate targeted
individuals (all in my post-SA filter - sorry, I have no
examples of SA rules, and am ASSuming they'll be easy to write).

It works extremely well and is easy to maintain. :)


*** Implementation issues:

1. There's potential for name collision, however these would be
manually generated rules, so the maintainer would use his/her
judgement to assign scores.  For example, "Mark Sheppard" is
more likely to have a collision than "Chiwetel Ejiofor". :)

It would be straightforward to add an explicit list of (sender
verified) email addresses to exclude from testing.

In the seven years I've been doing this, I have had zero
collisions, however I have had an occasional FP when a targeted
sender starts sending stuff from himself using a new personal
email address, and does not notify the email admin.  In those
cases, even without a quarantine, the sender should notice it.
A smart quarantine always makes life better.

2. Ideally, one should remove chaff (including potentially
obfuscatory middle initials) and excess whitespace from each
email's From Realname before doing the comparisons.

3. A big issue is fuzzing of Realnames, which is name dependent.
For most Westerners, most spelling variations in "Mark Sheppard"
are much easier to notice than in "Chiwetel Ejiofor".  Leaving
out one of the double-ps in "Sheppard" would be a sensible
variation to add to his (hypothetical) list.

I have not yet noticed any fuzzing "in the wild", however all of
my targets have extremely "anglo" names.  I recommend looking at
tools that create fuzzy variations.

I have seen MANY fuzzes of big non-spear phish targets
(e.g. "paypa1" "paypa"), and have been adding them as they occur.
I plan to add a fuzzy algorithm during my next dev cycle.

4. As John Wilcock mentions, fuzzy domains are an issue.
If you're a target, it's worth generating a list of most likely
variations, then score/block the un-registered ones, and make an
informed decision on the rest.

5. I STRONGLY recommend scoring all "ACE prefix" domains, to
reduce/eliminate all the subtle and/or invisible variations.
We've been doing that for two years, and so far have had
zero "skip" domain requests.  Note that all our domains are
"Western" centric, though we have a few accounts who do have
regular contact with Unicode-type nations.
You all know your own email ecologies. :)


+1 to all the sensible remarks about good authorization policies.
The best defense has as many layers as practical. :)
        - "Chip"

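[Added example, not part of the thread above.  Chip says he has no
SA rules to show, so the following is one way to implement the
per-target Realname check from his post as a stand-alone filter
in Python: normalise the From Realname (decode RFC 2047, drop
initials and punctuation, fold case), match it against a list of
likely targets plus the "collapse a doubled letter" spelling
variation from item 3, and score only when the address is not in
that person's allowed list.  It also covers item 4 (likely
variations of our own domain) and item 5 (any "xn--" ACE-prefix
label).  Every name, address and domain in it is constructed; the
target list, the exclusion list, the digit-for-letter map and the
rule names are assumptions, not anything from the original post.]

```python
"""Display-name (Realname) spear-phish check, modelled on Chip's post.

Added example, not code from the original thread.  All names, addresses
and domains are constructed; the lists and rule names are assumptions.
"""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Likely targets -> addresses they legitimately send from (constructed).
TARGETS = {
    "Mark Sheppard": {"mark.sheppard@example.com", "msheppard@example.com"},
    "Chiwetel Ejiofor": {"chiwetel.ejiofor@example.com"},
}
# Sender-verified addresses excluded from the test altogether (item 1).
EXCLUDE = {"newsletter@example.com"}
# Our own domains, used to generate likely lookalikes (item 4).
OUR_DOMAINS = {"example.com"}
# Digit-for-letter swaps of the "paypa1" kind (assumed mapping).
HOMOGLYPHS = str.maketrans("013", "ole")


def normalize_realname(raw):
    """Decode RFC 2047 words, drop chaff (initials, punctuation, extra
    whitespace), fold case and homoglyphs, and sort the tokens so that
    "Sheppard, Mark J." compares equal to "Mark Sheppard" (item 2)."""
    text = str(make_header(decode_header(raw))).translate(HOMOGLYPHS).casefold()
    tokens = [t for t in re.findall(r"[^\W\d_]+", text) if len(t) > 1]
    return " ".join(sorted(tokens))


def name_variants(name):
    """The normalised name plus every spelling with one doubled letter
    collapsed ("sheppard" -> "shepard"), the variation suggested in item 3."""
    base = normalize_realname(name)
    out = {base}
    for i in range(1, len(base)):
        if base[i] == base[i - 1] != " ":
            out.add(base[:i] + base[i + 1:])
    return out


def domain_variants(domain):
    """Single deletions, adjacent transpositions and doubled letters of the
    first label: a list of 'most likely variations' in the sense of item 4."""
    label, dot, rest = domain.partition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                               # deletion
        out.add(label[:i] + label[i] + label[i:])                        # doubled letter
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return {v + dot + rest for v in out if v}


# Precomputed lookups: fuzzy Realname -> canonical target, and lookalike domains.
LOOKUP = {v: t for t in TARGETS for v in name_variants(t)}
DOMAIN_LOOKALIKES = set().union(*(domain_variants(d) for d in OUR_DOMAINS))


def check_from(from_header):
    """Return the names of the rules that fire for one From: header value."""
    realname, addr = parseaddr(from_header)
    addr = addr.casefold()
    domain = addr.rpartition("@")[2]
    hits = []
    if addr in EXCLUDE:
        return hits
    if any(label.startswith("xn--") for label in domain.split(".")):
        hits.append("ACE_PREFIX_DOMAIN")                    # item 5
    if domain in DOMAIN_LOOKALIKES:
        hits.append("LOOKALIKE_DOMAIN")                     # item 4
    target = LOOKUP.get(normalize_realname(realname))
    if target and addr not in {a.casefold() for a in TARGETS[target]}:
        hits.append("REALNAME_SPOOF")   # probable phish Realname, unallowed address
    return hits


if __name__ == "__main__":
    # Constructed sample headers, including an encoded-word display name.
    for hdr in (
        '"Mark Sheppard" <mark.sheppard@example.com>',
        '"Sheppard, Mark J." <MSheppard@Example.com>',
        '"Mark Shepard" <mark.sheppard@freemail.example>',
        '=?utf-8?q?Mark_Sheppard?= <m.s@freemail.example>',
        '"Mark Sheppard" <mark@exampel.com>',
        'Chiwetel Ejiofor <ceo@xn--exmple-cua.com>',
    ):
        print(f"{hdr!s:55} -> {check_from(hdr)}")
```

In SpamAssassin terms each of the three rule names would be its own
header rule on From:name / From:addr, combined by a meta per target;
the scoring judgement about collision-prone names (item 1) stays with
the maintainer, which is why the Realname rule only fires when the
address is outside that person's allowed list.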