On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:

>> I recently stumbled onto a mail with a Spam link where the FROM header field looked like this:
>>
>> From: "Firstname Lastname@" <recipient-domain.com sendern...@real-senders-domain.com>
>
> Jakob, just wanted to let you know I identified this issue as well and just opened a ticket about it yesterday to try and figure out a rule against it.  Can you send me spamples via pastebin, please?
>
> Regards,
> KAM


I am seeing this more and more on my SA filters and being reported by my customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header   FROM_SPOOF_EMAIL_DISPLAY  From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
describe FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an email address in the display name
score    FROM_SPOOF_EMAIL_DISPLAY  4.2

P.S. I am sure that someone will suggest an improvement to the above rule and they are welcome. I know it won't catch all email addresses based on that regex so it probably should be adjusted to handle new TLDs with more than 3 characters.

P.P.S. Standard disclaimer to adjust the score down until you have done some testing in your environment then score it how you see fit.

--
David Jones
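An added example, not from the thread or from SpamAssassin, that runs the posted regex over constructed From: header values in Python and puts it beside an adjusted variant that accepts TLDs longer than three characters (the `ADJUSTED_RULE` pattern, the rule names with a `_TLD` suffix and all sample headers are my own assumptions, not the pastebin samples):

```python
import re
from typing import Dict

# Regex from the rule posted in the thread; the /i flag becomes re.IGNORECASE.
#   header FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
ORIGINAL_RULE = re.compile(r"@[a-z_]+?\.[a-z]{2,3} <", re.IGNORECASE)

# Adjusted variant (assumption, not from the thread): digits, hyphens and
# subdomain dots in the domain part, and a TLD of 2 to 63 letters.
ADJUSTED_RULE = re.compile(r"@[a-z0-9_.-]+\.[a-z]{2,63} <", re.IGNORECASE)

RULES = {
    "FROM_SPOOF_EMAIL_DISPLAY": ORIGINAL_RULE,
    "FROM_SPOOF_EMAIL_DISPLAY_TLD": ADJUSTED_RULE,  # hypothetical name
}


def evaluate_from_header(from_value: str) -> Dict[str, bool]:
    """Return which rule variant fires on one raw From: header value.

    SpamAssassin's `header ... From =~` test sees the whole header value
    (display name plus address), which is what the regexes are applied to.
    """
    return {name: bool(rx.search(from_value)) for name, rx in RULES.items()}


# Constructed From: header values for the demonstration.
SAMPLES = {
    # address-looking token at a 3-letter TLD right before "<": both fire
    "spoof_3_letter_tld": "Jane Doe jane.doe@example.com <bulk123@sender.test>",
    # same trick with a longer TLD: only the adjusted variant fires
    "spoof_long_tld": "Jane Doe jane.doe@example.online <bulk123@sender.test>",
    # ordinary header: the only "@" is inside the angle brackets
    "legit": '"Jane Doe" <jane.doe@example.com>',
    # quoted display name: the closing quote sits between the TLD and the
    # space, so neither pattern (both expect 'tld <') fires on this form
    "spoof_quoted": '"Jane Doe jane.doe@example.com" <bulk123@sender.test>',
}


def run_samples() -> Dict[str, Dict[str, bool]]:
    """Evaluate every constructed sample; handy for eyeballing the result."""
    return {label: evaluate_from_header(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        fired = [name for name, hit in hits.items() if hit] or ["-"]
        print(f"{label:20s} {' '.join(fired)}")
```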
