On Mon, 2 Oct 2017, David Jones wrote:

On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:

> I recently stumbled onto a mail with a Spam link where the FROM header
> field looked like this:
>
> From: "Firstname Lastname@" <recipient-domain.com
> sendern...@real-senders-domain.com>

 Jakob, just wanted to let you know I identified this issue as well and
 just opened a ticket about it yesterday to try and figure out a rule
 against it.  Can you send me spamples via pastebin, please?


 Regards,
 KAM


I am seeing this more and more on my SA filters and being reported by my customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header   FROM_SPOOF_EMAIL_DISPLAY  From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
describe FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an email address in the display name

You probably want to let SA do the header parsing and write your rule against From:name or From:addr instead.

If you're testing your rules in a sandbox using debug mode, this may help:

  header   __FROM_NAME  From:name =~ /.*/
  header   __FROM_ADDR  From:addr =~ /.*/

That way you can see what's actually being parsed from the header.


Potentially this might be as simple as:

  header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/

or

  header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

No idea how FP-prone those might be, though, so it's probably prudent to meta them with other stuff as well...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  If you ask amateurs to act as front-line security personnel,
  you shouldn't be surprised when you get amateur security.
                                                    -- Bruce Schneier
-----------------------------------------------------------------------
 186 days since the first commercial re-flight of an orbital booster (SpaceX)
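To see how the raw-header rule from David's message and the parsed-header rules John suggests behave on the kinds of From: lines the thread describes, here is a small Python harness. It is an added example, not code from either poster or from SpamAssassin; the `split_from` function is only an approximation of SA's From:name / From:addr parsing (an assumption, not SA's real parser), and the sample headers are constructed rather than taken from the pastebins.

```python
import re

# Constructed sample From: headers (not the pastebin samples from the thread).
SAMPLES = {
    # Variant quoted by Kevin: '@' at the end of the display name, two
    # addresses run together inside the angle brackets.
    "spoof_display": 'From: "Firstname Lastname@" <recipient-domain.com sender@real-senders-domain.com>',
    # Variant David's raw rule targets: an unquoted address as display name.
    "spoof_unquoted": "From: jane.doe@example.com <mailer@bulk-sender.example>",
    "legit": 'From: "Firstname Lastname" <firstname@example.org>',
    "legit_bare": "From: firstname@example.org",
}

# Rules from the thread: (field the regex runs against, compiled regex).
RULES = {
    # David Jones' rule against the raw header
    "FROM_SPOOF_EMAIL_DISPLAY": ("raw", re.compile(r"\@[a-z_]+?\.[a-z]{2,3} \<", re.I)),
    # John Hardin's suggestions against the parsed display name / address
    "__FROM_MAYBE_SPOOF": ("name", re.compile(r"\w@\w")),
    "__FROM_MULTIPLE_ADDR": ("addr", re.compile(r"\s")),
}


def split_from(header: str):
    """Approximation (assumption) of SpamAssassin's From:name / From:addr split:
    drop the 'From:' label, take the quoted or unquoted display name before the
    first '<' and everything inside the angle brackets as the address. With no
    brackets the whole value is the address and the name is empty."""
    value = re.sub(r"^From:\s*", "", header.strip(), flags=re.I)
    m = re.match(r'^(?:"([^"]*)"|([^<]*?))\s*<([^>]*)>\s*$', value)
    if not m:
        return "", value
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.strip(), m.group(3).strip()


def evaluate(header: str):
    """Return the set of rule names that fire on one From: header."""
    name, addr = split_from(header)
    fields = {"raw": header, "name": name, "addr": addr}
    return {rule for rule, (field, rx) in RULES.items() if rx.search(fields[field])}


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        name, addr = split_from(header)
        print(f"{label:15} name={name!r:28} addr={addr!r}")
        print(f"{'':15} hits={sorted(evaluate(header)) or '-'}")
```

Running it shows why John's caution about meta rules matters: the raw-header rule and `__FROM_MAYBE_SPOOF` fire on the unquoted `jane.doe@example.com <...>` variant but miss the `"Firstname Lastname@" <...>` form, which only `__FROM_MULTIPLE_ADDR` catches because of the whitespace inside the brackets, while neither legitimate header trips anything.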
