On Mon, 2 Oct 2017, David Jones wrote:

On 10/02/2017 01:11 PM, John Hardin wrote:
 On Mon, 2 Oct 2017, David Jones wrote:

>  On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
> >
> > >   I recently stumbled onto a mail with a Spam link where the FROM header
> > >   field looked like this:
> > >
> > >   From: "Firstname Lastname@" <recipient-domain.com sendern...@real-senders-domain.com>
> >
> >   Jakob, just wanted to let you know I identified this issue as well and
> >   just opened a ticket about it yesterday to try and figure out a rule
> >   against it.  Can you send me spamples via pastebin, please?
> >
> >   Regards,
> >   KAM
> >
>
> I am seeing this more and more on my SA filters and being reported by my
> customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header          FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
> describe        FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an email address in the display name

 You probably want to let SA do the header parsing and write your rule
 against From:name or From:addr instead.


Thank you for the suggestions. I didn't know about the From:name and From:addr parsing by SA. As it turns out, the double quotes missing are very important. When I use the From:name which properly has the quotes, I am hitting many false positives. It appears that legit sending people or mail clients are putting email addresses in their "Display Name". It's the ones without quotes that are spam a high percentage of the time in my mail flow.

Not surprising.

I have gone back to my original rule that catches senders that put an email address in the Display Name and do not have quotes.

How about:

header  __FROM_QUOTES           From =~ /"/
header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)

 If you're testing your rules in a sandbox using debug mode, this may help:

    header   __FROM_NAME  From:name =~ /.*/
    header   __FROM_ADDR  From:addr =~ /.*/

 That way you can see what's actually being parsed from the header.


 Potentially this might be as simple as:

    header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/

 or

    header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

 No idea how FP-prone those might be, though, so it's probably prudent to
 meta them with other stuff as well...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The world has enough Mouse Clicking System Engineers.
                                                       -- Dave Pooser
-----------------------------------------------------------------------
 186 days since the first commercial re-flight of an orbital booster (SpaceX)
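The subrules discussed in this thread (__FROM_QUOTES, __FROM_MAYBE_SPOOF and the __FROM_SPOOF meta from John's reply, plus __FROM_MULTIPLE_ADDR from his earlier message), worked through in Python as an added example; this is not code from the thread or from SpamAssassin, and parse_from is an assumed, simplified stand-in for SA's From:name / From:addr extraction, run over constructed sample headers.

```python
import re

# Assumed stand-in for SpamAssassin's From:name / From:addr parsing:
# display name is whatever precedes "<...>", address is what sits inside it.
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_from(header):
    """Return (display_name, address) for a raw 'From: ...' header line."""
    value = header.split(":", 1)[1].strip() if header.lower().startswith("from:") else header.strip()
    m = ADDR_RE.search(value)
    if not m:
        return "", value                  # bare address, no display name
    addr = m.group(1).strip()
    name = value[:m.start()].strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]                 # From:name is handed back without the quotes
    return name, addr


def evaluate(header):
    """Apply the thread's subrules to one header; returns {rule: hit}."""
    name, addr = parse_from(header)
    hits = {
        "__FROM_QUOTES":        '"' in header,                          # From =~ /"/
        "__FROM_MAYBE_SPOOF":   re.search(r"\w@\w", name) is not None,  # From:name =~ /\w@\w/
        "__FROM_MULTIPLE_ADDR": re.search(r"\s", addr) is not None,     # From:addr =~ /\s/
    }
    # meta __FROM_SPOOF   __FROM_MAYBE_SPOOF && !__FROM_QUOTES
    hits["__FROM_SPOOF"] = hits["__FROM_MAYBE_SPOOF"] and not hits["__FROM_QUOTES"]
    return hits


# Constructed sample headers (not taken from the thread's pastebins).
SAMPLES = {
    "unquoted_spoof":  "From: Firstname Lastname@recipient-domain.example <sender@real-senders-domain.example>",
    "quoted_legit":    'From: "Jane Doe (jane@example.com)" <jane@example.com>',
    "plain":           "From: Alice Smith <alice@example.com>",
    "quoted_two_addr": 'From: "Firstname Lastname@" <recipient-domain.example sender@real-senders-domain.example>',
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, sorted(rule for rule, hit in evaluate(hdr).items() if hit))
```

Only the unquoted header trips __FROM_SPOOF; the quoted form modelled on Jakob's sample is missed by /\w@\w/ (nothing follows the @) and is caught solely by the whitespace test on From:addr.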
