On Thu, 5 Oct 2017 07:38:23 -0400 Kevin A. McGrail wrote:
> On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> > Not a lot, but the trick is that Outlook displays both parts, and
> > users think that it is an internal mail because the "Firstname
> > Lastname" is real in the company and the "recipient-domain.com" is
> > the real recipient domain.
> > So it is a trick to circumvent SPF denials which prevent a spammer
> > from sending "internal" mails from external addresses.
> > So I think it is not a mistake, I suppose this is carefully crafted
> > to achieve exactly this result.
>
> I can also confirm user behavior consistent with your description of
> this issue as well where it tricked them into thinking it was an
> internal message. We had 1 case as well that this thread
> coincidentally hit.
>
> So while the spam engine rule is nice, a rule to work on 2 email
> addresses in the From header that is generic is likely still an
> indicator of spam that is a "good idea"(tm).
It's not two addresses, it's a single address with a space in it. It's actually a legal header, but in the real world it's as rare as hen's teeth: From:addr =~ /\s/ is probably worth scoring in its own right, but it could be combined with a test for the @ in the display name.
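The two From-header properties the reply proposes scoring, whitespace inside the addr-spec and an "@" inside the display name, expressed as a small stand-alone checker. This is an added example, not code from the list or from SpamAssassin; the header values are constructed, the domains are placeholders, and the rule names are hypothetical.

```python
import re

# Split "display <addr-spec>" on the LAST angle-bracket pair, so a '<' inside a
# quoted display name does not confuse the split.  Without brackets the whole
# value is treated as a bare addr-spec (RFC 5322 allows both forms).
_ANGLE_ADDR = re.compile(r'^(?P<display>.*)<(?P<addr>[^<>]*)>\s*$', re.DOTALL)


def split_from(header_value):
    """Return (display_name, addr_spec) for one raw From: header value."""
    # Unfold continuation lines the way a filter sees the header; a fold
    # inside the brackets becomes a space and is then judged like any other.
    value = re.sub(r'\r?\n[ \t]+', ' ', header_value).strip()
    m = _ANGLE_ADDR.match(value)
    if m:
        return m.group('display').strip(), m.group('addr').strip()
    return '', value


def from_addr_has_whitespace(header_value):
    r"""Mirrors the From:addr =~ /\s/ test from the thread: whitespace inside
    the address part, legal but practically never seen in real mail."""
    _, addr = split_from(header_value)
    return re.search(r'\s', addr) is not None


def display_name_has_at(header_value):
    """An '@' in the display name: a mailbox-looking phrase that clients show
    prominently while the real addr-spec sits elsewhere."""
    display, _ = split_from(header_value)
    return '@' in display


# Hypothetical rule names; in a real filter each would carry its own score.
RULES = (
    ('FROM_ADDR_WHITESPACE', from_addr_has_whitespace),
    ('FROM_DISPLAY_HAS_AT', display_name_has_at),
)


def evaluate_from(header_value):
    """Names of the rules above that fire for one From: header value."""
    return [name for name, test in RULES if test(header_value)]


# Constructed sample header values (placeholder domains), one per case.
SAMPLES = {
    'space_in_addr': 'Firstname Lastname <firstname.lastname@recipient-domain.com attacker@external.example>',
    'at_in_display': '"firstname.lastname@recipient-domain.com" <attacker@external.example>',
    'legit_angle': 'Firstname Lastname <firstname.lastname@recipient-domain.com>',
    'legit_bare': 'firstname.lastname@recipient-domain.com',
}

if __name__ == '__main__':
    for label, value in SAMPLES.items():
        print(f'{label:14} {evaluate_from(value) or "-"}')
```

The two tests are kept separate so they can be scored independently, as the reply suggests, or combined into a meta-rule; the split is done on the raw header rather than through a lenient address parser precisely because the interesting cases are the ones a parser would silently normalise away.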