On Thu, 5 Oct 2017 07:38:23 -0400
Kevin A. McGrail wrote:

> On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> > Not a lot, but the trick is that Outlook displays both parts, and
> > users think that it is an internal mail because the "Firstname 
> > Lastname" is real in the company and the "recipient-domain.com" is
> > the real recipient domain.
> > So it is a trick to circumvent SPF denials which prevent a spammer 
> > from sending "internal" mails from external addresses.
> > So I think it is not a mistake, I suppose this is carefully crafted
> > to achieve exactly this result.   
> 
> I can also confirm user behavior consistent with your description of 
> this issue as well where it tricked them into thinking it was an 
> internal message.  We had 1 case as well that this thread
> coincidentally hit.
> 
> So while the spam engine rule is nice, a rule to work on 2 email
> addresses in the from header that is generic is likely still an
> indicator of spam that is a "good idea"(tm).

It's not two addresses; it's a single address with a space in it. It's
actually a legal header, but in the real world it's as rare as hen's
teeth:

    From:addr =~ /\s/

is probably worth scoring in its own right, but it could be combined
with a test for the @ in the display name.
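
The two checks discussed in this thread, whitespace inside the From addr-spec and an @ in the display name, as an added stand-alone example that is not SpamAssassin's code or anything posted in the thread. The rule names, the `split_from`/`check_from` helpers and the sample From values are all constructed for illustration.

```python
import re

# Split an RFC 5322 From header value into (display_name, addr_spec).
# The addr-spec is taken from the LAST <...> group, which is how a header
# that "looks like" it carries two addresses is usually resolved by the
# MTA; everything before that group is treated as the display name.
ANGLE_ADDR = re.compile(r'^(?P<name>.*?)\s*<(?P<addr>[^>]*)>\s*$', re.DOTALL)


def split_from(value):
    """Return (display_name, addr_spec) for a From header value."""
    m = ANGLE_ADDR.match(value.strip())
    if m:
        return m.group('name').strip(), m.group('addr').strip()
    return '', value.strip()  # bare addr-spec, no display name


# Hypothetical rule names; each test receives (display_name, addr_spec).
RULES = [
    # The rare-but-legal case from the thread: whitespace inside the
    # addr-spec itself (the From:addr =~ /\s/ idea).
    ('FROM_ADDR_HAS_SPACE', lambda name, addr: re.search(r'\s', addr) is not None),
    # An '@' in the display name: Outlook shows the name, so the user sees
    # a second, spoofed "internal" address next to the real external one.
    ('FROM_NAME_HAS_AT', lambda name, addr: '@' in name),
]


def check_from(value):
    """Return the names of all rules that fire on this From header value."""
    name, addr = split_from(value)
    return [rule for rule, test in RULES if test(name, addr)]


if __name__ == '__main__':
    # Constructed sample headers, not taken from real mail.
    samples = [
        '"Jane Doe" <jane@corp.example>',                              # benign
        'jane@corp.example',                                           # benign, bare
        '"Jane Doe" <jane@corp.example spam@evil.example>',            # space in addr
        'Jane Doe <jane@corp.example> <spam@evil.example>',            # @ in name
        '"Jane Doe <jane@corp.example>" <jane@corp.example spam@evil.example>',
    ]
    for s in samples:
        print(f'{s!r:75} -> {check_from(s)}')
```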
