On Thu, 5 Oct 2017 07:38:23 -0400
Kevin A. McGrail wrote:

On 10/5/2017 7:19 AM, Jakob Curdes wrote:
Not a lot, but the trick is that Outlook displays both parts, and
users think that it is an internal mail because the "Firstname
Lastname" is real in the company and the "recipient-domain.com" is
the real recipient domain.
So it is a trick to circumvent SPF denials which prevent a spammer
from sending "internal" mails from external addresses.
So I think it is not a mistake, I suppose this is carefully crafted
to achieve exactly this result.
I can also confirm user behavior consistent with your description of
this issue as well where it tricked them into thinking it was an
internal message.  We had 1 case as well that this thread
coincidentally hit.

So while the spam engine rule is nice, a generic rule to work on 2 email
addresses in the From header is likely still an
indicator of spam that is a "good idea"(tm).
It's not two addresses, it's a single address with a space in it. It's
actually a legal header, but in the real world it's as rare as hen's
teeth:

     From:addr =~ /\s/

is probably worth scoring in its own right, but it could be combined
with a test for the @ in the display name.
Well, my

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR

does exactly this. I did not want to assign a single score as we do not know who else (legit mass mailers...) might construct strange display names or strangely formatted address fields.

JC
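The three checks discussed in this thread (an @ in the display name, more than one address-looking token in From:, and whitespace inside the address part), written out in Python as an added illustration rather than as anything posted by the participants or shipped with SpamAssassin. The From: headers are constructed samples; the `local_domain` parameter is a hypothetical addition that flags a display name claiming an address at the recipient's own domain.

```python
import re

# Constructed sample From: headers (not taken from the thread).  "spoof"
# mimics the trick discussed: the display name carries an address at the
# recipient's domain while the real sender address is external.
SAMPLES = {
    "spoof": '"Firstname Lastname <firstname.lastname@recipient-domain.com>" <attacker@external.example>',
    "legit": '"Firstname Lastname" <firstname.lastname@recipient-domain.com>',
    "spaced": 'Firstname Lastname <first name@external.example>',
}

# Anything that looks like local-part@domain, outside quotes/angle brackets.
ADDR_SPEC = re.compile(r'[^\s<>"]+@[^\s<>"]+')


def split_from(header):
    """Return (display_name, addr), taking the last <...> group as the
    address the way a mail client does.  With no angle brackets the whole
    header is treated as the address."""
    lt = header.rfind("<")
    gt = header.rfind(">")
    if lt == -1 or gt < lt:
        return "", header.strip()
    name = header[:lt].strip().strip('"').strip()
    return name, header[lt + 1:gt]


def analyse_from(header, local_domain=None):
    """Evaluate the indicators from the thread on one From: header value.
    local_domain (hypothetical) is the receiving organisation's domain."""
    name, addr = split_from(header)
    name_addrs = ADDR_SPEC.findall(name)
    return {
        # __FROM_NAME_CONTAINS_AT: display name contains an @
        "name_contains_at": "@" in name,
        # __FROM_MULTIPLE_ADDR: more than one addr-spec in the header
        "multiple_addr": len(ADDR_SPEC.findall(header)) > 1,
        # From:addr =~ /\s/: whitespace inside the address part itself
        "addr_has_space": re.search(r"\s", addr) is not None,
        # display name pretends to be an address at our own domain
        "name_claims_local": bool(local_domain) and any(
            a.lower().endswith("@" + local_domain.lower()) for a in name_addrs),
    }


def from_spoof_sender1(header):
    """Equivalent of the meta rule: both sub-indicators must fire."""
    r = analyse_from(header)
    return r["name_contains_at"] and r["multiple_addr"]
```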
