Thank you for the reply Thomas,

Being able to include sender:, reply to: and errors-to: would be handy in my 
opinion

However, in this case the local domain was not in any of the from: fields 
whatsoever. By using 
n...@recipientdomain.tld-1.me<mailto:n...@recipientdomain.tld-1.me>, this hits 
a stupid bug in Outlook where in some places it will only display 
n...@recipientdomain.tld<mailto:n...@recipientdomain.tld>. The -1.me is 
completely fictional and varies from message to message. I thought this would 
not be caught by nospoofing because that would only match if the RHS ended in 
the entry from localdomains.

All the best,
Colin.

From: Thomas Eckardt <thomas.ecka...@thockar.com>
Sent: 13 April 2018 16:55
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains

Colin,

'DoNoSpoofing4From' should do it - but it is'nt. Only the first 'From:' address 
is currently checked and this will not prevent this attack.
But it is possible to include 'sender: , reply-to: and errors-to:' in to this 
check - which would catch this mails.

What do you think?

Thomas





Von:        "Colin Waring" 
<co...@dolphinict.co.uk<mailto:co...@dolphinict.co.uk>>
An:        "ASSP development mailing list" 
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Datum:        13.04.2018 17:17
Betreff:        [Assp-test] Multiple From headers/regex based on localdomains
________________________________


Hi,



I’ve a couple of fun ones at the moment. Basically I’m getting reports of 
phishing emails that get past everything.



The headers are like this:



Reply-to: Sender Name 
<n...@recipientdomain.tld-1.me<mailto:n...@recipientdomain.tld-1.me>>

To: recipi...@recipientdomain.tld<mailto:recipi...@recipientdomain.tld>

From: Sender Name <f...@domain.tld<mailto:f...@domain.tld>>

From: Sender Name <f...@domain2.tld<mailto:f...@domain2.tld>>

From: Sender Name 
<actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld<mailto:actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld>>



These bypass no spoofing as none of the from/SMTP header domains are actually 
the recipient domain. Annoyingly, Outlook chooses the Reply-to address to 
display so it appears almost legitimate.



I’m aware that the RFCs allow multiple from headers, though I can’t see of any 
legitimate reason for this so I was considering blocking or increasing spam 
score based on this – is this possible with ASSP at the moment or not?



The second thing I was looking at doing was coming up with a regex. 
Essentially, all recipient domains are in localdomains.txt so I’d want a regex 
that would take all lines from localdomains. If the reply to or smtp from 
address is a line from localdomains with anything else after it, then bin it. I 
accept that there may in some extremely obscure cases be a clash with a 
legitimate domain but do not believe that to be likely. I’ll have a look next 
week as to if I can figure out a way to do it but if there’s something obvious 
that you could let me know that’d be great.



All the best,

Colin.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test





DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known 
virus in this email!
*******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Reply via email to