*Name only* spoofing messages (where an outside account like one from Gmail is used but with the CEO/CFO or someone else's name in our org on the message) are becoming so common that I'd like to see ASSP be able to act on them. Often the initial phishing attempt is an innocuous-sounding message, "are you available?" or whatever, that slips through ASSP's filtering.
An example would be a from line like:

    FROM: "Ken Post" <ken.post-ourcharity....@gmail.com>
    FROM: "Ken Post" <president12...@gmail.com>

These just show up in most email clients with "Ken Post" and people only catch on if they look at the email address when viewing the message itself.

I'm wondering if there's value to having ASSP be able to have some sort of warning insertion above the body of the original message. I recognize that this would be completely new functionality, but if we can figure out a way to insert messages without breaking other functionality (don't break existing html formatting for example), it would be quite helpful. A visible cue warning the user might just be enough to stop them from falling for the phish.

Office365 apparently has an advanced license that does this. Exchange allows for a transport rule to do this too. But how great would it be for ASSP to tackle this all on its own? See this old 2016 article for some visual examples:
https://blogs.perficient.com/2016/04/04/office-365-providing-your-users-visual-cues-about-email-safety/

We don't want to reject these messages, just warn about them. I'd say to score too, but lots of our users send mail from their personal accounts when at home. I beg them not to, but still.

We'd need to maintain a list of triggers and maybe a templating system for the inserted message. Initially, I'd like to see 2 types of triggers: NAMESPOOF, for when someone's name is used in the from line, and LOWLIMIT, when a message is below the block limit, but high enough to trigger the subject modification.

First we could have the namespoof configuration file:

    DescriptiveSenderName,NameRegEx,ValidEmailsRegEx,ToRegex,templatetouse

so for example:

    Joe Smith,.*Jo.* Smith.*, (JoeSmith|JSmith)@OurCharity.org,.*@OurCharity\.org,NAMESPOOFTemplate1

Would trigger for any mail sent where

- the name in the FROM line matches parameter 2's regex ( .*Joe.* Smith.* ). So Joe Smith, Joseph Smith, Dr. Joe Smith, Joe Bob Smith in the from line
- that isn't from joesm...@ourcharity.org or jsm...@ourcharity.org
- for any user in @OurCharity.org
- if that happens, use the template called NAMESPOOFTemplate1

namespooftemplate1:

    <div style="background:#xxx;whatevercss;">Warning: Is this message really from {DescriptiveSenderName}? This message claims to be from {EMAILFROMNAME} but was sent from {EMAILFROMADDRESS} which is not that person's email address @OurCharity.org. Before replying to this email, opening attachments, or following any instructions, please ensure that this is really an email from {DescriptiveSenderName}.</div>

We'd need to consider mail sent "on behalf of," or do we?

We could also have a low limit config file. Any time a message is above the LOWLIMIT score, or maybe a score set in the file, use a template to insert a warning.

    .*@OurCharity\.org,LowLimitTemplate1
    .*@OurOtherOrgdomain\.org,LowLimitTemplate2

LowLimitTemplate1:

    <div>Warning: This message may be spam. If it is, don't forget to forward it as an attachment to spamrep...@assp.ourcharity.org You can also contact Ken in IT for help, but remember not to forward questionable messages</div>

LowLimitTemplate2:

    <div>Potential spam to Our Other Org. Be careful. Contact Bob in IT for help.</div>

To be able to remove the warnings if an email reply is sent out through ASSP would be great too, but may be too much to ask for!!

This sounds like a pretty massive project to me, but would you agree that if it could be done, that it would be useful? Should we discuss further?

Thanks
Ken
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
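
The NAMESPOOF check proposed in the message above, sketched as an added example; it is not part of the original post and not ASSP code. The function names, the `mail.example` sender addresses and the shortened template text are assumptions, and the rule parser assumes no regex contains a comma.

```python
import html
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample data, using the rule format and placeholders from the post.
RULES = r"Joe Smith,.*Jo.* Smith.*, (JoeSmith|JSmith)@OurCharity.org,.*@OurCharity\.org,NAMESPOOFTemplate1"
TEMPLATES = {
    "NAMESPOOFTemplate1": "<div>Warning: Is this message really from "
    "{DescriptiveSenderName}? It claims to be from {EMAILFROMNAME} "
    "but was sent from {EMAILFROMADDRESS}.</div>",
}

def load_rules(text):
    """Parse lines of DescriptiveSenderName,NameRegEx,ValidEmailsRegEx,ToRegex,template."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 comma-separated fields: {line!r}")
        label, name_re, valid_re, to_re, template = fields
        rules.append((label, *(re.compile(p, re.I) for p in (name_re, valid_re, to_re)), template))
    return rules

def namespoof_warning(from_header, rcpt, rules, templates):
    """Return the rendered warning HTML for a name-only spoof, or None."""
    raw_name, addr = parseaddr(from_header)
    # Decode RFC 2047 encoded-words and collapse whitespace so an encoded
    # or oddly spaced display name is compared in the form the user sees.
    name = " ".join(str(make_header(decode_header(raw_name))).split())
    for label, name_re, valid_re, to_re, template in rules:
        # fullmatch, not search: an unanchored ValidEmailsRegEx would accept
        # JSmith@OurCharity.org.other.example as a legitimate sender.
        if name_re.fullmatch(name) and to_re.fullmatch(rcpt) and not valid_re.fullmatch(addr):
            values = {"DescriptiveSenderName": label, "EMAILFROMNAME": name,
                      "EMAILFROMADDRESS": addr}
            # Display name and address are sender-controlled: HTML-escape
            # them, and substitute in one pass so they cannot inject markup.
            return re.sub(r"\{(\w+)\}",
                          lambda m: html.escape(values.get(m.group(1), m.group(0))),
                          templates[template])
    return None
```

Mail from one of the listed @OurCharity.org addresses returns None, so no warning is inserted; a user writing from a personal account under their own name does get the warning, which is a prompt to check rather than a rejection.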