Thanks for the nudge in the right direction. I'll take a look at that regex.

Showing the sender address in Outlook won't fly. It's a good idea, but users would hate it and it doesn't solve the issue for mobile users (where most of our users get tricked into a quick reply).

How much would you need for a 100 hour or so sponsorship of this? I doubt our charity can come up with the funds, but I'd try!!

On Mon, Nov 4, 2019 at 9:12 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> Such a feature is not worth the effort.
>
> https://www.howto-outlook.com/howto/viewsenderaddress.htm
>
> There are too many pitfalls and too many required manual configuration tweaks and exceptions to be handled.
> examples:
> - assp does not know user and mailbox names - requires manual tweaks using lists and/or regular expressions
> - to keep the manual configuration impact low, a complex and very variable LDAP and/or external scripting will be required
> - a per local domain configuration will be required
> - several bounce sender tagging mechanisms will make problems (example: <bob.jones=ourcharity....@domain.com>)
> ....
>
> So, with this feature you would have to configure matching sets for each user. But you can do this now already - in 'bombHeaderRe'. If you got a regular expression working for one user, it is easy to build them for every user.
> example:
>
> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?{local %_ = qw, fname bob sname jones domain ourcharity.org ,})(?:(??{$_{'fname'}})[. _\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[, ](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E>>>~=>YOURSCORE
>
> this example requires the hidden variable 'AllowCodeInRegex' to be set to 1 and a small change in assp.pl - will be published soon
>
> or more simple, but much more needs to be changed in each line
>
> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?:bob[. _\-]+jones|jones[, ]bob|bob.jones\@ourcharity\.org))\s*"?[^<]*<[^\@]+\@(?!ourcharity\.org)\x3E>>>~=>YOURSCORE
>
> However, if you think you need such a feature, you'll need to sponsor it or find a sponsor. I expect an effort of two weeks but not less than 100 hours to implement and test this feature as a level-1 plugin.
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 04.11.2019 00:28
> Subject: Re: [Assp-test] Message body modification
> ------------------------------
>
> Right, but what I'm trying to accomplish (as described in detail in my previous thread) is flagging, maybe just with subject modification, mail from outside senders with a name that matches one of our organization's senders. I'd love to be able to have ASSP insert a warning, not on all mail, but only when there's a suspicious name match. We can't reasonably quarantine all external email, the messages in question don't have links or attachments to block.
>
> For example Bob Jones <bob.jo...@ourcharity.org> is the real address within our organization. We're seeing name spoofing mail from Bob Jones <bob.jones.ourcharity....@gmail.com> or Bob Jones <president123mad...@gmail.com>. It shows up in Outlook as Bob Jones in the inbox. Lots of times, the message even had the signature that the person actually uses. We've had even some of our most savvy users get tricked. The messages slip through assp, because they're innocuous sounding "are you in the office? I need your help" "I've got a favor to ask, reply when you get this please?" Whatever, user gets fooled, replies, and then that gmail address is whitelisted. The next mail asks for the purchase of gift cards, etc. Common scheme.
> If we could change even just the subject line like [Potential Spoof]: <real subject> that would help the recipient. Inserting a warning into the body would be even better!
>
> To do the matching though, we'd need to list the names of our people and their correct address and have ASSP flag only when there's a match from outside. Of course there are lots of legitimate instances where our people email from their real personal email address to our staff. Those would get a subject or body modification too, but that's okay. We don't have the budget to have a third-party system do this.
>
> Would you mind taking a look at the original thread for more detail and explanation of what I'm thinking? I think it's at least worth discussion - I think there's some real value to the ASSP community being how often we're getting name spoofing messages.
>
> On Sat, Nov 2, 2019 at 3:34 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> simple company rules are the solution:
>
> - every mail from outside the company is subject to be malicious - opening attachments or following links in such mails requires a full manual verification of the email before any action is done - on any doubt the mail has to be quarantined
> - quarantined mails are untouchable as long as they are not released by an authorized person or system
> - every mail from outside the company passed an assp system
> - every mail from/to inside the company will never reach any assp system (except assp reporting)
> - every mail from outside contains a X-ASSP header but at least the ASSP received header - this header has to be used by the mail client and/or server to classify the mail
>
> >can I insert something into the bodies of selected messages as it is sent to the real mail server
>
> there is no such code in assp.pl - only ASSP_AFC is able to manipulate the mail body (replace attachments, SMIME)
>
> >without having that warning message saved in the corpus
>
> assp stores the incoming mail + assp headers - never the content sent to the server
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 01.11.2019 18:02
> Subject: [Assp-test] Message body modification
> ------------------------------
>
> Thomas, quick question: can I insert something into the bodies of selected messages as it is sent to the real mail server without having that warning message saved in the corpus?
>
> Early last month, I sent "An idea: Visual warnings in message body" but received no replies.
> We're seeing SO many of these, that I might try to figure this out on my own if there isn't broad appeal.
>
> Thanks
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no known virus in this email!
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
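
Added example, not part of the thread and not ASSP code: a Python sketch of the check discussed above, flagging mail whose From/Sender/Reply-To display name matches a staff member while the address is outside the local domain, and prefixing the subject with [Potential Spoof]. The STAFF list, the mail.example domain, the sample message and all function names are assumptions made for illustration; it also accepts middle names, which the regular expressions above do not.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data (assumption): staff as (first name, surname).
STAFF = {("bob", "jones")}
LOCAL_DOMAIN = "ourcharity.org"
TITLES = re.compile(r"^(?:mrs?|ms|miss|dr|prof)\.?\s+", re.I)
TAG = "[Potential Spoof]: "

def name_keys(display):
    """Candidate (first name, surname) pairs for one display name."""
    name = TITLES.sub("", display.strip().strip('"').lower())
    if "@" in name:               # display name that is itself an address
        name = name.split("@", 1)[0]
    if "," in name:               # "Jones, Bob" -> "bob jones"
        sname, _, fname = name.partition(",")
        name = f"{fname} {sname}"
    parts = [p for p in re.split(r"[\s._\-]+", name) if p]
    if len(parts) < 2:
        return set()
    # Both orders, so "Jones Bob" is caught as well as "Bob Jones".
    return {(parts[0], parts[-1]), (parts[-1], parts[0])}

def is_name_spoof(display, address):
    """True when a staff name is shown on a non-local address."""
    domain = address.rpartition("@")[2].lower()
    if domain == LOCAL_DOMAIN:    # header value only, not proof of origin
        return False
    return any(key in STAFF for key in name_keys(display))

def tag_message(raw):
    """Parse a raw message; prefix the subject on a name match."""
    msg = message_from_string(raw)
    values = []
    for header in ("From", "Sender", "Reply-To"):
        values += msg.get_all(header, [])
    if any(is_name_spoof(n, a) for n, a in getaddresses(values)):
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = TAG + subject
    return msg

# Constructed sample message, modelled on the wording quoted in the thread.
SAMPLE = ("From: Bob Jones <president123@mail.example>\n"
          "Subject: are you in the office?\n\nI need your help\n")
```

As noted in the thread, staff writing from a real personal address are tagged too; only the display name is examined, so bounce-tagged local parts do not affect the result.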