I have been dealing with spear phishing attacks which have forged From:
addresses such as
From: [EMAIL PROTECTED]
Which looks plausible to our users, but which does not exist. Not just
for stopping spear phishing, but as a point of principle, I want to
reject messages like this.
I have a verify = header_sender ACL, but that does not block this
because the messages also have a header such as
Reply-to: [EMAIL PROTECTED]
The header_sender verify checks that first and ignores the From: header!
It appears I could explicitly check the From: header using something
like
condition = ${if eq{${domain:$header_from:}}{exeter.ac.uk}{yes}{no}}
verify = sender=$header_from:
However, since the From: header can contain multiple addresses, the
above sample needs quite a bit of extra work. Further, I can only see
that I could check one of the addresses if more than one is present.
Am I missing something? If not, it might be a useful addition to extend
the verify condition to allow specific checks in individual header
address fields ('verify = header_from', 'verify = header_to' and so on).
What do other people do to check headers?
Phil.
--------------------
Phil Chambers
Postmaster
University of Exeter
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
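One way to check every address in From: rather than just the first, as an added example (not from Phil's post and not part of the Exim distribution): the ACL fragment below iterates over all addresses extracted from the From: header and rejects the message if any of them claims the local domain but its local part is not in a list of known addresses. It assumes an Exim version with the forany condition and the addresses operator, the domain exeter.ac.uk from the post, and a hypothetical lsearch file /etc/exim/valid-localparts (one local part per line, followed by a colon).

```exim
# Added example; place in the DATA-time ACL (e.g. acl_smtp_data).
# Reject if ANY From: address uses our domain with an unknown local part.
# /etc/exim/valid-localparts is an assumed lsearch file:
#   pchambers:
#   postmaster:
deny  message   = From: contains an exeter.ac.uk address that does not exist
      # ${addresses:...} turns the raw header into a colon-separated list of
      # bare local-part@domain strings; forany sets $item to each in turn.
      condition = ${if forany{${addresses:$h_from:}}\
                   {and{\
                     {eq{${domain:$item}}{exeter.ac.uk}}\
                     {eq{${lookup{${local_part:$item}}lsearch{/etc/exim/valid-localparts}{found}{missing}}}{missing}}\
                   }}}
```

Because this runs on the From: header directly, a Reply-To: header no longer masks a forged From: the way verify = header_sender does; log the rejection (the default ACL logging suffices) so forged-domain attempts can be counted.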