I swear I came across a rule like this just the other day, but now I
can't find it, which is probably a sign of faulty memory. In any
case, the existing HeaderEval Plugin seems like a good place for this
(it already does a check for EnvFrom and From domain mismatches).
On Wed, 17 Jan 2018, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to be able to
> detect this type of spoofed From header?
>
> From: "h...@hulumail.com !" <lany...@hotmail.com>
> https://pastebin.com/vVhGjC8H
>
> Does anyone else think this would be a good idea to make a rule that at least
> checks both the From:name and From:addr to see if there is an email address
> in the From:name and if the domain is different add some points?
>
> We are seeing more and more of this now that SPF, DKIM, and DMARC are making
> it harder to spoof common/major brands that have properly implemented some or
> all of them.
--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
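The check David asks about (an email address embedded in the From: display name whose domain differs from the domain of the real From: address) can be prototyped outside SpamAssassin. The following is an added example, written for this thread in Python rather than as a Perl HeaderEval plugin; it is not SpamAssassin code. It uses only the standard library, decodes RFC 2047 encoded-words first so an address hidden in an encoded display name is still seen, and compares a simplified "last two labels" registrable domain (an assumption; production code would consult a public-suffix list). The sample headers and addresses are constructed for the test and are not the ones from the pastebin.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose pattern for something that looks like an email address inside a display name.
# Group 1 captures the domain part.
ADDR_IN_NAME = re.compile(r'[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})')


def decode_display_name(name: str) -> str:
    """Decode RFC 2047 encoded-words (=?UTF-8?B?...?=) so an address hidden
    in an encoded display name is visible to the regex."""
    try:
        return str(make_header(decode_header(name)))
    except Exception:
        # Malformed encoded-word: fall back to the raw text rather than failing open silently.
        return name


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two DNS labels.
    Assumption: good enough for hotmail.com vs hulumail.com; a real rule
    would use a public-suffix list so that e.g. example.co.uk is handled."""
    labels = host.lower().strip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


def from_name_addr_mismatch(from_header: str):
    """Return (name_domain, addr_domain) when the From: display name contains
    an email address whose domain differs from the real From: address domain.
    Return None when there is no address in the name or the domains agree."""
    name, addr = parseaddr(from_header)
    if '@' not in addr:
        return None  # unparsable or addr-less From:, nothing to compare
    name = decode_display_name(name)
    match = ADDR_IN_NAME.search(name)
    if not match:
        return None  # ordinary display name, no embedded address
    name_domain = registrable_domain(match.group(1))
    addr_domain = registrable_domain(addr.rsplit('@', 1)[1])
    if name_domain != addr_domain:
        return (name_domain, addr_domain)
    return None


def score_from_header(from_header: str, points: float = 2.0) -> float:
    """Rule-style wrapper: add `points` when the mismatch fires, else 0.0."""
    return points if from_name_addr_mismatch(from_header) else 0.0


if __name__ == '__main__':
    # Constructed sample headers (not the addresses from the thread).
    samples = [
        '"someone@hulumail.com !" <someone@hotmail.com>',          # display-name domain spoof
        '=?UTF-8?B?Ym9iQGh1bHVtYWlsLmNvbQ==?= <bob@hotmail.com>',  # same trick, RFC 2047 encoded
        '"Alice (alice@example.com)" <alice@example.com>',          # address in name, same domain
        'Plain Name <plain@example.org>',                            # no address in name
    ]
    for hdr in samples:
        print(f'{score_from_header(hdr):>4}  {from_name_addr_mismatch(hdr)}  {hdr}')
```

Run as a script to see which constructed headers fire; `score_from_header` mirrors the "add some points" idea, while `from_name_addr_mismatch` returns the two domains so a rule can log what it compared.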