I started working on this, and quickly realized the hard part is
determining/parsing the domain out of the From:name variable.
Is there any existing code in SA that "recognizes" email addresses
that can be called and/or re-used?
On Wed, 17 Jan 2018, David Jones wrote:
Would a plugin need to be created (or an existing one enhanced) to be able to
detect this type of spoofed From header?
From: "h...@hulumail.com !" <lany...@hotmail.com>
https://pastebin.com/vVhGjC8H
Does anyone else think this would be a good idea to make a rule that at least
checks both the From:name and From:addr to see if there is an email address
in the From:name and if the domain is different add some points?
We are seeing more and more of this now that SPF, DKIM, and DMARC are making
it harder to spoof common/major brands that have properly implemented some or
all of them.
--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
