On 08/24/2018 07:02 PM, Kevin A. McGrail wrote:
On 1/18/2018 6:52 AM, Pedro David Marco wrote:
David,
This rule can do the full job... I have tested it with good results.
(Can be tested here: https://regex101.com/r/Vpmhjz/3 )
It checks if the level domain next to the TLD in the From:name matches
the domain next to the TLD in From:email
header   FROM_DOMAINS_MISMATCH  From !~ /(?:[^<].+?)\@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(\@\1|\@.*?\.\1)/
describe FROM_DOMAINS_MISMATCH  Domain name mismatch in From header
Did this ever get considered for a sandbox?
Alan Hodgson also had a good post on one but not tested.
Regards,
KAM
I am not sure this is going to be worth it as a sandbox rule. There are
going to be a high number of system-generated and mass-marketing emails
that aren't going to match the From: header.
From my experience, this is a local rule that detects high-value
display names in phishing attempts. For example, the C-level
executive's name as the Display Name when it comes from gmail.com to the
Finance department to wire money.
From: "CEO Name Here" <john...@gmail.com>
Also, DMARC is supposed to help with this spoofing of the From: header.
I handle this locally with OpenDMARC adding headers used in an SA meta
rule. This is the best way to handle this until SA natively supports DMARC.
--
David Jones
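The following is an added worked example, not code from anyone in this thread. It runs the FROM_DOMAINS_MISMATCH regex exactly as posted (with the `!~` sense, so the rule "fires" when the regex does not match) over a handful of constructed From: headers, so a reader can see which headers trip it, including headers whose display name contains no address at all. Beside it is a structured implementation of the intent described in the thread (compare the label next to the TLD in an address found inside the display name with that of the real address), plus a local rule in the spirit of the "executive name from gmail.com" case. The high-value names, freemail domains and sample headers are constructed for the example; the "label next to the TLD" helper assumes single-label TLDs (a public-suffix list would be needed for domains such as co.uk).

```python
import re
from email.utils import parseaddr

# The FROM_DOMAINS_MISMATCH regex as posted in the thread (Perl syntax; these
# constructs behave the same under Python's re module).
POSTED_RE = re.compile(
    r'(?:[^<].+?)@(?:.+?\.)*?(.+?\.)(?:.+?).*?<.+?(@\1|@.*?\.\1)'
)


def posted_rule_fires(from_header: str) -> bool:
    """The rule is written with '!~', so it fires when the regex does NOT match."""
    return POSTED_RE.search(from_header) is None


# An email address embedded in free text (the display name); group 1 is its domain.
ADDR_IN_TEXT = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')


def label_next_to_tld(domain: str) -> str:
    """Return the DNS label immediately left of the TLD: 'example' for mail.example.com.
    Assumption: single-label TLDs (co.uk and friends would need a public-suffix list)."""
    labels = domain.lower().rstrip('.').split('.')
    return labels[-2] if len(labels) >= 2 else labels[0]


def structured_check(from_header: str) -> str:
    """Structured version of the intent stated in the thread.

    Returns 'no-address-in-name' when the display name carries no address
    (so a rule built on this would not fire on ordinary system-generated mail),
    'match' when the label next to the TLD agrees, and 'mismatch' otherwise.
    """
    name, addr = parseaddr(from_header)
    found = ADDR_IN_TEXT.search(name)
    if not found or '@' not in addr:
        return 'no-address-in-name'
    name_label = label_next_to_tld(found.group(1))
    addr_label = label_next_to_tld(addr.rsplit('@', 1)[1])
    return 'match' if name_label == addr_label else 'mismatch'


# Local rule in the spirit of the CEO-name-from-gmail example in the thread.
# Names and domains below are constructed for this example.
HIGH_VALUE_NAMES = {'jane ceo', 'john cfo'}
FREEMAIL_DOMAINS = {'gmail.com', 'yahoo.com', 'outlook.com'}


def exec_name_from_freemail(from_header: str) -> bool:
    """True when a high-value display name arrives from a freemail domain."""
    name, addr = parseaddr(from_header)
    if '@' not in addr:
        return False
    domain = addr.rsplit('@', 1)[1].lower()
    normalized = ' '.join(name.lower().split())
    return normalized in HIGH_VALUE_NAMES and domain in FREEMAIL_DOMAINS


# Constructed sample headers covering the cases discussed in the thread.
SAMPLE_HEADERS = [
    '"john@example.com" <john@example.com>',          # address in name, same domain
    '"j.doe@mail.example.com" <jdoe@example.com>',    # subdomain in name, same label
    '"john@example.com" <john@evil.net>',             # address in name, different domain
    'John Doe <john@example.com>',                    # ordinary header, no address in name
    '"Accounts Payable @ Example Corp" <ap@example.com>',  # bare '@' in name, no address
    '"Jane CEO" <jane.ceo@gmail.com>',                # executive name from freemail
]


def evaluate(headers):
    """Return (header, posted_rule_fires, structured_check, exec_rule) for each header."""
    return [(h, posted_rule_fires(h), structured_check(h), exec_name_from_freemail(h))
            for h in headers]


if __name__ == '__main__':
    for header, fires, verdict, exec_hit in evaluate(SAMPLE_HEADERS):
        print(f'{header!r:60} posted_fires={fires!s:5} structured={verdict:18} exec={exec_hit}')
```

Running the block shows the posted regex firing on every header whose display name does not itself contain an address, which is the behaviour David describes for system-generated and marketing mail; the structured check returns `no-address-in-name` for those and only reports `mismatch` when an address in the display name actually disagrees with the real one.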