On Fri, 12 May 2023, Matija Nalis wrote:

On Thu, May 11, 2023 at 09:41:34PM +0000, Marc wrote:
I was wondering if spamassassin is applying some sort of algorithm to
comparing sender domain against recipient domain to detect a phishing
attempt?

[snip..]
That is because those domains are not EQUAL? Or did you want a
rule that checks only on SIMILAR domain names (e.g. with lowercase
letter "L" replaced with number "1" as in your example)?


Now I get it, the OP is looking for some kind of comparison function that does an "apparent linguistic distance" evaluation of two strings and returns a score that indicates a "visual similarity" value.
(EG replacing 'l' with '1' or 'O' with '0', etc).

Several years ago there was a flood of phish messages that had a 'From' address that used 'PayPaI' to try to fool people. I've also seen attempts using European character sets with letters that look like O or e to fake common domain names.

I've hand coded rules to check for this stuff when frequently abused but I don't know of a programmatic algorithm to do it automagically.

Dave

--
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
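
The "visual similarity" comparison discussed in this thread can be approximated by reducing both domains to a skeleton in which look-alike characters compare equal. The following is an added example, not part of the original message and not SpamAssassin code; the character table, function names and sample domains are constructed for illustration, and input is assumed to be already decoded from punycode to Unicode.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption: a real
# deployment would load Unicode's confusables.txt instead).
CONFUSABLES = {
    "1": "l", "I": "l", "|": "l",   # digit one, capital i, pipe -> l
    "0": "o",                       # digit zero -> o
    "\u043e": "o", "\u0435": "e",   # Cyrillic o, e
    "\u0430": "a", "\u0440": "p",   # Cyrillic a, er
    "\u0441": "c", "\u0456": "i",   # Cyrillic es, Ukrainian i
}

def skeleton(domain):
    """Reduce a domain to a form where look-alike characters compare equal."""
    # NFKD splits accented letters into base letter + combining mark.
    decomposed = unicodedata.normalize("NFKD", domain)
    out = []
    for ch in decomposed:
        if unicodedata.combining(ch):
            continue                # drop the accent, keep the base letter
        out.append(CONFUSABLES.get(ch, ch))
    # Lowercase only after mapping, so capital "I" has already become "l".
    return "".join(out).lower()

def is_lookalike(sender_domain, protected_domain):
    """True when the domains differ but have the same skeleton."""
    if sender_domain.lower() == protected_domain.lower():
        return False                # the genuine domain, not an imitation
    return skeleton(sender_domain) == skeleton(protected_domain)

def check_from(from_domain, protected):
    """Return the protected domain that from_domain imitates, or None."""
    for good in protected:
        if is_lookalike(from_domain, good):
            return good
    return None

if __name__ == "__main__":
    protected = ["paypal.com", "google.com"]   # constructed watch list
    for d in ["PayPaI.com", "paypa1.com", "g00gle.com", "paypal.com"]:
        print(d, "->", check_from(d, protected))
```

A match here only says the two strings render alike; it is a scoring signal for a rule, not proof of phishing.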
