>From: Sidney Markowitz <sid...@sidney.com>
>Sent: Tuesday, June 28, 2016 3:15 AM
>To: Ram; users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
>Ram wrote on 28/06/16 7:19 PM:
>> 
>> 
>> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>>> Hai!
>>>
>>> I don't understand why they would match your SPF record either. Are they
>>> sent out by an IP address you 'approved'??
>> SPF does not fail, because they use a different envelope address,
>> which may pass SPF.
>> The end recipient does not check the envelope anyway.

>You should have local SpamAssassin rules that do check the envelope sender.
>This is about official company mail from the company domain. You can require
>that all employees use mail clients that are properly configured by the
>company IT to send all official company mail. SpamAssassin can be configured
>with local rules that stop anything that has a company domain header sender
>address that does not also have a matching envelope sender address and passes
>SPF. There is no reason to allow the CEO to send company mail without using a
>proper mail server that appears on the SPF record.

>The end recipient can't be expected to check all the headers, but SpamAssassin
>can do that before the end recipient receives the mail.

> Sidney

One of my customers has been hit by at least one of these emails even with
good RBLs in use and properly trained Bayes.  The emails themselves are
perfectly formed and score very low.  They use an envelope-from of their
own domain to pass all SPF checks but they use a visible From: of
"Recognized Name <recn...@otherdomain.com>".  Even DMARC checks
would pass for the otherdomain.com.  The issue is the finance person sees
the "Recognized Name" and doesn't look closely at the otherdomain.com.
This is pure social engineering that can't be stopped by technology.  The AP
dept has to have proper safeguards and out of band validation (i.e. phone
call to the "Recognized Name").

In my instance, the finance person was told to wire thousands of dollars
and the bad guy changed the banking information twice and the person
still wasn't suspicious enough to stop and validate the request.  The real
problem is that it is a very common practice for high-level people to request
wire transfers for legitimate projects while out on the road, so the AP dept
lets down their guard.
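The two checks discussed in this thread, written out as SpamAssassin local rules for local.cf (an added example, not from any poster; example.com stands in for the company domain and the display names are invented placeholders; SPF_PASS is the stock SPF plugin rule):

```text
# Placeholders: example.com = the company domain, Jane Doe / John Roe =
# invented executive names. Adjust to the real domain and staff list.
header   __LOCAL_HDRFROM_CORP      From:addr =~ /\@example\.com$/i
header   __LOCAL_ENVFROM_CORP      EnvelopeFrom:addr =~ /\@example\.com$/i

# Check 1 (Sidney's point): visible From: is at the company domain, but
# the envelope sender is not, or SPF did not pass. Legitimate company mail
# sent through the company MTA satisfies both and never fires this.
meta     LOCAL_CORP_FROM_NOT_AUTH  __LOCAL_HDRFROM_CORP && !(__LOCAL_ENVFROM_CORP && SPF_PASS)
describe LOCAL_CORP_FROM_NOT_AUTH  Company From: without matching envelope sender and SPF pass
score    LOCAL_CORP_FROM_NOT_AUTH  5.0

# Check 2 (the case in this thread): a recognised executive's display
# name on an address outside the company domain. SPF and DMARC pass for
# the other domain, so only the display name gives it away.
header   __LOCAL_EXEC_DISPLAY_NAME From:name =~ /\b(?:Jane\s+Doe|John\s+Roe)\b/i
meta     LOCAL_EXEC_NAME_EXT_DOMAIN __LOCAL_EXEC_DISPLAY_NAME && !__LOCAL_HDRFROM_CORP
describe LOCAL_EXEC_NAME_EXT_DOMAIN Executive display name on a non-company address
score    LOCAL_EXEC_NAME_EXT_DOMAIN 6.0
```

EnvelopeFrom is only populated when the MTA records the envelope sender in a header SpamAssassin can see (Return-Path, or whatever envelope_sender_header points at), so confirm that before relying on check 1. Mailing-list and forwarded traffic legitimately rewrites the envelope sender and will need whitelisting against check 1.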
