RW wrote on 28.6.2016 16:10:
> On Tue, 28 Jun 2016 15:52:10 +0300
> Jari Fredriksson wrote:
>
>> David Jones wrote on 28.6.2016 15:46:
>
>> > One of my customers has been hit by at least one of these emails
>> > even with good RBLs in use and properly trained Bayes. The emails
>> > themselves are perfectly formed and score very low. They use an
>> > envelope-from of their own domain to pass all SPF checks but they
>> > use a visible From: of "Recognized Name
>> > <recn...@otherdomain.com>". Even DMARC checks would pass for the
>> > otherdomain.com. The issue is the finance person sees the
>> > "Recognized Name" and doesn't look closely at the otherdomain.com.
>> > This is pure social engineering that can't be stopped by
>> > technology. The AP dept has to have proper safeguards and out of
>> > band validation (i.e. phone call to the "Recognized Name").
>
>> I just refuse to believe that the technology has to trust to the
>> From:.*xxx in the smtp payload and not reject this at once. Does the
>> customer use some dmarc-implementation in their mail chain at all?
>
> There's actually nothing to link it to the recipient's domain. The
> envelope address and header from domain are whatever the sender wants
> to use. It's all down to the displayed first name and surname which is
> all most email clients display.
>
> Almost all the phishes I've received in the last few years have done
> this - except that they have something like "paypal support" rather
> than an individual's name.

Ah, so true.

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
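
The display-name mismatch discussed in this thread, as an added example that is not part of the original messages: a Python check that flags mail whose From: display name matches a protected staff name while the address is outside the organisation's own domains, so it can be held for out-of-band validation. The names in `PROTECTED_NAMES`, the domain `example.com`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from email import message_from_string, policy

# Assumptions: people worth impersonating, and the domains they really send from.
PROTECTED_NAMES = {"recognized name"}
TRUSTED_DOMAINS = {"example.com"}

def _normalize(name):
    """Fold case, accents, punctuation and spacing so trivial variants still match."""
    text = unicodedata.normalize("NFKD", name or "")
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def display_name_mismatch(raw_message):
    """Return (display_name, address) pairs where a protected name is shown
    next to an address outside the trusted domains.

    SPF and DMARC results are deliberately ignored: as the thread notes, the
    sender controls both the envelope and the header domain, so those pass.
    """
    # policy.default decodes RFC 2047 encoded-words in the display name.
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for header in msg.get_all("From", []):
        for mailbox in header.addresses:
            shown = _normalize(mailbox.display_name)
            domain = (mailbox.domain or "").lower()
            if shown in PROTECTED_NAMES and domain not in TRUSTED_DOMAINS:
                hits.append((mailbox.display_name, mailbox.addr_spec))
    return hits

# Constructed sample messages (not taken from the thread).
SPOOFED = ('Return-Path: <bounce@otherdomain.com>\n'
           'From: "Recognized Name" <billing@otherdomain.com>\n'
           'To: ap@example.com\nSubject: Invoice\n\nPlease pay today.\n')
ENCODED = ('From: =?utf-8?q?Recognized_Name?= <ceo@otherdomain.com>\n'
           'To: ap@example.com\nSubject: Invoice\n\nPlease pay today.\n')
LEGIT = ('From: Recognized Name <rname@example.com>\n'
         'To: ap@example.com\nSubject: Lunch\n\nSee you at noon.\n')
STRANGER = ('From: Some Vendor <sales@otherdomain.com>\n'
            'To: ap@example.com\nSubject: Quote\n\nAttached.\n')

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("encoded", ENCODED),
                       ("legit", LEGIT), ("stranger", STRANGER)]:
        print(label, display_name_mismatch(raw))
```

A hit is a reason to route the message for review rather than proof of fraud, since staff sometimes write from personal addresses.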