RW wrote on 28.6.2016 16:10:
> On Tue, 28 Jun 2016 15:52:10 +0300
> Jari Fredriksson wrote:
> 
>> David Jones wrote on 28.6.2016 15:46:
> 
>> > One of my customers has been hit by at least one of these emails
>> > even with good RBLs in use and properly trained Bayes.  The emails
>> > themselves are perfectly formed and score very low.  They use an
>> > envelope-from of their own domain to pass all SPF checks but they
>> > use a visible From: of "Recognized Name
>> > <recn...@otherdomain.com>".  Even DMARC checks would pass for the
>> > otherdomain.com.  The issue is the finance person sees the
>> > "Recognized Name" and doesn't look closely at the otherdomain.com.
>> > This is pure social engineering that can't be stopped by
>> > technology.  The AP dept has to have proper safeguards and out of
>> > band validation (i.e. phone call to the "Recognized Name").
> 
>> I just refuse to believe that the technology has to trust to the
>> From:.*xxx in the smtp payload and not reject this at once. Does the
>> customer use some dmarc-implementation in their mail chain at all?
> 
> There's actually nothing to link it to the recipient's domain. The
> envelope address and header from domain are whatever the sender wants
> to use. It's all down to the displayed first name and surname which is
> all most email clients display.
> 
> Almost all the phishes I've received in the last few years have done
> this - except that they have something like "paypal support" rather
> than an individual's name.


Ah, so true.


-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce
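
The mismatch discussed in this thread (a recognized display name in From: on an address at an unrelated domain, with SPF and DMARC passing for that domain) can be flagged for review by comparing the displayed name against a local list. The following is an added example, not code from the thread or from any project mentioned in it; the PROTECTED_NAMES policy, the customer.example domain and the sample messages are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

# Assumed policy (constructed values): display names that staff recognise,
# mapped to the only domains those senders legitimately use.
PROTECTED_NAMES = {"recognized name": {"customer.example"}}

def normalize(name):
    """Fold case, accents, quotes and spacing so near-identical names match."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return " ".join(name.lower().replace('"', " ").split())

def display_name_mismatches(raw_message):
    """Return (display name, address) pairs whose name is protected but whose
    address domain is not one that name is allowed to send from."""
    msg = message_from_string(raw_message)
    hits = []
    for realname, addr in getaddresses(msg.get_all("From", [])):
        # Display names may be RFC 2047 encoded-words; decode before comparing.
        shown = str(make_header(decode_header(realname)))
        domain = addr.rpartition("@")[2].lower()
        allowed = PROTECTED_NAMES.get(normalize(shown))
        if allowed is not None and domain not in allowed:
            hits.append((shown, addr))
    return hits

# Constructed samples: each would pass SPF and DMARC for its own domain.
SPOOFED = (
    "Return-Path: <bounce@otherdomain.com>\n"
    'From: "Recognized Name" <sender@otherdomain.com>\n'
    "Subject: Invoice payment\n\nPlease wire today.\n"
)
GENUINE = SPOOFED.replace("otherdomain.com", "customer.example")
ENCODED = SPOOFED.replace('"Recognized Name"', "=?utf-8?q?R=C3=A9cognized_Name?=")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("encoded", ENCODED)):
        print(label, display_name_mismatches(raw))
```

A match is a reason to tag or hold the message for a second look, not proof of fraud, since unrelated people can share a name.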
