Hi,

On Wed, Jun 29, 2016 at 12:58 AM, Chip M. <sa_c...@iowahoneypot.com> wrote:
> On Tue, 28 Jun 2016 14:13:57 +0000 David Jones wrote:
>> If I search the Internet for the CEO/CIO/CTO/etc of a company
>> and send an email from my domain but make the displayed name
>> in the visible From: be that CEO/CIO/CTO/etc's full name that
>> the recipient is used to seeing in the mail client, then I have
>> spoofed nothing detectable in advance by SA or any mail filter
>> technology.
>
> Excellent summary!
> The key is that the number of spoofed people is extremely SMALL,
> and we _CAN_ anticipate who they are.
>
> It's easy to write a CUSTOM set of rules just for actual/likely
> targeted senders (CEO/etc).
> For each person/target, create a rule that tests an explicit
> list of that person's normal Realname(s) (including reasonable
> variations), against the Realname part of the From header, and
> if there's a match, test whether the From Address is in a list
> of allowed addresses. Score only if it's a probable phish
> Realname from an unknown/unallowed address.

I've also been battling this for a long time. Those unknown/unallowed
addresses are basically the list of permissible domains, I would think,
correct?

How about the case where the From: is spoofed (both real name and email)
to be a CXO and SPF passes for another domain? Do you rely on DKIM/DMARC,
or do you have rules that block those? I would then think you'd also need
rules that exclude the cases where SPF passes for your own domain.

> I have not yet noticed any fuzzing "in the wild", however all of
> my targets have extremely "anglo" names. I recommend looking at
> tools that create fuzzy variations.

Does such a tool exist for domains? Perhaps you have some example tools?

Thanks,
Alex
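The per-target check Chip describes (known Realname variants matched against the From display name, then the From address tested against that person's allowed addresses), as an added Python prototype that is not from this thread or from SpamAssassin; the target names, addresses and alias table are constructed, and it assumes nothing beyond the standard library.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed policy: canonical display name -> addresses allowed to carry it.
TARGETS = {
    "jane doe": {"jane.doe@example.com", "jdoe@example.com"},
    "robert smith": {"robert.smith@example.com", "bob.smith@example.com"},
}
# Reasonable variations (nicknames, initials) folded onto the canonical name.
ALIASES = {
    "bob smith": "robert smith",
    "rob smith": "robert smith",
    "r smith": "robert smith",
}


def normalize_name(display):
    """Fold a display name so 'Jane  DOE', 'Doe, Jane', 'Jané Doe' and the
    common trick of putting an address in the display name all compare as
    'jane doe'. Middle names/initials are dropped: keep first and last token."""
    text = unicodedata.normalize("NFKD", display)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = text.split("@")[0]            # '"jane.doe@example.com" <x@...>'
    if "," in text:                      # "Doe, Jane" -> "jane doe"
        last, first = text.split(",", 1)
        text = f"{first} {last}"
    words = re.sub(r"[^a-z\s]", " ", text).split()
    if len(words) > 2:
        words = [words[0], words[-1]]
    return " ".join(words)


def check_from(from_header):
    """Return (verdict, canonical_name): 'spoof' = target Realname from an
    unallowed address (the only case that should score), 'ok' = target
    Realname from an allowed address, 'none' = no target matched."""
    display, addr = parseaddr(from_header)
    name = normalize_name(display)
    name = ALIASES.get(name, name)
    allowed = TARGETS.get(name)
    if allowed is None:
        return "none", name
    if addr.lower() in allowed:
        return "ok", name
    return "spoof", name
```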