Sanity checks for sender address needed

Security Filtering

3 replies to this topic

#1 Ulrich Sieveking

  • Members
  • 10 posts

Posted 12 October 2017 - 06:34 AM

Hello all,

For some weeks we've seen large amounts of phishing attempts with manipulated From: lines in their headers. Earlier we saw this only in those rare cases of CEO fraud, but it has now become commonplace. Additionally, those mails consist of hardly more than a malicious link, which is by far not often enough recognized by Intent Analysis, and they come from hijacked legitimate mail servers, so the IP-based reputation lists don't stop these mails either.

The net result is that far too many of these mails are allowed through by the ESG, and that's why I propose implementing some sanity checks for the From field as soon as possible.

The usual case looks like this:

From: mailto:user@well-known-or-trusted-domain.tld <mailto:otheruser@hijacked-domain.tld>

Sometimes the first part is enclosed in quotation marks, but the main point is that it should be possible to block, or at least quarantine, mails in which the real name contains an email address whose domain differs from the domain of the SMTP address in angle brackets.

As we see it, nearly all cases of CEO fraud and most if not all phishing mails that currently go right through the ESG could be blocked with this check, so it would be great to see this feature in the ESG soon.

Best regards,

Ulrich Sieveking
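The check proposed in this post, as an added example that is not part of the original thread or of the ESG product: a small Python function splits the From: value into display name and addr-spec and flags the message when the display name embeds an email address whose domain differs from the real one. The sample From: values are constructed for the example; a deliberately simple parser is used instead of `email.utils.parseaddr`, whose handling of exactly these malformed headers varies between Python versions.

```python
import re
# An addr-spec anywhere in a string, capturing its domain; a "mailto:" prefix
# like the one in the post's example is simply skipped over.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# "display-name <addr-spec>"; the display name may be quoted.
ANGLE_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]*)>\s*$")

def split_from(from_value):
    """Return (display_name, addr_spec); a bare addr-spec has no display name."""
    m = ANGLE_RE.match(from_value)
    if not m:
        return "", from_value.strip()
    name = m.group("name").strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]  # drop the quotes around a quoted-string phrase
    return name, m.group("addr").strip()

def domains_in(text):
    """Lower-cased domains of every email address found in text."""
    return {m.group(1).lower() for m in ADDR_RE.finditer(text)}

def check_from(from_value):
    """Return (suspicious, reason): suspicious when the display name embeds an
    address whose domain differs from the real addr-spec's domain (exact match,
    so a sub-domain mismatch is flagged as well)."""
    name, addr = split_from(from_value)
    real = domains_in(addr)
    if len(real) != 1:
        return True, "addr-spec missing or ambiguous"
    real_domain = real.pop()
    foreign = domains_in(name) - {real_domain}
    if foreign:
        return True, "display name claims %s, real sender is %s" % (
            ", ".join(sorted(foreign)), real_domain)
    return False, "ok"

# Constructed sample From: values (not real mail) with the expected verdict.
SAMPLES = {
    "user@well-known-or-trusted-domain.tld <otheruser@hijacked-domain.tld>": True,
    '"ceo@trusted-domain.tld" <someone@hijacked-domain.tld>': True,
    '"Jane Doe" <jane.doe@trusted-domain.tld>': False,
    "jane.doe@trusted-domain.tld <jane.doe@trusted-domain.tld>": False,
    "jane.doe@trusted-domain.tld": False,
}

if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        suspicious, reason = check_from(header)
        assert suspicious == expected
        print("QUARANTINE" if suspicious else "ALLOW", "|", header, "|", reason)
```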


#2 Ulrich Sieveking

  • Members
  • 10 posts

Posted 06 December 2017 - 06:08 AM

Hello all,

Even if one shouldn't follow up on one's own postings, I'll have to do it this time because nothing seems to happen here and the problem keeps getting worse. www[.]mailsploit[.]com has recently published lots of material regarding sender spoofing, and we now see the first malware campaigns using this information. We also see that hijacked real mail accounts are used more and more often to send these mails, which means that SPF and similar tools are useless against them.

So it is more urgent than ever to have an effective and comprehensive sanity check for the whole From: field.

Best regards,

Ulrich Sieveking

#3 Daniel Petrak

  • Members
  • 3 posts

Posted 29 December 2017 - 12:52 PM

Have you checked the setting under Advanced...Email Protocol for Sender Spoof Protection?

#4 Ulrich Sieveking

  • Members
  • 10 posts

Posted 11 January 2018 - 07:09 AM

Yes, of course. But this setting only turns checking of the real mail address on or off. It has nothing to do with RFC 822 phrases, which are the focus of this FRQ.