Phishing From Own Domain

From Roaring Penguin
Revision as of 14:20, 27 November 2015 by JohnMertz (talk | contribs)


A common tactic in more targeted phishing is for the attacker to identify key figures within an organization and fake a conversation among them. The message typically lands in the inbox of someone in the finance department, for instance cfo@example.com, and appears to come from a trusted sender such as ceo@example.com.

SpamAssassin already has a rule that detects this behaviour, HEADER_FROM_DIFFERENT_DOMAINS (the From: header and the envelope sender are in different domains), but we give it a negligible score because of its huge potential for false positives: it also fires for any legitimate source that delivers through a relay or that hides its true sender for good reasons. The score of this rule can be raised under Rules->Score Overrides, but a more specific rule is better. The rule is still a good indicator that a message has been spoofed, and a useful starting point for building more precise rules.

Recommended Rule

The best solution is usually a compound rule that fires only when the sender spoofs the recipient's own domain.

  • From the default realm, navigate to Rules->Compound Rules. Add a new rule as follows:
(Domain of Header From) is example.com AND (Domain of Envelope Sender) is not example.com
  • Assign enough points for a matching message to be trapped.

This rule will also fire for some legitimate sources, such as Mailchimp, that are not spam but deliberately send with your domain in the From: header so recipients are not confused. You can create exceptions for these by appending to the rule above, once for each such envelope sender domain:

AND (Domain of Envelope Sender) is not exception.com

Note what the rule compares: the domain of the address in the From: header against the domain of the envelope sender (the SMTP MAIL FROM). A message whose envelope sender is also forged to example.com passes this rule; that case is what SPF is meant to catch, so publish an SPF record for your domain and check it at the gateway as well.
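The following is an added example, not CanIt code, that models the compound rule above together with the exception clause and runs it over constructed messages: a spoof with an external envelope sender, genuine internal mail, a Mailchimp-style sender listed as an exception, a spoof that forges the envelope sender too, and a lookalike display name in front of an external address. The names `spoofs_own_domain`, `addr_domain` and the sample addresses are assumptions for illustration; the domain comparison is an exact, case-insensitive match (an assumption about how the rule engine compares domains, so list subdomains separately if that is what you see in headers).

```python
# Added example: a stand-alone model of the compound rule
#   (Domain of Header From) is example.com
#   AND (Domain of Envelope Sender) is not example.com
#   AND (Domain of Envelope Sender) is not exception.com
# This is illustrative Python, not CanIt's rule engine. Exact-match domain
# comparison is an assumption; the sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr


def addr_domain(addr):
    """Lower-cased domain of the real address in a From-style header, '' if none.

    parseaddr() separates the display name from the angle-bracket address, so a
    display name that merely *looks* like ceo@example.com does not count.
    """
    _, mailbox = parseaddr(addr or "")
    if "@" not in mailbox:
        return ""
    return mailbox.rsplit("@", 1)[1].lower()


def spoofs_own_domain(message_text, envelope_sender, own_domain, exceptions=()):
    """Return (hit, reason) for one message.

    envelope_sender is the SMTP MAIL FROM address as the gateway saw it; in a
    stored message it usually ends up in the Return-Path header.
    """
    own = own_domain.lower()
    allowed = {d.lower() for d in exceptions}
    from_dom = addr_domain(message_from_string(message_text).get("From"))
    env_dom = addr_domain(envelope_sender)

    if from_dom != own:
        return False, "header From domain %r is not %s" % (from_dom, own)
    if env_dom == own:
        # Both addresses claim our domain: this rule cannot tell a forgery
        # from real internal mail. SPF on the envelope sender is the control here.
        return False, "envelope sender is also %s; rely on SPF" % own
    if env_dom in allowed:
        return False, "envelope sender domain %s is an exception" % env_dom
    return True, "header From %s but envelope sender %s" % (from_dom, env_dom or "<empty>")


# Constructed sample messages (assumed addresses, not real traffic).
SPOOF = """From: "Jane CEO" <ceo@example.com>
To: cfo@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LOOKALIKE = """From: "ceo@example.com" <payments@attacker.invalid>
To: cfo@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""


def run_examples(own_domain="example.com", exceptions=("exception.com",)):
    """Evaluate each constructed case; returns a list of (label, hit, reason)."""
    cases = [
        ("spoof, external envelope sender", SPOOF, "bounce@mail.attacker.invalid"),
        ("genuine internal mail", SPOOF, "ceo@example.com"),
        ("mailing service listed as exception", SPOOF, "bounces@exception.com"),
        ("spoof forging envelope sender too", SPOOF, "ceo@example.com"),
        ("lookalike display name", LOOKALIKE, "bounce@mail.attacker.invalid"),
    ]
    results = []
    for label, text, mail_from in cases:
        hit, reason = spoofs_own_domain(text, mail_from, own_domain, exceptions)
        results.append((label, hit, reason))
    return results


if __name__ == "__main__":
    for label, hit, reason in run_examples():
        print("%-38s %-5s %s" % (label, "TRAP" if hit else "pass", reason))
```

Running it shows that only the first case is trapped by this rule: the exception clause clears the mailing service, and the last two cases (envelope sender forged to your own domain, or a lookalike display name in front of an external address) are not spoofs of your domain as this rule defines it, which is why SPF and user awareness still matter alongside it.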