Phishing From Own Domain

From Roaring Penguin
Revision as of 13:04, 3 May 2016 by JohnMertz (talk | contribs)


A common tactic for more advanced phishing techniques is for the spammer to identify key figures within an organization and spoof a conversation among them. The message will generally show up in the inbox of someone in the financial department - for instance, cfo@example.com - and will appear to be from a trusted sender, say ceo@example.com.

SpamAssassin already has a rule that detects this behaviour (HEADER_FROM_DIFFERENT_DOMAINS), but we set it to have a negligible effect on the score because of its huge potential to create false positives: it is also triggered by any source that delivers through a relay, or that disguises its true sender for legitimate reasons. The score of this rule can be increased under Rules->Score Overrides, but a more specific rule is better. This rule is, however, a good indicator that a message has been spoofed, which helps when creating better rules.

Best Practices

Depending on the nature of the spam - if the spammer doesn't require you to reply - they may spoof both the Header Address and the Envelope Address, in which case the above rule will NOT trigger, nor will any of the rules below.

These messages will be caught if you maintain a valid SPF Record. This is a DNS record that advertises what machines are allowed to deliver mail using your domain name.

An SPF record will often make the rules below redundant; however, they remain helpful when only the Header Address is spoofed, which is common in more targeted attacks.
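To make concrete why an SPF record catches the fully spoofed case that the compound rules cannot, here is a minimal SPF check_host() covering only the ip4, ip6 and all mechanisms of RFC 7208. This is an added example, not CanIt's SPF implementation, and it does no DNS; the record text, the connecting addresses and the example.com domain are constructed for the illustration (192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges).

```python
"""Minimal SPF evaluator (ip4/ip6/all only) for a constructed example.com record.
Added illustration, not CanIt's or any library's code; no DNS lookups are made."""
import ipaddress

# Qualifier prefix -> SPF result name (a term with no prefix means "+")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: two permitted sending ranges, everything else hard-fails
EXAMPLE_COM_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def parse_spf(txt):
    """Split a TXT record into its terms after checking the version tag."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def check_host(client_ip, spf_txt):
    """Evaluate the record for the connecting IP, left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for term in parse_spf(spf_txt):
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]        # catch-all, usually -all or ~all
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"              # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists and redirect= need DNS lookups; not modelled here
        raise NotImplementedError(f"mechanism {mech!r} needs DNS, out of scope")
    # No mechanism matched and no "all" term: RFC 7208 default result
    return "neutral"


def should_reject(client_ip, spf_txt=EXAMPLE_COM_SPF):
    """Reject only on a hard 'fail'; softfail/neutral are better handled by scoring,
    in the same spirit as the page's advice to keep false positives out of rejection."""
    return check_host(client_ip, spf_txt) == "fail"


if __name__ == "__main__":
    # Constructed scenario: envelope sender AND header From both claim example.com
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.23"):
        print(f"{ip:16} {check_host(ip, EXAMPLE_COM_SPF):9} reject={should_reject(ip)}")
```

A lure sent from 198.51.100.23 with both addresses forged to example.com evaluates to "fail" against this record even though the header and envelope domains agree, which is exactly the gap the compound rules leave open. Records that end in "~all" yield "softfail" instead, so a filter should score that result rather than reject on it.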

Recommended Rule

The best solution for this is usually to create a compound rule that is triggered only when a sender spoofs the domain of the recipient.

  • From the default stream, navigate to Rules->Compound Rules. Add new as follows (where example.com is your own domain):
(Domain of Header From is example.com) AND (Domain of Envelope Sender is not example.com)
  • Apply enough points that matching messages are trapped.

This rule will also trigger for some valid sources, such as Mailchimp, that are not spam but still present your domain as the sender to limit confusion for recipients. You can create exceptions for these by appending to the rule above:

AND (Domain of Envelope Sender is not exception.com)

General Rule

To avoid creating the above rule for many domains, you can create an alternate version that takes the recipient domain as a variable, so that it applies to mail spoofing any recipient's own domain.

Please use caution with this rule because of the exceptions mentioned above: an exception added to this rule applies to all domains affected by it. It is best to leave this rule, as below, with no exceptions; if a specific domain needs exceptions, create the above rule local to that realm and override the score of this rule to 0 there.

  • From the default stream of the top-level realm, navigate to Rules->Compound Rules. Add the following (the percent and curly-brace strings should be entered literally):
(Envelope Recipient Ends with %{domain_of_header_from}) AND (Envelope Recipient Does not end with %{domain_of_envelope_sender})
  • Apply a small score, not more than your hold threshold, to future-proof against false positives being rejected outright.
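The Recommended Rule and the General Rule above differ in a way that is easy to miss: the first compares against a fixed domain and can carry exceptions, the second compares string suffixes of the envelope recipient and cannot. The following Python re-implementation of both rules is an added illustration, not CanIt's or SpamAssassin's rule engine; the message and the envelope values are constructed, example.com and exception.com are the page's own placeholders, and attacker-host.invalid is a placeholder introduced here.

```python
"""Both compound rules from this page re-implemented in Python for illustration.
Not CanIt's rule engine; sample message and envelope values are constructed."""
import email
from email import policy
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none
    (for example the null envelope sender <> used by bounces)."""
    _, addr = parseaddr(address or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def domain_of_header_from(raw_message):
    """'Domain of Header From': taken from the From: header inside the message,
    which the sender controls, as opposed to the SMTP envelope sender."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return domain_of(msg.get("From", ""))


def recommended_rule(hdr_from_dom, env_sender_dom, own_domain, exceptions=()):
    """(Domain of Header From is own_domain)
       AND (Domain of Envelope Sender is not own_domain)
       AND, for each appended exception, (Domain of Envelope Sender is not exception)."""
    own = own_domain.lower()
    allowed = {e.lower() for e in exceptions}
    return hdr_from_dom == own and env_sender_dom != own and env_sender_dom not in allowed


def general_rule(env_recipient, hdr_from_dom, env_sender_dom):
    """(Envelope Recipient Ends with %{domain_of_header_from})
       AND (Envelope Recipient Does not end with %{domain_of_envelope_sender}).
    The comparison is a plain string suffix, exactly as the rule text reads."""
    rcpt = env_recipient.lower()
    if not hdr_from_dom:
        return False          # no From domain at all: nothing to compare against
    # An empty envelope-sender domain (null sender) is a suffix of every string,
    # so the second clause is false and bounces never match this rule.
    return rcpt.endswith(hdr_from_dom) and not rcpt.endswith(env_sender_dom)


def evaluate(raw_message, env_sender, env_recipient, own_domain, exceptions=()):
    """Run both rules against one message plus its envelope; report which fired."""
    hdr_from_dom = domain_of_header_from(raw_message)
    env_sender_dom = domain_of(env_sender)
    return {
        "recommended": recommended_rule(hdr_from_dom, env_sender_dom, own_domain, exceptions),
        "general": general_rule(env_recipient, hdr_from_dom, env_sender_dom),
    }


# Constructed sample: the CEO-to-CFO lure the page describes.
LURE = (
    b"From: CEO <ceo@example.com>\r\n"
    b"To: cfo@example.com\r\n"
    b"Subject: Urgent wire transfer\r\n"
    b"\r\n"
    b"Please process the attached invoice before end of day.\r\n"
)

if __name__ == "__main__":
    cases = {
        # Header From spoofed, envelope sender is the attacker's real domain
        "spoofed header only": ("ceo@attacker-host.invalid", ()),
        # Genuine internal mail and a fully spoofed envelope look identical to
        # these rules, which is why the page relies on SPF for that case
        "internal / fully spoofed": ("ceo@example.com", ()),
        # Bulk mailer that legitimately sends on your behalf, with an exception
        "mailer with exception": ("bounces@exception.com", ("exception.com",)),
    }
    for name, (sender, exc) in cases.items():
        print(f"{name:26} {evaluate(LURE, sender, 'cfo@example.com', 'example.com', exc)}")
```

Running the three constructed cases shows the caveat from the General Rule section directly: the mailer case passes the Recommended Rule once exception.com is appended, but the General Rule still fires on it, which is why that rule should carry only a small score.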

Spoofing From Other Domains

See Spoofed Addresses