Phishing From Own Domain

From Roaring Penguin
Revision as of 16:48, 1 February 2017 by MCoyne (talk | contribs)

A common tactic in more advanced phishing is for the spammer to identify key figures within an organization and spoof a conversation among them. The message will generally show up in the inbox of someone in the financial department - for instance, - and will appear to be from a trusted sender, say

SpamAssassin already has a rule that detects this behaviour, HEADER_FROM_DIFFERENT_DOMAINS, which fires when the domain of the header From address differs from the domain of the envelope sender. We set it to have a negligible effect on the score because of its huge potential for false positives: it is also triggered by any source that delivers through a relay, or that disguises its true sender for legitimate reasons (mailing lists and bulk-mail providers, for example). The score of this rule can be increased under Rules->Score Overrides, but a more specific rule is better. The rule is, however, a good indicator that a message has been spoofed, and a useful starting point for building better rules.

Best Practices

Depending on the nature of the spam, if the spammer does not need you to reply, they may spoof both the header address and the envelope address. Every rule on this page works by comparing the two, so in that case the above rule will NOT trigger, nor will any of the rules below.

These messages will be caught if you maintain a valid SPF record and the receiving system checks it. SPF is a DNS record that advertises which machines are allowed to deliver mail using your domain name as the envelope sender; a message that claims your domain in its envelope but arrives from a machine the record does not list fails the check.

An SPF record will often make the rules below redundant. They remain useful, however, when only the header address is spoofed, which is common in more targeted attacks, because SPF checks only the envelope sender.

Recommended Rule

The best solution is usually to create a custom rule (a compound rule prior to version 10.1.0) that is triggered only when a sender spoofs the domain of the recipient.

  • From the default stream, navigate to Rules->Custom Rules (Compound Rules prior to version 10.1.0). Add a new rule as follows (where is your own domain):
(Domain of Header From is AND (Domain of Envelope Sender is not
  • Apply enough points for a matching message to be trapped.

This rule will also trigger for some legitimate sources, such as Mailchimp, that are not spam but still present a header From in your domain so that recipients are not confused. You can create exceptions for these by appending to the rule above:

AND (Domain of Envelope Sender is not

General Rule

To avoid creating the above rule separately for each of many domains, you can create an alternate version that takes the recipient's domain as a variable, so that one rule applies to mail spoofing any recipient's own domain.

Please use caution with this rule because of the exceptions mentioned above: any exception you add to it applies to every domain it covers. It is best to leave this rule as shown below, with no exceptions. If a specific domain needs exceptions, create the per-domain rule above local to that realm and override the score of this rule to 0 there.

  • From the default stream of the top-level realm, navigate to Rules->Custom Rules (Compound Rules prior to version 10.1.0). Add the following (type the percent sign and curly braces exactly as shown; they are variables expanded per message):
(Envelope Recipient Ends with %{domain_of_header_from}) AND (Envelope Recipient Does not end with %{domain_of_envelope_sender}) 
  • Apply a small score, not more than your reject threshold (S-100), to future-proof against false positives being rejected outright.

This differs from the HEADER_FROM_DIFFERENT_DOMAINS rule above in that it applies only to the recipient's own domain: it will not trigger if the sender is spoofing any domain other than the exact one they are sending to (an alias domain of it included). It will, however, match sub-domains, because it uses the "Ends with" condition. That is unavoidable, as there is no "Domain of Envelope Recipient" clause, so the rule must test the full recipient address.
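
As an added example (not Roaring Penguin's or CanIt's own code), the following Python evaluates both the recommended per-domain rule and the general rule above against constructed sample messages, and adds a simplified stand-in for the SPF check that catches the both-addresses-spoofed case the rules cannot. The domain names, IP addresses, the exception list (the bulk-mailer domain is a placeholder, not Mailchimp's real bounce domain), the static SPF table, and the reading of "Ends with" as a plain string suffix on the full recipient address are all assumptions made for the example.

```python
"""Evaluate the spoofed-own-domain rules from the page against constructed messages.

Added example; not part of CanIt or Roaring Penguin's code.
"""
from email.parser import Parser
from email.utils import parseaddr

# Constructed data: all domains, IPs and the exception list are assumptions.
OUR_DOMAIN = "example.com"
# Envelope-sender domains that legitimately use a header From in our domain
# (a bulk-mailer would go here); placeholder name, not a real provider's domain.
ENVELOPE_SENDER_EXCEPTIONS = frozenset({"mail-bounces.example.net"})
# Simplified stand-in for a published SPF record: IPs allowed to send MAIL FROM
# our domain. Real SPF evaluation does DNS lookups and handles include:/a/mx
# mechanisms; this table does not.
SPF_ALLOWED_IPS = {"example.com": frozenset({"192.0.2.10"})}

# Constructed sample messages (headers only are needed for these rules).
SPOOFED_HEADER_FROM = (
    "From: CEO <ceo@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please pay the attached invoice today.\n"
)
BULK_MAILER = (
    "From: Newsletter <newsletter@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Monthly update\n"
    "\n"
    "This month's news.\n"
)


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def header_from_domain(raw_message):
    """Domain of the RFC 5322 From: header, i.e. what the recipient sees."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    return domain_of(msg.get("From", ""))


def recommended_rule(raw_message, envelope_sender, our_domain=OUR_DOMAIN,
                     exceptions=frozenset()):
    """(Domain of Header From is our_domain) AND (Domain of Envelope Sender is
    not our_domain) AND, for each exception, (Domain of Envelope Sender is not
    that exception). Per-domain rule: exceptions apply only to our_domain."""
    hf = header_from_domain(raw_message)
    es = domain_of(envelope_sender)
    return hf == our_domain and es != our_domain and es not in exceptions


def general_rule(raw_message, envelope_sender, envelope_recipient):
    """(Envelope Recipient Ends with %{domain_of_header_from}) AND
    (Envelope Recipient Does not end with %{domain_of_envelope_sender}),
    with "Ends with" taken as a plain string suffix on the full recipient."""
    hf = header_from_domain(raw_message)
    es = domain_of(envelope_sender)
    rcpt = envelope_recipient.lower()
    if not hf or not es:
        return False  # an empty domain would be a suffix of every recipient
    return rcpt.endswith(hf) and not rcpt.endswith(es)


def spf_result(envelope_sender, client_ip):
    """'pass', 'fail', or 'none' (no record published) for the envelope sender."""
    allowed = SPF_ALLOWED_IPS.get(domain_of(envelope_sender))
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def evaluate(raw_message, envelope_sender, envelope_recipient, client_ip):
    """Run all three checks on one delivery attempt and report what flagged it."""
    return {
        "recommended_rule": recommended_rule(
            raw_message, envelope_sender, exceptions=ENVELOPE_SENDER_EXCEPTIONS),
        "general_rule": general_rule(raw_message, envelope_sender, envelope_recipient),
        "spf": spf_result(envelope_sender, client_ip),
    }


if __name__ == "__main__":
    cases = [
        ("header From spoofed only", SPOOFED_HEADER_FROM, "bounce@attacker.invalid",
         "ap@example.com", "203.0.113.5"),
        ("header and envelope spoofed", SPOOFED_HEADER_FROM, "ceo@example.com",
         "ap@example.com", "203.0.113.5"),
        ("legitimate internal mail", SPOOFED_HEADER_FROM, "ceo@example.com",
         "ap@example.com", "192.0.2.10"),
        ("bulk mailer on exception list", BULK_MAILER,
         "bounce-123@mail-bounces.example.net", "ap@example.com", "203.0.113.5"),
    ]
    for label, msg, sender, rcpt, ip in cases:
        print(f"{label}: {evaluate(msg, sender, rcpt, ip)}")
```

The first two cases show the division of labour the page describes: with only the header From forged, both rules fire and SPF has nothing to say; with both addresses forged to our domain, the rules see agreeing domains and stay silent, and only the SPF stand-in (the forged envelope arriving from an unlisted IP) fails the message. The bulk-mailer case shows why the exception belongs on the per-domain rule: the general rule, which has no exceptions, still fires. Because the general rule is a plain suffix match on the full recipient address, it matches a recipient at billing.example.com (the sub-domain behaviour the page notes) and, under this example's assumption, also a recipient at a look-alike such as notexample.com; whether the product's "Ends with" condition behaves the same way is not stated on this page.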

Spoofing From Other Domains

See Spoofed Addresses