Phishing From Own Domain

From Roaring Penguin
Revision as of 14:15, 26 September 2017 by JohnMertz (talk | contribs) (Display Name Only (Variant))

Jump to: navigation, search

A common tactic for more advanced phishing techniques is for the spammer to identify key figures within an organization and spoof a conversation among them. The message will generally show up in the inbox of someone in the financial department - for instance, - and will appear to be from a trusted sender, say

There is already a rule in SpamAssassin that detects this behaviour (HEADER_FROM_DIFFERENT_DOMAINS) but we set it to have negligible effect on the score because of its huge potential to create false-positives. This is because it will be triggered by any source that delivers through a relay or that disguises it's true sender for good reasons as well. The score of this rule can be increased using Rules->Score Overrides, but a more specific rule is better. This rule is, however, a good indicator that a message has been spoofed so that better rules can be created.

Best Practices

Depending on the nature of the spam - if the spammer doesn't require you to reply - they may spoof both of the Header Address and Envelope Address in which case the above rule will NOT trigger, nor will any of the rules below.

These messages will be caught if you maintain a valid SPF Record. This is a DNS record that advertises what machines are allowed to deliver mail using your domain name.

An SPF record will often make the below rules redundant, however they remain helpful if only the Header Address is spoofed, which is common for more targeted attacks.

Recommended Rule

The best solution for this is usually to create a Custom Rule (Compound Rule prior to version 10.1.0) that is triggered only when a sender spoofs the domain of the recipient.

  • From the default stream, navigate to Rules->Custom Rules (Compound Rules prior to version 10.1.0). Add new as follows (where is your own domain):
(Domain of Header From is AND (Domain of Envelope Sender is not
  • Apply enough points to get trapped.

This rule will also trigger for some valid sources such as Mailchimp that are not spam, but will still pretend to be sending from your domain to limit confusion for recipients. You can will need to add an additional clause for each of these sources, if any, that apply to your domain. The clause follows the same format as the second clause above, but should instead use the name of the domain that you would like to make the exception for. If that domain were '' it would look like this:

AND (Domain of Envelope Sender is not

You can add as many exceptions as you like so long as you use that logic and replace '' with the actual sending domain.

General Rule

To avoid creating the above rule for a bunch of domains you can create an alternate version that takes the recipient domain as a variable so that it can be used to apply to mail spoofing any recipient's own domain.

Please use caution with this rule due to the exceptions mentioned above. If you add an exception to this rule it will apply to all domains that are effected by it. It is best to leave this rule, as below, with no exceptions and if you need a specific domain to have exceptions then create the above rule local to that realm and override the score of this rule to 0.

  • From the default stream of the top-level realm, navigate to Rules->Custom Rules (Compound Rules prior to version 10.1.0). Add the following (the percent and curly braces string should be taken literally):
(Envelope Recipient Ends with %{domain_of_header_from}) AND (Envelope Recipient Does not end with %{domain_of_envelope_sender}) 
  • Apply a small score, not more than your reject threshold (S-100), to future-proof against false-positives being completely rejected.

This is different from the HEADER_FROM_DIFFERENT_DOMAINS rule above in that it only applies to the recipient's domain; it will not trigger if the sender is spoofing any domain except the exact one they are sending to, including aliases domains. It will, however, match sub-domains given that it uses the "Ends with" condition. This is mandatory, as there is no "Domain of Envelope Recipient" clause and so the rule must query the full recipient address.

Display Name Only (Variant)

It is also possible for the spammer to spoof both the Envelope address and the Header address without using appropriate formatting. For instance:

  From: [mailto:]

A 'mailto' is optional and will be interpreted by some mail readers as a link and thus it will not actually appear but it will be used to reply if clicked. The spammer will usually then use their own email address as the Envelope Sender address in order to pass SPF. Using the 'mailto' structure above, CanIt is not able to determine the Header From address because it is expecting the format:

  From: Display Name <>

This means that the recommended rule would not be able to hit. Therefore a supplementary rule for:

  (Header Matches RegExp From:[^@]* AND (Domain of Envelope Sender is not

will help in this situation. Again, should be replaced with your own domain. The RegExp pattern will match if your domain is anywhere in the From Header line.

This rule will also catch:

  From: John Doe [mailto:]

where the envelope sender is not Again, the Header From for the recommended rule will not match a "mailto", so the recommended rule does not work in this case.

The final way that a message can be spoofed is the least likely to fool a user, but is also almost impossible to catch. This is the case where the display name is a person you know, but neither the Header address, nor the envelope address is theirs. Thus it is only spoofed in the sense that they have the same name (legitimate or not). The only way to target this would be to write a rule for every sender's name (including 'Last, First', 'F. Last', etc.) and reject if it doesn't come from the address you expect. This could cause lots of false-positives for common names or if a sender changes email addresses.

Spoofing From Other Domains

See Spoofed Addresses