[exim] Verifying header_from

Author: Chambers, Phil
Date:  
To: exim-users
Subject: [exim] Verifying header_from
I have been dealing with spear phishing attacks which have forged From:
addresses such as

From: custommer_support@???

which looks plausible to our users, but which does not exist. Not just
for stopping spear phishing, but as a point of principle, I want to
reject messages like this.

I have a verify = header_sender ACL, but that does not block this
because the messages also have a header such as

Reply-to: database_upgrade@???

The header_sender verify checks that first and ignores the From: header!

It appears I could explicitly check the From: header using something
like

# Only act on addresses in our own domain; the closing brace of the
# ${domain:...} operator was missing in the original sketch.
condition = ${if eq{${domain:$header_from:}}{exeter.ac.uk}{yes}{no}}
verify = sender=$header_from:

However, since the From: header can contain multiple addresses, the
above sample needs quite a bit of extra work. Further, I can only see
that I could check one of the addresses if more than one is present.

Am I missing something? If not, it might be a useful addition to extend
the verify condition to allow specific checks in individual header
address fields ('verify = header_from', 'verify = header_to' and so on).

What do other people do to check headers?

Phil.
--------------------
Phil Chambers
Postmaster
University of Exeter
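One way to get the per-address From: check the post asks for, as an added example that is not part of the original message or of Exim's own configuration. It uses the ${addresses:...} operator to pull every address out of From:, walks them with forany, and hands each one that lies in the local domain to a small helper ACL that runs sender verification on it. The domain exeter.ac.uk comes from the post; the ACL name acl_local_from_exists is made up here, and the snippet assumes an Exim new enough to have the acl expansion condition and that the local routers reject unknown local parts.

```exim
# Added example (not from the original post).  Goes in the DATA ACL, since
# header lines are not available to the RCPT ACL.  Assumptions: the domain
# exeter.ac.uk is taken from the post, the helper ACL name is invented here,
# and Exim must support the "acl" expansion condition.
acl_check_data:

  # Refuse to reason about a From: line that does not parse.
  deny    message   = Unparseable From: header
         !verify    = header_syntax

  # ${addresses:...} extracts every address in From: as a colon-separated
  # list; forany evaluates the condition once per address with it in $item.
  # The deny fires as soon as one address is in our domain (compared in
  # lower case) and the helper ACL says it does not verify.
  deny    message   = Forged From: header: a local address in it does not exist
          condition = ${if forany{${addresses:$h_from:}}\
                          {and{ {eq{${lc:${domain:$item}}}{exeter.ac.uk}}\
                                {!acl{{acl_local_from_exists}{$item}}} }}}

  accept

# Helper ACL invoked once per From: address; $acl_arg1 is that address.
# accept = the routers can deliver to it, deny = unknown local part.
acl_local_from_exists:
  accept  verify = sender=$acl_arg1
  deny
```

Because the helper runs real sender verification, a temporary failure in it (for example a router that does an LDAP lookup being unreachable) makes the nested ACL defer, the expansion fails, and the outer deny then defers the message rather than rejecting or accepting it, which is the safe direction. Reply-To: and Sender: are still covered by the existing verify = header_sender condition; this block only adds the From: check that it does not enforce on its own.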