Help With Regex filtering of forged/spoofed sender names in From

[Matache_Macelaru]

Recently there is an uptick in forged/spoofed e-mails, some are even virus generated and use password protected files to avoid detection.

The behavior I am after is straight forward:

From: "FakeUser@ForgedDomain.com" <actual.user@realdomain.com>​

Second Variation

From: "Fake User Name <FakeUser@ForgedDomain.com>" <actual.user@realdomain.com>​

I have already written a regex to catch if two @ are present in the From field, however this is not optimal since some clients have their e-mail configured as name, like:

From: "noreply@wizzair.com" <noreply@wizzair.com>​

And get flagged by my rule.

Can anyone please help me with writing a regex that either fully catches spoofed names while allowing the legit poorly configured ones.
Or a second regex just to check if name matches e-mail, so I can set it up before the two @ filters as an exception.

Thank you in advance

 

[Stoiko Ivanov]

If you share the logs of such a spam-mail - and the mail itself we could maybe see something else which indicates that it is spam

 

[Matache_Macelaru]

Unfortunately there is nothing more relevant with it.
It is a result of a compromised account, so DKIM, SPF, etc is legit about it, most of the time it's a reply to a related valid thread.
The only distinctive point is the FROM header field, that has an e-mail address contained in the name section.
I don't have the samples, as I instantly delete them whenever I see them


Good:

From: noreply-dmarc-support@google.com​

From: Tina Cretu <tina.cretu@pro.ro>​

From: "Tina Cretu" <tina.cretu@pro.ro>​

From: "tina.cretu@pro.ro" <tina.cretu@pro.ro>​

The last one is an odd ball because some mobile clients are misconfigured, and use the e-mail as name, but as long as name and e-mail match, it should be considered valid​

SPOOF:

From: "ion@smt.di" <tina.cretu@pro.ro>​

From: "Ion ion@smt.di" <tina.cretu@pro.ro>​

From: "ion@smt.di Ion" <tina.cretu@pro.ro>​

​

Breakdown of the logic I am after related to From: header

- string contain 2 or more @​

- if false - exit as ok​

- if true -​

- get the e-mail in <> section and compare it (case insensitive) to the e-mail address in the " " name section​

- if they are equal - exit as ok​

- if different - exit as spoof​

​

I have tried multiple times to get this working, however regex is not my strong point.

Thanks

​

​