Regex Reply to?

[killmasta93]

Hi
Currently im having an issue that emails are being sent from user@domain.com but when they do a reply to its a different email

I was wondering if its possible to add a Regex for incoming emails, this is an example,

the return path is what i assume the attacker email masking of the client domain
But when they click on respond it goes to the jessica@fakedomain.com

Return-Path: <yocailimatos@peynadoga.com>

Reply-To: "julian@client.com" <julian@fakedomain.com>

From: <julian@client.com>

To: "MYUSER" <EMAIL@MYDOMAIN.com>

Cc: "jessica@realclientdomain.com" <jessica@fakedomain.com>

 

[hata_ph]

Pls show the original spam mail in raw format.

 

[killmasta93]

thanks for the reply, attaching the raw headers, as you see here when you click reply it automatic goes to the bad fake email

i assume that the bad email is yocailimatos@peynadoga.com but they mask it

Received: from mail.mydomain.com.com.co (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com.com.co (Proxmox) with ESMTP id D84A93C18E6
    for <ha@mydomain.com>; Fri, 25 Feb 2022 07:45:16 -0500 (-05)
Received: from mail.mydomain.com.com.co (unknown [192.168.3.169])
    by mail.mydomain.com (Postfix) with ESMTPS id 1FD8E368370F
    for <ha@mydomain.com>; Fri, 25 Feb 2022 07:45:17 -0500 (-05)
Received: from p3plwbeout25-04.prod.phx3.secureserver.net (p3plsmtp25-04-2.prod.phx3.secureserver.net [216.69.139.18])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com.com.co (Proxmox) with ESMTPS id 2FAD93C1619
    for <ha@mydomain.com>; Fri, 25 Feb 2022 07:45:07 -0500 (-05)
Received: (qmail 24044 invoked by uid 99); 25 Feb 2022 12:44:36 -0000
Received: from p3plgemwbe25-07.prod.phx3.secureserver.net ([10.36.152.37])
    by :WBEOUT: with SMTP
    id NZxcn77YD2OJRNZxcnbTbh; Fri, 25 Feb 2022 05:44:36 -0700
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.3.170) by mail.mydomain.com with LMTP; Fri, 25 Feb 2022
 07:45:17 -0500 (COT)
Return-Path: <yocailimatos@peynadoga.com>
Reply-To: "jessica" <jessica@badomain.com>
From: "jessica" <jessica@realclientdomain.com>
To: "compras" <comprasinternacionales@mydomain.com>
Cc: "my user" <ha@mydomain.com>,
    "julian" <julian@badomain.com>
Subject: RE: XXX
Date: Fri, 25 Feb 2022 07:44:35 -0500
Message-ID: <20220225054435.342f2f18cbbee981bde47f257db7e863.ad08f4991b.wbe@email25.godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_23F7_01D82A1B.C750BB30"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQGpXfFiNY36YBesMGNK2/iVDAR0rQ==
X-OlkEid: 000000001137781E002A394299788684BB2F1D4D0700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C000093CD7A5710CE3940B17F029E52ABAFC6000000007402000085684C6841C7D94FAE88B054682ADA2C
X-Spam-Flag: Yes
X-SPAM-LEVEL: Spam detection results:  0
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DCC_REPUT_13_19          -0.1 DCC reputation between 13 and 19 %
    HEADER_FROM_DIFFERENT_DOMAINS  0.248 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    JMQ_SPF_NEUTRAL           0.5 SPF set to ?all
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KHOP_HELO_FCRDNS        0.186 Relay HELO differs from its IP's reverse DNS
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NEUTRAL             0.779 SPF: sender does not match SPF record (neutral)
    SUBJ_ALL_CAPS             0.5 Subject is all capitals
    T_REMOTE_IMAGE           0.01 Message contains an external image
    T_SCC_BODY_TEXT_LINE    -0.01 -
X-Originating-IP: 104.243.212.184
X-Sender: yocailimatos@peynadoga.com
X-CMAE-Analysis: v=2.4 cv=CODv4TnD c=1 sm=1 tr=0 ts=6218cf48
 a=qXLKZb2eUIUlYUpvk7LSFw==:117 a=-FRr9NYHW48A:10 a=570isp1FQAcA:10
 a=oGFeUVbbRNcA:10 a=3j4BkbkPAAAA:8 a=69EAbJreAAAA:8 a=3p899kp4AAAA:8
 a=qDgMy0wqAAAA:8 a=PaKHujimU5cYQWQY3HkA:9 a=6ZLkhcLmHUSy84JG:21
 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10 a=nOoTQAqDyDM9MPP4778A:9
 a=n3BslyFRqc0A:10 a=x9I3668ZiE8A:10 a=rls1ZAiwvL0A:10
 a=M_K2dmzOftii9Tr_AL0A:9 a=QkeXobIFxM6Z0thnRRRK:22 a=zsCxxitBfprcCSq-brWK:22
X-SECURESERVER-ACCT: yocailimatos@peynadoga.com
X-CMAE-Envelope: MS4xfNiUKZawm+ilmUAN7NSkRhx80H2lXaTpS3ry0V1P3U2Q1NKkyvoko+jTkC3VRDcAhFmbL5/zDXwjFd6SHssX6ZFv7AsFvBu36TzOpxxPw0zqoiPEd3k4
 wPMQnjhj5gd0NAyTEYp4LFItM8ZIBgxw/rAY05Z+D5EiB7PFAMlnqkITTyz07kvT10b/1Nw5NbzEm0sZshB1FHocCjab7MWDiONybZDYcO/PRvdoPBiqyUyg
X-SID: NZxcn77YD2OJR

 

[hata_ph]

Try this but I do not guarantee it will work.

^".*"<.*@badomain.com>.*$

 

[killmasta93]

Thanks for the reply, so in the part of badomain, can be any variable?
this means that if someone tries to spoof the email in the reply?

 

[hata_ph]

Thanks for the reply, so in the part of badomain, can be any variable?
this means that if someone tries to spoof the email in the reply?

It should be. But I am not sure will it work for the reply-to field. Not tested on my side.

 

[killmasta93]

Thanks for the reply, i put it to test lets wait for it to appear and ill post back