Detect SMTP Domain Mismatch

This example detects SMTP messages where the domain in the sender's email address does not match the domain of the SMTP server that sent the message. A mismatch might be a sign of a phishing attack, though additional indicators are usually needed to confirm it.

For Example:

SenderEmail: mrX@corporateXYZ-email.com

SenderDomain: openSMTPserver.com

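--- Return the part of an email address after its first '@', lower-cased.
-- Keeps the original slicing (everything after the first '@') but returns
-- nil instead of raising when the address has no '@' at all; the old code
-- did `string.find(addr, '@') + 1`, which errors on a nil find result.
-- @tparam string addr sender email address as reported by the SMTP parser
-- @treturn string|nil lower-cased domain part, or nil when absent or empty
local function smtp_email_domain(addr)
  local at = string.find(addr, '@', 1, true)
  if not at then
    return nil
  end
  local domain = string.sub(addr, at + 1)
  if domain == '' then
    return nil
  end
  return string.lower(domain)
end

--- True when `host` is `domain` itself or a subdomain of it.
-- Both arguments are expected lower-cased. The previous check was a plain
-- substring search (`string.find(host, domain, 1, true)`), which also
-- accepted look-alikes such as "evil-corp.com" for "corp.com" or
-- "corp.com.example.net"; anchoring on a label boundary keeps legitimate
-- subdomains ("mail.corp.com") matching while rejecting those.
-- @tparam string host   domain of the sending SMTP server
-- @tparam string domain domain taken from the sender's email address
-- @treturn boolean
local function domain_matches(host, domain)
  if host == domain then
    return true
  end
  local suffix = '.' .. domain
  return #host > #suffix and string.sub(host, -#suffix) == suffix
end

--- Flag SMTP messages whose sender email domain differs from the domain of
-- the SMTP server that sent them.
-- On a mismatch it records the custom fields `sender_email_domain`,
-- `sender_domain` and `sender_domain_mismatch`, raises a 'medium' user
-- alarm and logs the pair with the message UUID. Gmail/Google server
-- domains are exempt because their relay names do not carry the customer
-- domain. `sender_email_domain` is recorded whenever it can be parsed,
-- mismatch or not, as in the original rule.
-- @param dpiMsg     message handle passed in by the rule engine
-- @param ruleEngine rule engine handle, forwarded to TriggerUserAlarm
function Flow_SMTPDomainMismatch (dpiMsg, ruleEngine)
  require('LOG')

  -- Only SMTP sessions carry the fields this rule reads.
  if GetLatestApplication(dpiMsg) ~= "smtp" then
    return
  end

  local sender_domain = GetString(dpiMsg, "smtp", "sender_domain")
  if sender_domain == nil or sender_domain == '' then
    return
  end
  sender_domain = string.lower(sender_domain)

  local sender_email = GetString(dpiMsg, "smtp", "sender_email")
  if sender_email == nil or sender_email == '' then
    return
  end

  local sender_email_domain = smtp_email_domain(sender_email)
  if sender_email_domain == nil then
    return
  end
  SetCustomField(dpiMsg, "sender_email_domain", sender_email_domain)

  -- Gmail/Google exemption: their sending hosts never match the address
  -- domain, so a mismatch there carries no signal.
  if string.find(sender_domain, 'gmail', 1, true)
     or string.find(sender_domain, 'google', 1, true) then
    return
  end

  if domain_matches(sender_domain, sender_email_domain) then
    return
  end

  -- Claimed domain and sending server disagree: record and alarm.
  SetCustomField(dpiMsg, "sender_domain", sender_domain)
  SetCustomField(dpiMsg, "sender_domain_mismatch", 'true')
  TriggerUserAlarm(dpiMsg, ruleEngine, 'medium')
  EZINFO('domain mismatch, sender domain: '
    .. sender_domain .. ', email domain: ' .. sender_email_domain
    .. ', UUID: ' .. GetUuid(dpiMsg))
end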