Adding to Taavi's List-Unsub condition - I've had similar success with
List-Unsubscribe identification for transactional-volume attacks, and
also with a few additional indicators for transactional mail, which are
below. These are Proofpoint-specific conditions, but can (mostly) be
translated to other filters.
As Taavi noted, this is scorched-earth on most external mail, but it
curbs the volume the attack recipient actually receives to almost
negligible levels, while still allowing somewhat normal day-to-day
correspondence. You'd definitely want to make sure these messages are
quarantined rather than rejected/dropped, so your SOC/IR team can review them.
* Message Header "x-mailer" contains "php"
    OR
* Detected Language is not "en" (English) - (or whatever your org's
  expected communication language(s) are)
    OR
* Message Header "x-antiabuse" does not equal ""
    OR
* Envelope Sender Email Address contains "bounce"
    OR
* Dictionary Unsubscribe score greater than 0 in subject, body fields
  - (dictionary below)
Unsubscribe dictionary:
Teken uit إلغاء الاشتراك Odhlásit se Afmeld abonnement opzeggen
unsubscribe tellimuse tühistamine boko ni volayaca Maghinto ng
suskrisyon Peruuta tilaus se désabonner abbestellen আন-সাবস্ক্রাইব
διαγραφείτε από τη συνδρομή dezabòne לבטל את המנוי सदस्यता समाप्त
Leiratkozás berhenti berlangganan disiscrizione 購読解除します。 batili
ungisho 구독 취소 otkazati pretplatu atcelt abonēšanu atsisakyti
prenumeratos berhenti melanggan twaqqaf l-abbonament anular le
suscripción avslutte abonnementet anular ar suscripción لغو عضویت
Anulowanie subskrypcji dezabonare отписване отписаться toe lesitala
Отказивање претплате Otkazivanje pretplate odhlásiť odjavo anular la
suscripción avsluta prenumerationen சந்தாநீக்கு స్వీకరణ donar de baixa
ยกเลิก to'o e ngaahi totongi Aboneliği Kaldır відмовитися від підписки
رکنیت ختم hủy đăng ký Dileu tanysgrifiad leiratkozni darse de baja
wypisać z donar-se de baixa 取消 订阅 取消 訂閱 取消訂閱 subscribe verify
subscription registration account has been created welcome to newsletter
confirmation activation
- Mark Alley
On 6/28/2024 3:42 AM, Taavi Eomäe via mailop wrote:
The best method we've found was to reject all letters with a
List-Unsubscribe header (or similar) sent to that victim.
This obviously has side-effects, but they're tolerable compared to the
flood of letters.
I should note that these letters are usually sent in order to cover up
something like a credit card statement, password reset or something
else malicious. So be perceptive.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
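The condition set Mark lists above (plus Taavi's List-Unsubscribe check) translated into a small stand-alone classifier, as an added example that is not part of either post and not Proofpoint's rule syntax. It runs the six OR'd conditions over constructed sample messages and returns which ones fired so a SOC analyst can see why a message landed in quarantine. Assumptions: the dictionary is a subset of the one in the post, the "detected language" check is a crude ASCII-ratio stand-in for a real language detector, the envelope sender is passed in separately because MAIL FROM is not a header, and all sample messages and addresses are made up.

```python
import email
from email import policy
from email.message import EmailMessage

# Subset of the post's unsubscribe dictionary (assumption: extend with the full
# list from the post). Matching is case-insensitive substring, one hit per term.
UNSUBSCRIBE_TERMS = [
    "unsubscribe", "se désabonner", "abbestellen", "darse de baja",
    "anular la suscripción", "отписаться", "取消訂閱", "購読解除",
    "구독 취소", "إلغاء الاشتراك", "subscribe", "verify subscription",
    "registration", "account has been created", "welcome to", "newsletter",
    "confirmation", "activation",
]

# Assumption: the organisation's expected correspondence language(s).
ALLOWED_LANGS = {"en"}


def dictionary_score(text: str) -> int:
    """Number of distinct dictionary terms found in text (score > 0 trips the rule)."""
    lowered = text.lower()
    return sum(1 for term in UNSUBSCRIBE_TERMS if term.lower() in lowered)


def guess_language(text: str) -> str:
    """Crude stand-in for the filter's language detection (assumption, not a real
    detector): 'en' if at least 80% of the letters are ASCII, else 'other'."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return "en"
    ascii_letters = sum(1 for c in letters if c.isascii())
    return "en" if ascii_letters / len(letters) >= 0.8 else "other"


def body_text(msg: EmailMessage) -> str:
    """Decode the text/plain body of a parsed message (falls back to the whole part)."""
    part = msg.get_body(preferencelist=("plain",)) or msg
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", "replace")


def evaluate(raw: str, envelope_sender: str) -> list[str]:
    """Return the conditions the message trips, in rule order (empty list = deliver).
    envelope_sender is the SMTP MAIL FROM address, which is not in the headers."""
    msg = email.message_from_bytes(raw.encode("utf-8"), policy=policy.default)
    subject = str(msg.get("Subject", ""))
    text = f"{subject}\n{body_text(msg)}"
    reasons = []
    if msg.get("List-Unsubscribe") is not None:        # Taavi's condition
        reasons.append("list_unsubscribe")
    if "php" in str(msg.get("X-Mailer", "")).lower():  # x-mailer contains "php"
        reasons.append("x_mailer_php")
    if guess_language(text) not in ALLOWED_LANGS:      # detected language not allowed
        reasons.append("non_english")
    if msg.get("X-AntiAbuse"):                         # x-antiabuse present and non-empty
        reasons.append("x_antiabuse")
    if "bounce" in envelope_sender.lower():            # envelope sender contains "bounce"
        reasons.append("bounce_sender")
    if dictionary_score(text) > 0:                     # dictionary score > 0 in subject/body
        reasons.append("unsubscribe_dictionary")
    return reasons


def disposition(reasons: list[str]) -> str:
    """Quarantine (not reject) so SOC/IR can review, as the post recommends."""
    return "quarantine" if reasons else "deliver"


# Constructed sample messages (not real traffic).
SUBSCRIPTION_BOMB = """\
From: news@example.com
To: victim@example.org
Subject: Welcome to our newsletter!
X-Mailer: PHPMailer 6.8
List-Unsubscribe: <mailto:unsub@example.com>
Content-Type: text/plain; charset=utf-8

Thanks for signing up. Click here to unsubscribe.
"""

LEGIT_MAIL = """\
From: alice@partner.example
To: victim@example.org
Subject: Q3 contract redlines
Content-Type: text/plain; charset=utf-8

Hi, attached are the redlines we discussed on the call. Thanks, Alice
"""

FOREIGN_SIGNUP = """\
From: noreply@example.net
To: victim@example.org
Subject: Your new account
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
Content-Type: text/plain; charset=utf-8

Спасибо за регистрацию. Ваш аккаунт создан.
"""

if __name__ == "__main__":
    for name, raw, sender in [
        ("bomb", SUBSCRIPTION_BOMB, "bounce-1234@example.com"),
        ("legit", LEGIT_MAIL, "alice@partner.example"),
        ("foreign", FOREIGN_SIGNUP, "noreply@example.net"),
    ]:
        hits = evaluate(raw, sender)
        print(f"{name:8s} {disposition(hits):10s} {hits}")
```

The legitimate contract mail passes clean, the signup-flood message trips four of the six conditions at once, and the non-English signup is caught by the language and x-antiabuse checks even without an unsubscribe link. Swap `guess_language` for your gateway's real detector and load the full dictionary from the post before using anything like this in production.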