On Wed, 15 Jan 2020 at 15:20, Adam Barnett <a...@dneg.com> wrote:

> The from address will be, for example
>
> From: Jo Blogs
>
> But the return address and return path would be a different address from
> what Jo Blogs is
>
> I am 99% sure it is a user error, but just wondering if there was anything
> else to be done
> ______________________
>
> ----- Original Message -----
> | From: "Dominic Raferd" <domi...@timedicer.co.uk>
> | To: "Postfix users" <postfix-users@postfix.org>
> | Sent: Wednesday, 15 January, 2020 15:15:30
> | Subject: Re: phising attacks
>
> | On Wed, 15 Jan 2020 at 15:09, Adam Barnett <a...@dneg.com> wrote:
> |
> |> Hi Postfix Peeps
> |> We seem to be getting more phishing attacks that are being clever. The
> |> address looks like it someone internal but the from address is not that
> |> person.
> |> Any suggestions postfix or otherwise to help with these
> |>
> |
> | When you say 'looks like it someone internal' what *exactly* do you mean?

There is plenty that can be done with header_checks (based on one header at a time) but it depends on exactly what you are seeing, and you haven't provided a full From header. Is the email address in the From header being faked as well as the text, or only the text?

For multi-header rules (e.g. combination of From: and Reply-To:) you need something like postfwd / spamassassin / mimedefang(?)

I don't see actual email addresses of our domains being faked in From headers, but that's because we use DMARC with p=reject. But I do see the text being faked, including inserting our names or a fake email address (i.e. one of ours) before the real (foreign) address. I trap these.
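
An added example, not part of the original thread and not any poster's own rules: a Python sketch of the checks discussed above, flagging a From display name that carries one of our names or addresses in front of a foreign real address, plus the From/Reply-To combination that a single-header check cannot see. The domain example.com, the staff name list and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string, policy

# Placeholders (assumptions): substitute your own domains and staff names.
OUR_DOMAINS = {"example.com"}
STAFF_NAMES = {"jo blogs"}
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample messages, not taken from the thread.
SAMPLES = {
    "legit_internal": "From: Jo Blogs <jo.blogs@example.com>\nSubject: hi\n\nbody\n",
    "addr_in_name": 'From: "jo.blogs@example.com" <billing@mailer.test>\n\nbody\n',
    "name_and_reply_to": "From: Jo Blogs <jo.blogs@mailer.test>\n"
                         "Reply-To: pay@other.test\n\nbody\n",
    "external": "From: Some Vendor <news@vendor.test>\n\nbody\n",
}

def first_address(msg, header):
    """Return the first parsed Address in a header, or None."""
    addrs = getattr(msg[header], "addresses", ())
    return addrs[0] if addrs else None

def spoof_reasons(raw):
    """List the reasons a message looks like display-name spoofing."""
    msg = message_from_string(raw, policy=policy.default)
    sender = first_address(msg, "From")
    if sender is None:
        return ["From header missing or unparseable"]
    reasons = []
    display = " ".join(sender.display_name.lower().split())
    foreign = sender.domain.lower() not in OUR_DOMAINS
    our_addr = any(d in OUR_DOMAINS for d in ADDR_IN_TEXT.findall(display))
    our_name = display in STAFF_NAMES
    if foreign and our_addr:
        reasons.append("our address in display name, foreign real address")
    if foreign and our_name:
        reasons.append("staff name in display name, foreign real address")
    # Multi-header rule: needs From and Reply-To together.
    reply = first_address(msg, "Reply-To")
    if reply is not None and reply.domain.lower() not in OUR_DOMAINS and (
            our_addr or our_name or not foreign):
        reasons.append("claims to be internal, Reply-To is foreign")
    return reasons

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, spoof_reasons(raw))
```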