Thanks, I will look into it
-- 
______________________
Adam Barnett
Systems Engineer
Double Negative
160 Great Portland Street, W1W 5QA
T: 020-7268-5000
[ http://www.dneg.com/ | www.dneg.com ]
______________________

----- Original Message -----
| From: "Dominic Raferd" <domi...@timedicer.co.uk>
| To: "Postfix users" <postfix-users@postfix.org>
| Sent: Wednesday, 15 January, 2020 15:33:33
| Subject: Re: phising attacks

| On Wed, 15 Jan 2020 at 15:20, Adam Barnett <a...@dneg.com> wrote:
|
|> The from address will be, for example
|>
|> From: Jo Blogs
|>
|> But the return address and return path would be a different address from
|> what Jo Blogs is
|>
|>
|> I am 99% sure it is a user error, but just wondering if there was anything
|> else to be done
|> ______________________
|>
|> ----- Original Message -----
|> | From: "Dominic Raferd" <domi...@timedicer.co.uk>
|> | To: "Postfix users" <postfix-users@postfix.org>
|> | Sent: Wednesday, 15 January, 2020 15:15:30
|> | Subject: Re: phising attacks
|>
|> | On Wed, 15 Jan 2020 at 15:09, Adam Barnett <a...@dneg.com> wrote:
|> |
|> |> Hi Postfix Peeps
|> |> We seem to be getting more phishing attacks that are being clever. The
|> |> address looks like it someone internal but the from address is not that
|> |> person.
|> |> Any suggestions postfix or otherwise to help with these
|> |>
|> |
|> | When you say 'looks like it someone internal' what *exactly* do you mean?
|> |
|
| There is plenty that can be done with header_checks (based on one header at
| a time) but it depends on exactly what you are seeing, and you haven't
| provided a full From header. Is the email address in the From header being
| faked as well as the text, or only the text? For multi-header rules (e.g.
| combination of From: and Reply-To:) you need something like postfwd /
| spamassassin / mimedefang(?)
|
| I don't see actual email addresses of our domains being faked in From
| headers, but that's because we use DMARC with p=reject. But I do see the
| text being faked, including inserting our names or a fake email address
| (i.e. one of ours) before the real (foreign) address. I trap these.
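
The checks discussed in the quoted reply (our name or one of our addresses in the From text ahead of a foreign address, plus a From/Reply-To comparison that single-header header_checks cannot make), as an added example that is not part of the thread or anyone's actual filter. The domain example.com, the staff list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the thread: example.com stands in for the protected
# domain and STAFF_NAMES is a hypothetical list of internal display names.
OUR_DOMAINS = {"example.com"}
STAFF_NAMES = {"jo blogs"}

# Constructed sample messages (foreign.test / elsewhere.test are placeholders).
NAME_SPOOF = ('From: "Jo Blogs" <someone@foreign.test>\n'
              'Reply-To: other@elsewhere.test\nSubject: invoice\n\nbody\n')
ADDR_SPOOF = 'From: "jo.blogs@example.com" <someone@foreign.test>\n\nbody\n'
GENUINE = 'From: "Jo Blogs" <jo.blogs@example.com>\n\nbody\n'

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_reasons(raw_message):
    """Return the reasons the From/Reply-To headers look like impersonation."""
    msg = message_from_string(raw_message)
    text, addr = parseaddr(msg.get("From", ""))
    if domain_of(addr) in OUR_DOMAINS:
        # The real address is ours; forging that is DMARC's job to stop.
        return []
    reasons = []
    text = text.lower()
    if any("@" + d in text for d in OUR_DOMAINS):
        reasons.append("one of our addresses in the From text")
    if any(name in text for name in STAFF_NAMES):
        reasons.append("internal name in the From text")
    # Multi-header rule: compare From with Reply-To.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and domain_of(reply) != domain_of(addr):
        reasons.append("Reply-To domain differs from From domain")
    return reasons

if __name__ == "__main__":
    for sample in (NAME_SPOOF, ADDR_SPOOF, GENUINE):
        print(spoof_reasons(sample))
```

A Reply-To on a different domain is also normal for mailing lists and ticketing systems, so that reason is better used as a score alongside the other two than as a reject on its own.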