> Hi all, I'm wondering if someone has some ideas to handle bank fraud > phishing emails, and in particular this one: > > https://pastebin.com/wxFtKK16 > > It doesn't hit bayes99 because we haven't seen one before, and txrep > subtracts points. It also doesn't hit any blacklists. > > Ideas for blocking these, and more general advice for blocking banking > fraud/phish attacks would be appreciated. >
You can create custom rules for each bank used by your userbase. Basically you give penalties for the bank name being used in the From address, and then you undo these penalties for legitimate bank mails. This you can do by SPF/DKIM whitelisting them, or by checking the From:addr domain and DKIM_VALID_AU.

Or you can do something like this:

header   __BENEFIT_FROM  From =~ /Benefitwallet/i
describe __BENEFIT_FROM  From name includes Benefitwallet

header   __BENEFIT_PHISHING_BADFROMADDR  From:addr !~ /benefitwallet/i
describe __BENEFIT_PHISHING_BADFROMADDR  The from e-mail address does not contain benefitwallet

meta     BENEFIT_PHISHING_BADFROM  (__BENEFIT_FROM && __BENEFIT_PHISHING_BADFROMADDR)
describe BENEFIT_PHISHING_BADFROM  Fake Benefitwallet mail
score    BENEFIT_PHISHING_BADFROM  3.5

The above rule assumes the legit domain at least has benefitwallet in it. Basically it all depends on what you know about the bank and how unique its name is. The more unique, the easier it is to give penalties to its usage. And if you can find out from what domains the bank sends legit mail, you can do DKIM whitelisting or DKIM_VALID_AU checks in your rules.
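The same "bank name in From, but the address is not the bank's" logic, generalised to a table of banks and their known sending domains, as an added example that is not part of the reply above and not SpamAssassin's own code. It goes a step further than the posted rule in two ways: it checks the From domain against an explicit list of legitimate domains (so a phish with the bank name only in the local part, like benefitwallet@phish.example, is still caught), and it implements the "undo the penalty for legitimate mail" step by looking for an aligned dkim=pass in Authentication-Results, which is a rough stand-in for DKIM_VALID_AU. The BANK_DOMAINS table, the SCORES values and the sample messages are all assumptions constructed for the example.

```python
"""Bank-name / From-domain mismatch check, mirroring the SpamAssassin meta rule
above (added example, not code from the original thread)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical lookup table: the bank name as it shows up in From headers,
# mapped to the domains that bank legitimately sends from.
BANK_DOMAINS = {
    "benefitwallet": {"benefitwallet.com"},
    "examplebank": {"examplebank.com"},
}

# Assumed scores; 3.5 mirrors the outright-mismatch score in the post.
SCORES = {"PHISHING_BADFROM": 3.5, "FROM_NO_DKIM": 1.5}


def addr_domain(addr):
    """Domain part of an address, lower-cased ('' when there is no @)."""
    return addr.rpartition("@")[2].lower()


def in_domains(domain, legit):
    """True when domain equals one of the legit domains or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def dkim_aligned(msg, domain):
    """Stand-in for DKIM_VALID_AU: some Authentication-Results header reports
    dkim=pass with a signing domain (header.d) aligned to the From domain.
    In production only trust the Authentication-Results your own MX added."""
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([A-Za-z0-9.-]+)", ar, re.I):
            if in_domains(domain, {m.group(1).lower()}):
                return True
    return False


def bank_phish_rules(raw):
    """Return (rule names hit, total score) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    domain = addr_domain(parseaddr(from_hdr)[1])
    hits = []
    for bank, legit in BANK_DOMAINS.items():
        if bank not in from_hdr.lower():      # __BENEFIT_FROM: bank name anywhere in From
            continue
        if not in_domains(domain, legit):    # __BENEFIT_PHISHING_BADFROMADDR, domain-based
            hits.append(f"{bank.upper()}_PHISHING_BADFROM")
        elif not dkim_aligned(msg, domain):  # right domain claimed, but no aligned DKIM pass
            hits.append(f"{bank.upper()}_FROM_NO_DKIM")
    score = sum(SCORES[h.split("_", 1)[1]] for h in hits)
    return hits, score


# Constructed sample messages (not real mail).
PHISH = """From: "BenefitWallet Support" <alerts@mail-secure.example.net>
Subject: Your account is locked

Sign in to restore access.
"""
LOCALPART = """From: benefitwallet@phish.example
Subject: Verify your card

Click here.
"""
LEGIT = """From: BenefitWallet <no-reply@benefitwallet.com>
Authentication-Results: mx.example.org; dkim=pass header.d=benefitwallet.com header.s=sel1
Subject: Your monthly statement

Statement attached.
"""
UNSIGNED = """From: BenefitWallet <no-reply@benefitwallet.com>
Subject: Your monthly statement

Statement attached.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("localpart", LOCALPART),
                       ("legit", LEGIT), ("unsigned", UNSIGNED)):
        print(label, bank_phish_rules(raw))
```

The UNSIGNED case is the one worth watching: the From domain is the bank's, so the posted rule would let it through, but without an aligned DKIM pass the mail is either forged or the bank has a signing gap; a lower score (or a whitelist_from_dkim entry, if you know the bank's signing domain) is the usual way to handle it.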