On 11/25/2017 11:41 AM, Jerry Malcolm wrote:
Thanks so much for all the info. I have installed KAM rules, and I've
started becoming a ninja writing my own (simple) rules. MUCH improved
results (amazing when you finally learn what you're doing....)
I figure before this is all over with, I'm going to have to become very
knowledgeable about regex. But I'm not there yet. Just out of
curiosity, has anybody written a rule that checks if the 'from name'
contains "Amazon" but the 'from domain' name does not contain "Amazon"
(or variations for Kohls, Target, etc)? That's definitely for the
sophomore class in regex, and I'm struggling with the freshman
class.... Any regex experts that can whip this out?
Thanks in advance.
Jerry
This has been discussed recently on the list and here's how I have
handled it:
header BAD_FROM_NAME From:name =~ /(^chase$|chase\.com|Internal Revenue Service|banking|Apple|Bank of America|American Express)/i
describe BAD_FROM_NAME Displayed From contains bad information to trick the recipients
score BAD_FROM_NAME 8.2
The "header" line has a simple regex that is basically a bunch of OR's.
Then you set up "whitelist_auth" entries for the real domains preferably
using the envelope-from domain which is a little more difficult to spoof
with the adoption of SPF the past few years.
So for amazon.com, I have these two entries:
whitelist_auth *@amazon.com
whitelist_auth *@*.amazon.com
and then you put "Amazon" in the "header" line above.
We really need to do something like this in the default SA rules which
should be safe for all mail flow. I will open a bug issue if anyone
else thinks this would be a good idea.
This could be implemented with a new 60_whitelist_auth.cf to slowly and
carefully expand the whitelist_auth entries of those known good senders
that properly filter their outbound mail and handle abuse reports. For
example:
whitelist_auth *@alertsp.chase.com
whitelist_auth *@e.chase.com
to go along with the BAD_FROM_NAME header check above. We would add
safe subdomain entries from Apple and Bank of America as well. This
should safely catch a lot of spoofed display names trying to trick
recipients.
Thoughts?
--
David Jones
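The two-part check David describes (a brand regex over the From: display name, offset by a whitelist_auth-style allow list that only counts when the sender authenticated) can be modelled outside SpamAssassin to see how the pieces interact. The script below is an added example written for this page, not code from the thread or from SpamAssassin. It assumes a simplified stand-in for the SPF/DKIM plugins (an Authentication-Results header reporting spf=pass or dkim=pass), treats the allow-list patterns as shell-style globs over the whole envelope-from address, uses -100 as the allow-list score (the example's own choice), escapes the dot in chase.com, and adds "Amazon" to the brand list as the post suggests. All sample messages and domains are constructed. Note that broad tokens such as "Apple" or "banking" also match unrelated display names ("Appleton", "Banking Committee"), so any real deployment still depends on the allow list and the overall score.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Brand words in the display name, modelled on the BAD_FROM_NAME header rule
# from the post, with "Amazon" added and the dot in chase.com escaped.
BAD_FROM_NAME = re.compile(
    r"(^chase$|chase\.com|Internal Revenue Service|banking|Apple|"
    r"Bank of America|American Express|Amazon)",
    re.IGNORECASE,
)
BAD_FROM_NAME_SCORE = 8.2

# whitelist_auth-style entries: globs over the whole address, matched
# case-insensitively. They only count when the sender authenticated.
# The -100 score is this example's assumption, not SpamAssassin's figure.
WHITELIST_AUTH = ["*@amazon.com", "*@*.amazon.com",
                  "*@alertsp.chase.com", "*@e.chase.com"]
WHITELIST_AUTH_SCORE = -100.0


def sender_authenticated(msg):
    """Simplified stand-in for the SPF/DKIM plugins (assumption): trust an
    Authentication-Results header that reports spf=pass or dkim=pass."""
    auth = msg.get("Authentication-Results", "")
    return re.search(r"\b(spf|dkim)=pass\b", auth, re.IGNORECASE) is not None


def in_whitelist_auth(addr, authenticated):
    """True only if the address matches an allow-list glob AND authenticated."""
    if not authenticated or not addr:
        return False
    addr = addr.lower()
    return any(fnmatchcase(addr, pat.lower()) for pat in WHITELIST_AUTH)


def envelope_from(msg):
    """Envelope sender from Return-Path, falling back to the From: address."""
    return_path = msg.get("Return-Path")
    if return_path:
        return parseaddr(return_path)[1]
    return parseaddr(msg.get("From", ""))[1]


def check(raw):
    """Return ({rule: score}, total) for one RFC 5322 message text."""
    msg = message_from_string(raw)
    display_name, _addr = parseaddr(msg.get("From", ""))
    hits = {}
    if BAD_FROM_NAME.search(display_name):
        hits["BAD_FROM_NAME"] = BAD_FROM_NAME_SCORE
    if in_whitelist_auth(envelope_from(msg), sender_authenticated(msg)):
        hits["WHITELIST_AUTH_HIT"] = WHITELIST_AUTH_SCORE
    return hits, round(sum(hits.values()), 1)


# Constructed sample messages; every domain below is illustrative only.
SAMPLES = {
    # Genuine: brand in display name, envelope-from under amazon.com, SPF pass.
    "real_amazon": (
        "Return-Path: <bounces@bounces.amazon.com>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces.amazon.com\n"
        'From: "Amazon.com" <ship-confirm@amazon.com>\n'
        "Subject: Your order\n\nbody\n"),
    # Spoofed display name on an unrelated, authenticated domain.
    "spoofed_name": (
        "Return-Path: <promo@mail-deals.example>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-deals.example\n"
        'From: "Amazon Customer Service" <promo@mail-deals.example>\n'
        "Subject: Account locked\n\nbody\n"),
    # Forged amazon.com envelope that fails SPF: the allow list must not fire.
    "forged_domain_no_auth": (
        "Return-Path: <alerts@amazon.com>\n"
        "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=amazon.com\n"
        'From: "Amazon" <alerts@amazon.com>\n'
        "Subject: Verify\n\nbody\n"),
    # Look-alike domain: "amazon.com" appears but is not the registrable domain.
    "lookalike_subdomain": (
        "Return-Path: <x@amazon.com.evil.example>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazon.com.evil.example\n"
        'From: "Amazon" <x@amazon.com.evil.example>\n'
        "Subject: Verify\n\nbody\n"),
    # Ordinary mail with no brand word: no rule should hit at all.
    "plain_mail": (
        "Return-Path: <jerry@example.org>\n"
        'From: "Jerry Malcolm" <jerry@example.org>\n'
        "Subject: Hello\n\nbody\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:24s} {check(raw)}")
```

Run as is and the genuine Amazon message nets a strongly negative score, while the three impersonation variants each keep the full 8.2 because the allow list refuses to fire without a matching, authenticated envelope-from.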