Hi,

>> https://pastebin.com/raw/TfvhUu0X
>> ...
> What I have had to do is basically increase the score on all invoice emails
> to try to block the bad ones and then whitelist the good ones.
>
> That email was BCC'd which is another suspicious trait which is why I bump
> up the score for MISSING HEADERS. I have other ways to penalize these
> emails at SMTP time based on the number of BCC'd recipients if this were
> received by my servers but I can't tell after the fact like this.

Yes, we've similarly created rules for missing headers.

> There is so much junk coming out of Office 365 right now from compromised
> accounts and otherwise that it's really hard to accurately filter O365
> email. I have created a rule based on the X-OriginatorOrg: header to start
> subtracting points for known OK senders and then bumping up other rule hits
> like invoice-related ones that come from O365. I know this doesn't help
> with compromised accounts in known OK Orgs but it definitely cuts down the
> majority of the fake invoice emails.
>
> header __RCVD_OFFICE365 Received =~ /\.outbound\.protection\.outlook\.com \[/
> header __RCVD_OFFICE365_PROXY X-ClientProxiedBy =~ /\.outlook\.com \(/
>
> header __OFFICE365_TRUST_ORG X-OriginatorOrg =~ /^(ena\.com|example\.com)/

You've set this to be your local system, but what if the mail relay does not
process outbound email? What are legitimate values for this header? In other
words, is this helpful if your mail relay doesn't process your outbound mail?
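As an added illustration (not code from either poster): a small Python check that applies the same three helper rules to constructed sample messages and shows why the org discount should be tied to the Office 365 Received match, so a forged X-OriginatorOrg on mail that never traversed O365 earns nothing. The tenant list, score values, the "missing To:" stand-in for MISSING_HEADERS and all sample headers are assumptions.

```python
import re
from email import message_from_string

# Regexes equivalent to the helper rules quoted in the thread.
RCVD_OFFICE365 = re.compile(r"\.outbound\.protection\.outlook\.com \[")
RCVD_OFFICE365_PROXY = re.compile(r"\.outlook\.com \(")
# Trusted tenant domains (example.com is a placeholder); anchored at both
# ends, a small tightening over the thread's start-anchored pattern.
TRUST_ORG = re.compile(r"^(ena\.com|example\.com)$", re.I)
INVOICE_SUBJ = re.compile(r"\binvoice\b", re.I)

SCORES = {  # assumed score values
    "OFFICE365_TRUST_ORG": -2.0,  # discount for mail from a known-good tenant
    "OFFICE365_INVOICE": 2.0,     # invoice wording from an untrusted tenant
    "MISSING_HEADERS": 1.5,       # no To: at all, e.g. everyone was BCC'd
}

def score_message(raw):
    """Return (rule hits, total score) for one RFC 5322 message string."""
    msg = message_from_string(raw)
    received = " ".join(msg.get_all("Received", []))
    via_o365 = bool(RCVD_OFFICE365.search(received)) or bool(
        RCVD_OFFICE365_PROXY.search(msg.get("X-ClientProxiedBy", "")))
    trusted = bool(TRUST_ORG.match(msg.get("X-OriginatorOrg", "").strip()))
    hits = []
    # The org header only means something when the mail really came through
    # O365 outbound; a forged X-OriginatorOrg from elsewhere gets no discount.
    if via_o365 and trusted:
        hits.append("OFFICE365_TRUST_ORG")
    if via_o365 and not trusted and INVOICE_SUBJ.search(msg.get("Subject", "")):
        hits.append("OFFICE365_INVOICE")
    if msg.get("To") is None:
        hits.append("MISSING_HEADERS")
    return hits, sum(SCORES[h] for h in hits)

def _mail(received, org, subject, to=None):
    """Build a constructed test message from a few headers (not real mail)."""
    hdrs = [f"Received: {received}", f"X-OriginatorOrg: {org}", f"Subject: {subject}"]
    if to:
        hdrs.append(f"To: {to}")
    return "\n".join(hdrs) + "\n\nbody\n"

O365_HOP = "from mail-eopbgr10.outbound.protection.outlook.com [203.0.113.10] by mx.example.net"
GOOD_O365 = _mail(O365_HOP, "ena.com", "Invoice 1042 attached", "billing@example.net")
FAKE_INVOICE = _mail(O365_HOP, "attacker-tenant.example", "Overdue invoice - action required")
FORGED_ORG = _mail("from bulk.example.org [198.51.100.5] by mx.example.net",
                   "ena.com", "Invoice", "billing@example.net")
```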