On 05/09/2018 12:39 PM, Alex wrote:
Hi,

header  __RCVD_OFFICE365        Received =~ /\.outbound\.protection\.outlook\.com \[/
header  __RCVD_OFFICE365_PROXY  X-ClientProxiedBy =~ /\.outlook\.com \(/

header  __OFFICE365_TRUST_ORG   X-OriginatorOrg =~ /^(ena\.com|example\.com)/


You've set this to be your local system, but what if the mail relay
does not process outbound email? What are legitimate values for this
header?


I don't have "ena.com" in my own rule.  Rather I have dozens of others
listed.  Sorry if this is confusing to imply this is for outbound mail.

In other words, is this helpful if your mail relay doesn't process
your outbound mail?


Yes.  It's not meant for outbound but inbound.  I shouldn't have put
"ena.com" in there for me but you could put it in there for your local rules
if you think our email is trustworthy.  :)

I think I'm still a little confused. I did a quick search on existing
email received with that header, and it's a hugely varied list with an
equal amount trustworthy as untrustworthy. I don't think it's feasible
to maintain a list of trustworthy domains for this header, unless I'm
missing something?

Also, the youngliving.com domain that was listed in my spample still
isn't blacklisted on any legitimate list. This looks to be a
legitimate domain with a compromised account. You had mentioned your
rules don't really work on compromised accounts from legitimate
domains, but also that it cuts down on invoice spam.

Is this one of those cases where your rules don't really help?


The problem is anything coming out of O365 is not going to show up on traditional IP block lists. Domain block lists (DBLs) are going to be very slow to react and list a domain. SPFBL would help and IVM might quickly list them if there were a URL that could be blocked.

My approach is to bump up the score a little on any invoice-related emails and then a little more on "freemail/commonly abused" platforms where it's a common source of phishing lately.

Then you only have to maintain the X-OriginatorOrg list for a small subset of legit invoice sending domains.

For example, let's say your blocking threshold is the SA default of 5.0. Add a point for all freemail/commonly abused platforms so now their threshold is effectively 4.0. Now add another point for invoice-related emails bringing the threshold down to 3.0.

Now legit invoice senders will either score low on their own from good reputation, get whitelist_auth/whitelist_from_rcvd entries, or get added to the X-OriginatorOrg if they come from O365.

Does that make sense? This has been working well for me the past couple of months after seeing many phishing attacks from O365 compromised accounts. I would rather risk slightly over-blocking invoices and release/whitelist them later than have a customer get phished and cause a lot of financial damage.

I have customers that will blindly pay invoices without matching POs or any confirmation if the company name sounds familiar. I am seeing a lot of construction-related phishing emails. Since there is always construction going on, they just assume these are legit.

--
David Jones
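The layered scoring David describes above (one point for mail via a "commonly abused" platform such as an O365 tenant that is not on your trust list, one more point for invoice-related content, with trusted tenants exempted via X-OriginatorOrg) can be written as a small set of local SpamAssassin meta rules. The block below is an added example for this thread, not David's rules or anything shipped with SpamAssassin; the tenant names in __OFFICE365_TRUST_ORG, the invoice keyword list and the LOCAL_* rule names are placeholders to be replaced with your own.

```spamassassin
# Added example, not from the original thread.  Local rules modelling the
# "bump the score, exempt a short trust list" approach described above.
# Tenant names, keyword lists and LOCAL_* names are placeholders.

# Mail that left Microsoft's outbound Office 365 infrastructure.
header   __RCVD_OFFICE365        Received =~ /\.outbound\.protection\.outlook\.com \[/

# Sending tenant as stamped by O365.  Anchored at both ends so that a
# look-alike tenant such as trusted-vendor.example.attacker.example does
# not match.  Keep this list to the few vendors you actually pay.
header   __OFFICE365_TRUST_ORG   X-OriginatorOrg =~ /^(?:trusted-vendor\.example|other-vendor\.example)$/i

# Only honour the trust list when the mail really came through O365;
# an X-OriginatorOrg header on its own is just text anyone can add.
meta     __O365_TRUSTED_TENANT   __RCVD_OFFICE365 && __OFFICE365_TRUST_ORG

# Invoice-related content in the subject or body (placeholder wording).
header   __INVOICE_SUBJ          Subject =~ /\b(?:invoice|remittance|payment|past due|purchase order|PO\s*#)\b/i
body     __INVOICE_BODY          /\b(?:invoice|remittance|payment (?:is )?due|purchase order)\b/i
meta     __INVOICE_RELATED       (__INVOICE_SUBJ || __INVOICE_BODY)

# Point 1: commonly abused platform.  Any O365 tenant that is not on the
# local trust list.  (Add similar metas for other freemail platforms.)
meta     LOCAL_O365_UNTRUSTED    __RCVD_OFFICE365 && !__O365_TRUSTED_TENANT
describe LOCAL_O365_UNTRUSTED    Sent via Office 365 by a tenant not on the local trust list
score    LOCAL_O365_UNTRUSTED    1.0

# Point 2: invoice-related mail, again exempting the trusted tenants.
meta     LOCAL_INVOICE_RELATED   __INVOICE_RELATED && !__O365_TRUSTED_TENANT
describe LOCAL_INVOICE_RELATED   Invoice-related wording from a sender not on the local trust list
score    LOCAL_INVOICE_RELATED   1.0
```

With the default 5.0 threshold this gives the three outcomes from the message above: an invoice from an unlisted O365 tenant carries +2.0 (effective threshold 3.0), an invoice from elsewhere carries +1.0 (effective threshold 4.0), and an invoice from a tenant on the trust list carries nothing extra; the whitelist_auth/whitelist_from_rcvd route mentioned above remains the alternative for legitimate senders that are not on O365. One caveat: a `header ... Received =~` rule matches any Received line in the message, including ones a sender adds before handing the mail to their own relay, so __RCVD_OFFICE365 is evidence rather than proof of origin; for the exemption rule in particular, it is worth checking the result against your trusted_networks setup before relying on it.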
