On 05/15/2018 08:26 PM, David B Funk wrote:
> On Tue, 15 May 2018, Alex wrote:
>> Hi,
>> We received another of those phishes as a result of a compromised O365
>> account.
>> https://pastebin.com/raw/Fv5NKRAP
>> Anyone able to take a look and provide ideas on how to block them? It
>> passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS.
>> It's missing headers, and I've written a rule to account for that, but
>> it would be great to have some other input.
>> Interestingly, it was passed through a mimecast system first.
>> The amount of Outlook/O365/Exchange headers in this email is enormous!
>> Thanks,
>> Alex
>
> For openers either totally lose "RCVD_IN_HOSTKARMA_W" &
> "RCVD_IN_DNSWL_LOW" rules, or set their score to something minimal (e.g.
> -0.1 instead of that honking -2.5), or create a rule that detects the
> message being from O365 and meta it with RCVD_IN_HOSTKARMA_W to then add
> an offsetting score to nullify the damage from RCVD_IN_HOSTKARMA_W WRT
> O365.

Due to the junk coming out of O365 lately I have set up OFFSET rules to
add back any whitelist points for messages received from O365. I grep'd
my rules for any rules that subtracted points and made meta rules to add
back the same amount. Due to the size of O365 you really can't allow
any of their IPs to subtract points.

> (Can we get the maintainers of RCVD_IN_HOSTKARMA_W to remove that
> contagion pit called O365 from their list of "good guy" sites?)

Yes, please! Good RBLs will not list large mail service providers like
Google and O365 in their whitelists since there is a mixture of ham and
spam.

> I've done a bit of all of the above so an incoming O365 message ends up
> with no "brownie points" at all, so it's only scored on the merits of
> its contents.
>
> Then look for custom anti-phish rulesets. Your example hit a rule
> "RULEGEN_PHISH2" which was in a file 90_rulegen_phish.cf on my server.
> (I'm sorry I don't remember where I got that from).
>
> Train Bayes, look for custom URIBL lists that might hit that pwned
> website.

I have seen quite a bit of junk coming out of mimecast.com's servers in
recent months. I am about to add them to my NOTRUST list which puts
them in the FREEMAIL category of commonly abused mail service providers.
Then my meta rules based on ENA_FREEMAIL will bump up points for email
coming through any NOTRUST servers.

--
David Jones
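The offset approach described in the thread (grep the score lines for rules that subtract points, then write meta rules that add the same amount back for O365 mail), as an added example that is not from any poster: a small Python generator for the compensating SpamAssassin rules. The `__FROM_O365` sub-rule and its `outbound.protection.outlook.com` Received-header pattern are my assumptions about how to detect O365 relays, and the sample score lines are constructed.

```python
import re

# Constructed sample of score lines as they might appear in local.cf;
# the numbers are made up for the example, not taken from the thread.
SAMPLE_RULES = """\
score RCVD_IN_HOSTKARMA_W -2.5
score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_SENDERSCORE_90_100 -1.0
score URIBL_BLACK 1.7
score MY_PHISH_RULE 3.0
"""

# Hypothetical sub-rule that fires when a Received: hop came from an O365
# outbound relay. The hostname pattern is an assumption, not from the thread.
O365_DETECT = (
    "header __FROM_O365 Received =~ "
    "/\\.outbound\\.protection\\.outlook\\.com\\b/i"
)

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$", re.M)

def negative_scores(rules_text):
    """Map rule name -> most negative score on its 'score' line.

    SpamAssassin allows one value or four (per Bayes/network setting);
    the minimum is the worst case number of points the rule can subtract.
    """
    out = {}
    for name, vals in SCORE_RE.findall(rules_text):
        try:
            scores = [float(v) for v in vals.split()]
        except ValueError:
            continue  # not a plain numeric score line; skip it
        if min(scores) < 0:
            out[name] = min(scores)
    return out

def offset_rules(rules_text, tag="__FROM_O365", prefix="O365_OFFSET_"):
    """Emit meta rules that cancel each negative rule, but only for O365 mail."""
    lines = [O365_DETECT]
    for name, score in sorted(negative_scores(rules_text).items()):
        meta = f"{prefix}{name}"
        lines.append(f"meta {meta} ({name} && {tag})")
        lines.append(f"score {meta} {-score:.1f}")
        lines.append(f"describe {meta} Offset {name} for mail relayed via O365")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(offset_rules(SAMPLE_RULES))
```

Run the generated output through `spamassassin --lint` after dropping it into a `.cf` file, since a typo in a meta expression is silently treated as never matching.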