On 11/16/18 7:44 AM, Robert Fitzpatrick wrote:
> We're having an issue with spam coming from the same company even though
> SPF and DKIM are set up with DMARC to reject. Take this forwarded email
> for instance....
>
>> -------- Original message --------
>> From: User <u...@company.com>
>> Date: 11/15/18 10:42 AM (GMT-07:00)
>> To: Other User <other.u...@company.com>
>> Subject: OVERDUE INVOICE
>>
>> Sorry for the delay…. This is an invoice reminder. The total for your
>> item is $1,879.17.
>>
>> THX,
>> -
>> User
>> T 123.456.7890 | O 123.456.7891
>> EMail: u...@company.com
>
> However, the raw headers show as this...
>
>> Date: Thu, 15 Nov 2018 18:35:35 +0100
>> From: User <u...@company.com>
>>  <arte.fin...@creativegroup.com.ec>
>> To: other.u...@company.com
>> Message-ID: <860909106225419267.2007038e08376...@company.com>
>> Subject: OVERDUE INVOICE
>
> Could someone suggest a rule to match the signature with the last From
> email or envelope from? Or another suggestion how this could be resolved.
>
> Thanks!
From: John D. Smith <johnsm...@richland.edu> <cay...@corpmaqplast.com>
To: kdeu...@vianet.ca
Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>

Couple of things:

1. Recent discussions on this mailing list showed me that the Message-ID
   should never have the recipient's domain in it, so I set up a local meta
   rule to match all of my customer domains that I filter for with an inbound
   rule (like ALL_TRUSTED) to add a bunch of points.

2. Seems like there should be easy rules to detect more than one pair of
   angle brackets and more than one at sign, to add points to non-standard
   display names.

3. I add a point or two for invoice-related subjects just because I want to
   lower the bar for them being caught. Legit invoice senders should have
   other good rules hit that will offset this. I try to make legit invoice
   senders score just below the block threshold so anything suspicious like
   that From: or Message-ID: header will push it over the limit.

You can set up logwatch or grep your mail logs often from cron to alert you
when your invoice-related rules are hit so you don't cause a problem blocking
a real invoice in the first month or two as you are tuning your rules and
scores.

-- 
David Jones
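The detection logic behind Robert's question and David's points 1 and 2, as an added example (my own Python, not a rule posted by either of them and not SpamAssassin code): it unfolds the raw headers, flags a From: header with more than one angle-bracket pair or more than one @, flags a display name that carries an address whose domain differs from the real addr-spec (the last <...>), and flags a Message-ID whose domain is one of the receiving site's own domains. It runs over the two header sets quoted in the thread (truncated addresses kept as posted) plus a constructed legitimate invoice as a control. The rule names, the point values and the `company.com` / `vianet.ca` local-domain set are assumptions for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed test messages. The first two reproduce the From:/To:/Message-ID:
# headers quoted in the thread (truncated addresses left as posted); the third
# is an invented legitimate invoice used as a control.
SPOOFED_INVOICE = """\
Date: Thu, 15 Nov 2018 18:35:35 +0100
From: User <u...@company.com>
 <arte.fin...@creativegroup.com.ec>
To: other.u...@company.com
Message-ID: <860909106225419267.2007038e08376...@company.com>
Subject: OVERDUE INVOICE
"""

SPOOFED_SMITH = """\
From: John D. Smith <johnsm...@richland.edu> <cay...@corpmaqplast.com>
To: kdeu...@vianet.ca
Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>
Subject: Invoice
"""

LEGIT_INVOICE = """\
From: Accounts Payable <ap@supplier.example>
To: other.user@company.com
Message-ID: <20181115.1234@mail.supplier.example>
Subject: Invoice 4471 for October
"""

# Hypothetical scores; tune them against your own traffic, as the reply advises.
SCORES = {
    "FROM_MULTI_ANGLE": 2.0,       # more than one <...> pair in From:
    "FROM_MULTI_AT": 1.5,          # more than one @ in From:
    "FROM_NAME_DOMAIN_DIFF": 3.0,  # display name holds an address from another domain
    "MSGID_LOCAL_DOMAIN": 2.5,     # Message-ID claims one of our inbound domains
    "SUBJ_INVOICE": 1.0,           # lower the bar for invoice lures
}

ANGLE_ADDR = re.compile(r"<\s*([^<>\s@]+)@([^<>\s@]+)\s*>")
BARE_ADDR = re.compile(r'[^\s<>"]+@([^\s<>"]+)')
SUBJ_INVOICE = re.compile(r"\binvoice\b", re.IGNORECASE)


def parse_headers(raw: str) -> Dict[str, str]:
    """Minimal header parser: unfolds continuation lines, lowercases field names."""
    headers: Dict[str, str] = {}
    last = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()   # folded line, as in the spoofed From:
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def from_rules(from_value: str) -> List[str]:
    """Rules on From:. The last <...> is the addr-spec a client will reply to;
    everything before it is display name, where the fake address is planted."""
    hits: List[str] = []
    angles = ANGLE_ADDR.findall(from_value)
    if len(angles) > 1:
        hits.append("FROM_MULTI_ANGLE")
    if from_value.count("@") > 1:
        hits.append("FROM_MULTI_AT")
    if angles:
        real_domain = angles[-1][1].lower()
        display_name = from_value[: from_value.rfind("<")]
        for m in BARE_ADDR.finditer(display_name):
            if m.group(1).lower() != real_domain:
                hits.append("FROM_NAME_DOMAIN_DIFF")
                break
    return hits


def msgid_rule(msgid_value: str, local_domains: Set[str]) -> List[str]:
    """Message-ID is minted by the sending system, so inbound mail should not
    carry one of our own domains there. Apply only to inbound/untrusted mail
    (David's ALL_TRUSTED-style gate) or your own users' outbound mail will hit."""
    m = re.search(r"@([^>\s]+)", msgid_value)
    if not m:
        return []
    domain = m.group(1).lower()
    for local in local_domains:
        if domain == local or domain.endswith("." + local):
            return ["MSGID_LOCAL_DOMAIN"]
    return []


def score_message(raw: str, local_domains: Set[str]) -> Tuple[List[str], float]:
    """Return (rules hit, total points) for one raw header block."""
    h = parse_headers(raw)
    hits = from_rules(h.get("from", ""))
    hits += msgid_rule(h.get("message-id", ""), local_domains)
    if SUBJ_INVOICE.search(h.get("subject", "")):
        hits.append("SUBJ_INVOICE")
    return hits, sum(SCORES[r] for r in hits)


if __name__ == "__main__":
    samples = [("spoofed invoice", SPOOFED_INVOICE), ("spoofed Smith", SPOOFED_SMITH),
               ("legit invoice", LEGIT_INVOICE)]
    for label, raw in samples:
        hits, total = score_message(raw, {"company.com", "vianet.ca"})
        print(f"{label}: {total:.1f} {hits}")
```

The same regexes drop straight into SpamAssassin `header` rules, for instance `header FROM_MULTI_ANGLE From =~ /<[^>]*>.*<[^>]*>/` and `header FROM_MULTI_AT From =~ /@.*@/`, with the Message-ID test wrapped in a `meta` rule such as `meta MSGID_LOCAL_DOMAIN (__MSGID_OUR_DOMAIN && !ALL_TRUSTED)` so it only fires on mail arriving from outside. SpamAssassin's `From:name` header modifier gives you the display name alone, which is a cleaner place to look for a planted address than the whole header. The legitimate control scores only the invoice-subject point, which is the intended behaviour: that rule is a nudge, and it should be watched in the logs while the scores settle.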