On Sat, 17 Nov 2018, David Jones wrote:
On 11/16/18 7:44 AM, Robert Fitzpatrick wrote:
We're having an issue with spam coming from the same company even though
SPF and DKIM are set up with DMARC to reject. Take this forwarded email
for instance....
-------- Original message --------
From: User <u...@company.com>
Date: 11/15/18 10:42 AM (GMT-07:00)
To: Other User <other.u...@company.com>
Subject: OVERDUE INVOICE
Sorry for the delay…. This is an invoice reminder. The total for your
item is $1,879.17.
THX,
-
User T 123.456.7890 | O 123.456.7891 EMail:u...@company.com
However, the raw headers show as this...
Date: Thu, 15 Nov 2018 18:35:35 +0100
From: User <u...@company.com>
<arte.fin...@creativegroup.com.ec>
To: other.u...@company.com
Message-ID: <860909106225419267.2007038e08376...@company.com>
Subject: OVERDUE INVOICE
Could someone suggest a rule to match the signature with the last From
email or envelope from? Or another suggestion how this could be resolved.
Thanks!
From: John D. Smith <johnsm...@richland.edu> <cay...@corpmaqplast.com>
To: kdeu...@vianet.ca
Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>
Couple of things:
1. Recent discussions on this mailing list showed me that the Message-ID
should never have the recipient's domain in it
That's not 100% true.
There is no requirement that the sender put a Message-ID on the message.
It is valid for your MTA to add a Message-ID onto a message that was
received without one. That is likely going to be done using your domain.
I'd suggest a filter on Message-ID domain would be more appropriate at the
MTA level than in SA - if a message is received from outside with a
Message-ID having a domain that you control, reject it at that point,
before the possibility of adding a local one because it's missing becomes
a source of ambiguity.
I do something similar with HELO. You might want to look into that too -
check your logs for the HELOs that spammers are using, there are
low-hanging fruit there (that I'm reluctant to discuss publicly).
2. Seems like there should be easy rules to detect more than one pair of
angle brackets and more than one at sign to add points to non-standard
display names.
There probably are. A big question is: does that appear enough in the
masscheck corpora to be promoted as a useful rule?
3. I add a point or two for invoice-related subjects just because I want
to lower the bar for them being caught. Legit invoice senders should
have other good rules hit that will offset this. I try to make legit
invoice senders score just below the block threshold so anything
suspicious like that From: or Message-ID: header will push it over the
limit.
You can set up logwatch or grep your mail logs often from cron to alert
you when your invoice-related rules are hit so you don't cause a problem
blocking a real invoice in the first month or two as you are tuning your
rules and scores.
Good suggestions.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows and its users got mentioned at home today, after my wife the
psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
-----------------------------------------------------------------------
597 days since the first commercial re-flight of an orbital booster (SpaceX)
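To try the three checks from the list above (double address in From:, a Message-ID carrying your own domain on mail that arrived from outside, and a small nudge for invoice subjects) before committing them as SpamAssassin rules, here is an added example that is not code from the posters or from SpamAssassin. It runs the same header tests in Python over constructed messages; the LOCAL_DOMAINS set, the scores, the 5.0 threshold and the from_outside flag (standing in for SpamAssassin's trusted/internal network logic) are assumptions.

```python
"""Header heuristics for the From:/Message-ID:/Subject: patterns discussed
in the thread.  Added example: not code from the list posters or from
SpamAssassin.  It mirrors what SpamAssassin "header" rules would test, so a
rule can be tried on a captured message before committing scores to local.cf.
"""
import re
from email import message_from_string

# Assumption: domains this site is authoritative for.  A Message-ID carrying
# one of these on a message that arrived from outside is suspect (point 1 in
# the thread).  Do this at the MTA if you can: once your own MTA has added a
# missing Message-ID with the local domain, the signal is ambiguous.
LOCAL_DOMAINS = {"company.com"}

# Assumed scores; SpamAssassin's default required_score is 5.0.
SCORES = {
    "FROM_DOUBLE_ADDR": 2.5,    # two <...> pairs or two '@' in From: (point 2)
    "MSGID_LOCAL_DOMAIN": 2.0,  # Message-ID domain is ours, origin is external
    "SUBJ_INVOICE": 1.0,        # nudge invoice-themed subjects (point 3)
}
REQUIRED_SCORE = 5.0

RE_ANGLE = re.compile(r"<([^<>]*)>")
RE_INVOICE = re.compile(r"\b(invoice|overdue|past\s+due|remittance)\b", re.I)


def unfold(value):
    """Collapse RFC 5322 folding whitespace so the regexes see one line."""
    return " ".join((value or "").split())


def msgid_domain(msgid):
    """Return the domain part of a Message-ID, lower-cased, or '' if absent."""
    m = re.search(r"@([^>\s]+)>?\s*$", unfold(msgid))
    return m.group(1).lower() if m else ""


def check_headers(raw, from_outside=True):
    """Run the three checks on a raw message (headers, blank line, body).

    from_outside is an assumption standing in for SpamAssassin's
    trusted/internal network logic: True means the last trusted hop
    received the message from a non-local host.
    Returns (hits, score); hits is the list of rule names that fired.
    """
    msg = message_from_string(raw)
    hits = []

    # Point 2: a display-name trick like  User <a@ours> <b@theirs>
    # leaves two bracket pairs and two '@' in one From: header.
    frm = unfold(msg.get("From"))
    if len(RE_ANGLE.findall(frm)) >= 2 or frm.count("@") >= 2:
        hits.append("FROM_DOUBLE_ADDR")

    # Point 1: our domain in the Message-ID on externally received mail.
    if from_outside and msgid_domain(msg.get("Message-ID")) in LOCAL_DOMAINS:
        hits.append("MSGID_LOCAL_DOMAIN")

    # Point 3: lower the bar for invoice-themed subjects.
    if RE_INVOICE.search(unfold(msg.get("Subject"))):
        hits.append("SUBJ_INVOICE")

    score = round(sum(SCORES[h] for h in hits), 1)
    return hits, score


def is_spam(raw, from_outside=True):
    """True when the assumed scores push the message over the threshold."""
    return check_headers(raw, from_outside)[1] >= REQUIRED_SCORE


# Constructed samples (not the messages quoted in the thread).
SPOOFED = """\
Date: Thu, 15 Nov 2018 18:35:35 +0100
From: User <user@company.com>
 <sender@example.net>
To: other.user@company.com
Message-ID: <20181115173535.4f2a@company.com>
Subject: OVERDUE INVOICE

This is an invoice reminder.
"""

VENDOR_INVOICE = """\
From: Acme Billing <billing@example.org>
To: ap@company.com
Message-ID: <20181115.1234@example.org>
Subject: Invoice 1234 for October

Please find the attached invoice.
"""

# Submitted internally without a Message-ID and stamped by our own MTA: the
# domain is ours, but the mail did not come from outside, so the Message-ID
# check must not fire.
LOCAL_NO_MSGID = """\
From: Colleague <colleague@company.com>
To: other.user@company.com
Message-ID: <5bed8b7f.1c69fb81.2a3c4.7b1d@company.com>
Subject: lunch?

Noon?
"""

if __name__ == "__main__":
    for name, raw, ext in (("spoofed", SPOOFED, True),
                           ("vendor", VENDOR_INVOICE, True),
                           ("local", LOCAL_NO_MSGID, False)):
        hits, score = check_headers(raw, ext)
        print(f"{name:8} score={score:<4} spam={score >= REQUIRED_SCORE} hits={hits}")
```

The spoofed sample fires all three checks and lands at 5.5, the vendor invoice only gets the 1.0 nudge, and the locally submitted message scores nothing, which is the balance point 3 aims for. In SpamAssassin the From: check is a plain `header` rule on From with the same regex; the Message-ID check is better placed at the MTA, as John suggests, because SpamAssassin only sees the header after the MTA may have added one itself.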