On 21.11.19 13:24, Dave Goodrich wrote:
I know I will incur some wrath for this but I have the Mayor breathing down my 
neck. We stop nearly all spam now, but some does get through. Mostly it has 
been mail from gmail and outlook servers that pass DKIM and SPF.

This morning a large number of messages appearing to come from the Mayor were 
delivered. The email is technically legitimate and was scored appropriately. 
Unfortunately, the From address was in the following format 'the Mayor's display name 
<random-numb...@gmail.com>'. So, everyone who saw the message opened it because 
it looked like it came from the Mayor. Then they called the Mayor's office.

- The message was benign.
- The users know to hover over display names to check the address, but this was 
the Mayor. They did not.
- All mail delivered locally comes through our server. No one is allowed to use 
their City email address on non-City devices. Had the address been correct, it 
would have been stopped.

Even if only for this one account, I need a rule to check that the Mayor's 
display name matches the Mayor's email account and I am at a loss how to manage 
that with SA rule structure.

Any thoughts on that or has anyone done something similar?

Unfortunately this kind of targeted spam or phishing is becoming very
common. I have seen it within multiple companies we maintain mail for
(and they have complained).

However, as the others already noted, it's quite hard to get all possible
permutations of a name, and also, names are not very unique, so there may be
legitimate mail from an outside user with the same or a similar name.

While we can create rules to match the Mayor's name:

https://mail-archives.apache.org/mod_mbox/spamassassin-users/201911.mbox/<ed2b24b10a460a9df102d00499d3482f7cbdf605.camel%40gregorie.org>

we must also consider permutations, and even then we won't be 100% sure.

# display name looks like the Mayor's (case-insensitive, optional middle initial)
header  __SM1           From:name =~ /\bJohn\s+(?:M\.?\s+)?Mayor\b/i
# his real address, anchored at both ends
header  __SM2           From:addr =~ /^john\.mayor@example\.org$/i
# fire only when the name matches but the address is someone else's
meta    SPOOFED_MAYOR   (__SM1 && !__SM2)
describe SPOOFED_MAYOR  Mayor's display name with a foreign From address
score   SPOOFED_MAYOR   5

Tagging the subject in this case should help a lot, but people must still make
sure for themselves. That's why some people have for years recommended using
PGP or S/MIME mail signatures.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
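
The following is an added example, not code from the thread or from SpamAssassin. It
mirrors the SPOOFED_MAYOR meta rule above in Python so the logic can be run against
sample From: headers, and it goes a step further on the "permutations" problem Matus
raises: the display name is normalised (case, accents, punctuation, token order, a given
name reduced to an initial, RFC 2047 encoded-words) before being compared against a
directory of protected people. The protected identity "John Mayor" /
john.mayor@example.org and every sample header are constructed for illustration. The
second-to-last sample shows the caveat from the reply: a legitimate outsider who really
is called John Mayor also trips the check, which is why this deserves a score, not a
reject. Cyrillic or Greek homoglyphs are not folded by this normalisation.

```python
"""Display-name spoofing check mirroring the SPOOFED_MAYOR meta rule.
Example code added to the thread; not from the post or SpamAssassin.
Protected identity and all sample headers are constructed for illustration."""
import base64
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical directory of protected people: display name -> addresses they may use.
PROTECTED = {
    "John Mayor": {"john.mayor@example.org"},
}


def _tokens(name: str) -> list:
    """Lowercase ASCII word tokens with accents folded and punctuation dropped,
    so 'Mayor, John', '"John  M. Mayor"' and 'Jöhn Mayor' tokenize alike.
    Limitation: Cyrillic/Greek homoglyphs are not folded by NFKD."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return re.findall(r"[a-z]+", folded.lower())


def name_matches(display_name: str, protected_name: str) -> bool:
    """True when display_name is a plausible rendering of protected_name:
    order-insensitive, extra middle names/titles ignored, given names may be
    reduced to an initial, but the surname must appear in full."""
    want = _tokens(protected_name)
    got = _tokens(display_name)
    full = {t for t in got if len(t) > 1}
    initials = {t for t in got if len(t) == 1}
    if want[-1] not in full:  # surname required in full ("J. M." is not enough)
        return False
    return all(w in full or w[0] in initials for w in want)


def check_from(from_header: str, protected=PROTECTED):
    """Return (hit, reason). hit is True in the SPOOFED_MAYOR case: the display
    name matches a protected person but the address is not one of theirs.
    RFC 2047 encoded-words are decoded first, as SpamAssassin does for From:name."""
    decoded = str(make_header(decode_header(from_header)))
    name, addr = parseaddr(decoded)
    addr = addr.lower()
    for pname, allowed in protected.items():
        if not name_matches(name, pname):
            continue
        if addr in allowed:
            return False, f"{pname}: display name and address agree"
        return True, f"{pname!r} display name used with foreign address {addr!r}"
    return False, "no protected display name"


# Constructed sample From: headers (not real messages).
_ENCODED = base64.b64encode("John M. Mayor".encode()).decode()
SAMPLES = [
    "John Mayor <john.mayor@example.org>",                    # genuine
    "John Mayor <random-numbers@gmail.com>",                  # the case in the post
    '"Mayor, John" <x1@gmail.com>',                           # reordered
    f"=?UTF-8?B?{_ENCODED}?= <x2@gmail.com>",                 # encoded-word display name
    '"John Mayor <john.mayor@example.org>" <x3@gmail.com>',   # real address smuggled into the name
    "J. Mayor <x4@gmail.com>",                                # given name as initial
    "John Mayor <john.mayor@outlook.com>",                    # legit outsider: false positive risk
    "Jane Mayor <x5@gmail.com>",                              # different person, no hit
]


def run_samples(samples=SAMPLES) -> dict:
    """Map each sample header to its (hit, reason) result."""
    return {s: check_from(s) for s in samples}


if __name__ == "__main__":
    for hdr, (hit, why) in run_samples().items():
        print(f"{'SPOOFED' if hit else 'ok     '}  {hdr}\n          {why}")
```

Running the script prints one line per sample; six of the eight are flagged, including the
outsider with the same real name, which is the residual risk the reply warns about.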
