On Mon, 2020-08-24 at 12:00 -0400, micah anderson wrote:
> We are regularly getting phishes from dhl, fedex, usps, amazon,
> netflix, spotify that fake the From (eg. amazon
> <p...@biggung1892301.com> wants to send me an amadon-legit.pdf).
>
> I'm wondering if anyone has made a rule that looks to see if the From
> contains amazon, but it is not amazon.com/.ca/.jp (all their TLDs),

Try it yourself: something like this:

header SUBRULE13a From:name =~ /Amazon/
header SUBRULE13b From:addr =~ /amazon/
meta   SUBRULE13  (SUBRULE13a != SUBRULE13b)
score  SUBRULE13  10

should work, though the text in the regex will probably need tweaking to
match actual spam. You'll need to collect examples of spam from all these
sources to test your rules against.

Also:

- the regexes may need alternates if, say, you see variations in the name
  text or if you want the addr regex to include more than just the bare
  domain name
- of course you'll need a separate rule for each spam source
- another spam warning is email where the domain name in the Message-ID
  doesn't match the one in the From address.

I'm not seeing anything that looks like the spam you're getting, but if I
did, that's the type of rule I'd be writing to trap the garbage.

Martin
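The two heuristics Martin describes (a From: display name that claims a brand while the From: address is not on that brand's own domains, and a Message-ID domain that differs from the From: domain) as a stand-alone Python check. This is an added example, not code from the thread or from SpamAssassin; the brand-to-domain table, the rule names, the scores and the sample messages are all constructed for illustration, and the brand list would need to be maintained from your own legitimate mail.

```python
"""Brand-impersonation checks on From: and Message-ID headers.

Added example (not from the original thread).  Implements the same idea
as the SpamAssassin rule sketched above, generalised to several brands:
if the From: display name mentions a brand but the From: address is not
on that brand's domain list, flag it.  Also implements the Message-ID
domain mismatch heuristic.  Everything below (brand table, scores,
sample messages) is constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed brand -> legitimate sending domains.  Illustrative only; a real
# deployment would build this from observed legitimate mail per brand.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.ca", "amazon.co.jp"},
    "dhl": {"dhl.com", "dhl.de"},
    "netflix": {"netflix.com"},
}

# Constructed scores, mirroring the "score SUBRULE13 10" idea above.
SCORE_BRAND_MISMATCH = 10
SCORE_MSGID_MISMATCH = 2   # weak signal on its own, so scored low


def addr_domain(addr):
    """Lowercase domain part of an address or Message-ID, '' if absent."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip("<> ").lower()


def domain_belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def from_brand_mismatch(from_header):
    """Return the brand named in the From: display name whose domain list
    does not cover the From: address domain, or None if there is none."""
    name, addr = parseaddr(from_header)
    name_l = name.lower()
    domain = addr_domain(addr)
    for brand, allowed in BRAND_DOMAINS.items():
        # \b keeps "amazon" from matching inside unrelated words.
        if re.search(r"\b" + re.escape(brand) + r"\b", name_l) \
                and not domain_belongs_to(domain, allowed):
            return brand
    return None


def msgid_domain_mismatch(from_header, message_id):
    """True if the Message-ID domain differs from the From: address domain
    (a subdomain of the From: domain is accepted as matching).  Many
    legitimate MTAs generate their own Message-IDs, so treat as weak."""
    _, addr = parseaddr(from_header)
    fd = addr_domain(addr)
    md = addr_domain(message_id or "")
    return bool(fd and md) and fd != md and not md.endswith("." + fd)


def score_message(raw):
    """Run both checks over a raw RFC 822 message; return score and hits."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    hits, score = [], 0
    brand = from_brand_mismatch(from_hdr)
    if brand:
        hits.append("FROM_NAME_BRAND_MISMATCH:" + brand)
        score += SCORE_BRAND_MISMATCH
    if msgid_domain_mismatch(from_hdr, msg.get("Message-ID", "")):
        hits.append("MSGID_DOMAIN_MISMATCH")
        score += SCORE_MSGID_MISMATCH
    return {"score": score, "hits": hits}


# Constructed sample messages (not real mail).
PHISH_AMAZON = (
    "From: Amazon <noreply@biggung1892301.com>\n"
    "Message-ID: <20200824120000.ABC@mx.relay.example>\n"
    "Subject: Your order\n\nbody\n"
)
LEGIT_AMAZON = (
    'From: "Amazon.com" <ship-confirm@amazon.com>\n'
    "Message-ID: <order123@amazon.com>\n"
    "Subject: Your order\n\nbody\n"
)
LEGIT_AMAZON_SUB = (
    'From: "Amazon Web Services" <no-reply@mail.amazon.com>\n'
    "Message-ID: <n1@mail.amazon.com>\n"
    "Subject: Notice\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in [("phish", PHISH_AMAZON), ("legit", LEGIT_AMAZON),
                       ("legit-sub", LEGIT_AMAZON_SUB)]:
        print(label, score_message(raw))
```

The subdomain allowance in `domain_belongs_to` is what keeps `mail.amazon.com` style senders from firing the brand rule, which a bare `From:addr =~ /amazon/` also handles but at the cost of matching lookalike domains such as `amazon-delivery.example`; the allow-list approach is what the original question (only amazon.com/.ca/.jp count) actually asks for.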