On Mon, 24 Aug 2020, Martin Gregorie wrote:

> On Mon, 2020-08-24 at 12:00 -0400, micah anderson wrote:
> > We are regularly getting phishes from dhl, fedex, usps, amazon,
> > netflix, spotify that fake the from (e.g. amazon <
> > p...@biggung1892301.com> wants to send me an amadon-legit.pdf).
> > I'm wondering if anyone has made a rule that looks to see if the From
> > contains amazon, but it is not amazon.com/.ca/.jp (all their TLDs),
>
> Try it yourself: something like this:
>
> header SUBRULE13a From:name =~ /Amazon/
> header SUBRULE13b From:addr =~ /amazon/

Might want some \b in there, just to be safe. The from check would also
hit domains like "amazon-river.org". Perhaps:

  header SUBRULE13a From:name =~ /\bAmazon\b/
  header SUBRULE13b From:addr =~ /\bamazon\.com$/

> meta SUBRULE13 (SUBRULE13a != SUBRULE13b)

That seems too broad, you're assuming mail from amazon.com always has
"amazon" in the sender name. Perhaps:

  meta SUBRULE13 SUBRULE13a && !SUBRULE13b
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The yardstick you should use when considering whether to support a
given piece of legislation is "what if my worst enemy is chosen to
administer this law?"
-----------------------------------------------------------------------
Today: the 1941st anniversary of the destruction of Pompeii
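
Added example, not code from the thread: a Python check that runs the regexes posted above over constructed From headers and reports which meta formulation would fire on each. `parseaddr` stands in for SpamAssassin's `From:name` and `From:addr`, and `ADDR_STRICT` is an assumption added here, not a rule anyone in the thread posted.

```python
import re
from email.utils import parseaddr

# Patterns as posted in the thread (these Perl regexes behave the same in Python).
NAME_LOOSE = re.compile(r"Amazon")            # first SUBRULE13a
ADDR_LOOSE = re.compile(r"amazon")            # first SUBRULE13b
NAME_WORD = re.compile(r"\bAmazon\b")         # revised SUBRULE13a
ADDR_DOMAIN = re.compile(r"\bamazon\.com$")   # revised SUBRULE13b
# Assumption added here, not from the thread: \b also matches after '-',
# so anchor the domain on '@' or '.' instead.
ADDR_STRICT = re.compile(r"[@.]amazon\.com$")

# Constructed From headers; every address below is made up for the example.
SAMPLES = {
    "spoof": "Amazon <promo@biggung.example>",
    "legit_branded": "Amazon <orders@amazon.com>",
    "legit_unbranded": "Order Updates <auto-confirm@amazon.com>",
    "river": "Amazon <info@amazon-river.example>",
    "hyphen_lookalike": "Amazon <billing@secure-amazon.com>",
}


def evaluate(from_header):
    """Return which meta formulations would fire for one From header."""
    name, addr = parseaddr(from_header)   # stand-ins for From:name / From:addr
    a1, b1 = bool(NAME_LOOSE.search(name)), bool(ADDR_LOOSE.search(addr))
    a2, b2 = bool(NAME_WORD.search(name)), bool(ADDR_DOMAIN.search(addr))
    b3 = bool(ADDR_STRICT.search(addr))
    return {
        "first_neq": a1 != b1,             # first patterns, (a != b)
        "revised_neq": a2 != b2,           # \b patterns, (a != b)
        "revised_and_not": a2 and not b2,  # \b patterns, a && !b
        "strict_and_not": a2 and not b3,   # a && !b with the stricter anchor
    }


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        fired = [k for k, v in evaluate(header).items() if v]
        print(f"{label:17} {', '.join(fired) or '-'}")
```

The `legit_unbranded` row is the false positive the `!=` form produces, and the `hyphen_lookalike` row is a domain that `\bamazon\.com$` accepts as legitimate.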