> We are regularly getting phishes from dhl, fedex, usps, amazon, netflix,
> spotify that fake the From (e.g. amazon <p...@biggung1892301.com> wants
> to send me an amadon-legit.pdf). Usually these are previously unknown to
> pyzor, dcc, rbls, and domain reputation doesn't really exist[0].
>
> I'm wondering if anyone has made a rule that looks to see if the From
> contains amazon but it is not amazon.com/.ca/.jp (all their TLDs), then
> scores them up; if it also wants to drop a psd, or a tar.xz, or a png, or
> a pdf or whatever, then light them on fire.
I have rules similar to that to catch other things. I just made one for you to catch a spam that claims to be from USPS but is not. Simple modifications will catch other putative senders.

#-----------------------------------------------------------------------------------
# 08/24/2020
# Someone on the SA mailing list is upset about spams that claim to be from some
# reputable company, usually a package transfer company, but actually aren't.
# I have an example in today's spam, though it is caught by lots of other rules:
#
# From: USPS <store-n...@amazon.com>
#
# The negative lookahead is anchored right after the "@", before the domain is
# consumed; placed after the domain it would be tested against ">" and the rule
# would fire on real usps.com mail as well. Subdomains of usps.com are allowed,
# usps.com.example.net and notusps.com are not.

header NOT_FROM_USPS From =~ /\bUSPS\b[^<]*<[\w\-.]+\@(?![\w\-.]*\busps\.com\s{0,3}>)/
score NOT_FROM_USPS 1
describe NOT_FROM_USPS Claims to be from USPS, but isn't

I'm also including two general rules that catch this sort of stuff most of the time.

#-----------------------------------------------------------------------------------
# 01/21/08
# Return-Path: <bradshaw...@laposte.net>
# Message-Id: <20080121072522.16582.qmail@comp2>
# From: <f...@ferd.com>
#
# The From and the Return-Path should match.
# The From host and the Message-Id host should match.
# Both rules are skipped for the null sender (Return-Path: <>), i.e. bounces.

header __FROM_SENDER ALL =~ m'Return-Path:\s+<([^\n>]+)>.*\nFrom:(?:[^<\n]+<\1>|\s+\1$)'si
header __NULL_SENDER Return-Path =~ /<>/
meta NOT_FROM_SENDER !__FROM_SENDER && !__NULL_SENDER
score NOT_FROM_SENDER 1
describe NOT_FROM_SENDER Not from putative sender

# Return-Path: <jq...@fsuimail.ferris.edu>
# Message-ID: <7a9a01c85ca2$0fcbc910$c0a80102@Ricky>
#
# \1 is the first label of the Return-Path host; it must appear within the
# first 30 characters of the Message-Id host.

header __SENDER_MSGID ALL =~ m'Return-Path:[^\@\n]+\@([^>.]+).*\nMessage-Id:[^\@\n]+\@[\w.]{0,30}\1'si
meta NOT_SENDER_MSGID !__SENDER_MSGID && !__NULL_SENDER
score NOT_SENDER_MSGID 0.5
describe NOT_SENDER_MSGID Sender host doesn't match message-id host
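The three checks in the reply above, re-expressed in Python so they can be run over sample headers. This is an added illustration, not code from the thread or from SpamAssassin: the brand table (the Amazon domain list is an assumption taken from the question), the function names and the header samples are all constructed for this example. It goes one step beyond the posted rule by driving the "claims to be X but isn't at X's domain" check from a table of brands rather than a single USPS regex.

```python
import re
from email import message_from_string

# Brand name as it appears in the From display name -> domains that may
# legitimately send as that brand.  Constructed for this example; the Amazon
# entries are an assumption taken from the question (amazon.com/.ca/.jp).
BRAND_DOMAINS = {
    "USPS": ("usps.com",),
    "Amazon": ("amazon.com", "amazon.ca", "amazon.co.jp"),
}

# Scores mirror the posted rules: 1 for the two From checks, 0.5 for Message-ID.
SCORES = {"NOT_FROM_BRAND": 1.0, "NOT_FROM_SENDER": 1.0, "NOT_SENDER_MSGID": 0.5}

ANGLE_ADDR = re.compile(r"<([^<>\s]+)>")


def bare_address(value):
    """Lower-cased address from 'Name <user@host>' or 'user@host'; None if absent."""
    if not value:
        return None
    m = ANGLE_ADDR.search(value)
    return (m.group(1) if m else value.strip()).lower()


def domain_of(addr):
    """Host part of an address, or '' when there is no '@'."""
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else ""


def brand_mismatch(from_header):
    """NOT_FROM_USPS generalised: the display name names a brand but the
    address is not at that brand's domain or a subdomain of it.  Like the
    posted rule it only looks at 'Name <addr>' forms; 'usps.com.evil.example'
    and 'notusps.com' both count as mismatches."""
    if not from_header or "<" not in from_header:
        return False
    display = from_header.split("<", 1)[0]
    domain = domain_of(bare_address(from_header))
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(r"\b%s\b" % re.escape(brand), display, re.IGNORECASE):
            if not any(domain == d or domain.endswith("." + d) for d in allowed):
                return True
    return False


def check_headers(raw_headers):
    """Run the three checks over a raw header block; return {rule: score}."""
    msg = message_from_string(raw_headers)
    rp_raw = (msg.get("Return-Path") or "").strip()
    null_sender = rp_raw == "<>"          # bounces: __NULL_SENDER, skip sender rules
    return_path = None if null_sender else bare_address(rp_raw)
    from_addr = bare_address(msg.get("From"))
    msgid = bare_address(msg.get("Message-ID")) or ""
    hits = {}
    if brand_mismatch(msg.get("From")):
        hits["NOT_FROM_BRAND"] = SCORES["NOT_FROM_BRAND"]
    if not null_sender:
        # Return-Path and From should carry the same address.
        if return_path != from_addr:
            hits["NOT_FROM_SENDER"] = SCORES["NOT_FROM_SENDER"]
        # First label of the Return-Path host should appear in the Message-ID
        # host within its first 30 characters (the [\w.]{0,30}\1 of the rule).
        label = domain_of(return_path).split(".")[0]
        if label and not re.search(r"@[\w.]{0,30}" + re.escape(label), msgid):
            hits["NOT_SENDER_MSGID"] = SCORES["NOT_SENDER_MSGID"]
    return hits


def total_score(raw_headers):
    """Sum of the scores of the rules that fired."""
    return sum(check_headers(raw_headers).values())


# Constructed header samples, not real mail.
SPOOF = """Return-Path: <bounce@mail.example.net>
Message-ID: <20200824.1234@host.example.net>
From: USPS <tracking@promo-example.com>
Subject: Your package could not be delivered
"""
LOOKALIKE = """Return-Path: <ship@amazon.com.evil.example>
Message-ID: <q9@mta.evil.example>
From: Amazon <ship@amazon.com.evil.example>
"""
CLEAN = """Return-Path: <noreply@usps.com>
Message-ID: <abc123@mx1.usps.com>
From: USPS <noreply@usps.com>
"""
BOUNCE = """Return-Path: <>
Message-ID: <ndr@mx.example.org>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
"""

if __name__ == "__main__":
    for name, sample in [("SPOOF", SPOOF), ("LOOKALIKE", LOOKALIKE),
                         ("CLEAN", CLEAN), ("BOUNCE", BOUNCE)]:
        print(name, check_headers(sample), total_score(sample))
```

The lookalike sample is the case the brand check has to get right: amazon.com.evil.example is neither amazon.com nor a subdomain of it, so it scores, while a real subdomain such as mail.usps.com does not. The null-sender guard matters because bounces legitimately carry an empty Return-Path and would otherwise fail both consistency rules.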