On 20 Sep 2020, at 10:35, Daryl Rose wrote:

I tend to get a lot of phishing attempts, and they all get through.
This appears to come from Apple, but obviously is not.

Subject: Re: Purchase Notification - Here is confirmation of your order
Mail From: acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com

I can blacklist the email address, but I know that won't help. Is there a
rule that I can set up to catch more phishing attempts?

To catch (MOST) Apple phishing:
whitelist_auth *@*.apple.com
whitelist_auth *@apple.com
header FROM_APPLE From =~ /\bapple\b/i
describe FROM_APPLE Seems to claim to be from Apple
score FROM_APPLE 4
Similar combinations of whitelist_auth rules to clear mail that passes
SPF and/or DKIM authentication for a domain but strongly suspect
anything else that seems to claim to be from them.
Note that if you happen to be on mailing lists with Apple employee
participants using their apple.com addresses, you should take other
measures to favor the list mail, since mailing lists commonly break
author DKIM and SPF is applied to the list's domain.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
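
Added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of how the whitelist_auth entries and the FROM_APPLE rule above combine, run over three constructed messages, including the mailing-list case from the closing note. The -100 score for an authenticated whitelist hit, the SPF_AUTH_HIT/DKIM_AUTH_HIT labels, and all sample addresses are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase

# Patterns and the FROM_APPLE score are taken from the rules in the message above.
WHITELIST_AUTH = ["*@*.apple.com", "*@apple.com"]
FROM_APPLE = re.compile(r"\bapple\b", re.I)
FROM_APPLE_SCORE = 4.0
# Assumptions: -100 for a whitelist_auth hit; the *_AUTH_HIT names are made up here.
AUTH_HIT_SCORE = -100.0


def listed(addr):
    """True if addr matches one of the whitelist_auth globs."""
    addr = addr.lower()
    return any(fnmatchcase(addr, pat) for pat in WHITELIST_AUTH)


def evaluate(msg):
    """Return (rule hits, total score) for one message dict (simplified model).
    SPF variant: SPF passes and the envelope sender is listed. DKIM variant: a
    valid signature whose d= equals the From address's domain, address listed."""
    hits = []
    author = re.search(r"<([^>]+)>", msg["from"]).group(1)
    if FROM_APPLE.search(msg["from"]):
        hits.append(("FROM_APPLE", FROM_APPLE_SCORE))
    if msg["spf"] == "pass" and listed(msg["envelope_from"]):
        hits.append(("SPF_AUTH_HIT", AUTH_HIT_SCORE))
    if msg["dkim_valid_d"] == author.rsplit("@", 1)[1].lower() and listed(author):
        hits.append(("DKIM_AUTH_HIT", AUTH_HIT_SCORE))
    return [name for name, _ in hits], sum(score for _, score in hits)


# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": {"from": "Apple <no_reply@email.apple.com>",
                "envelope_from": "bounce@email.apple.com",
                "spf": "pass", "dkim_valid_d": "email.apple.com"},
    "phish": {"from": "Apple Support <billing@phish.example>",
              "envelope_from": "billing@phish.example",
              "spf": "pass", "dkim_valid_d": "phish.example"},
    "via_list": {"from": "Some Engineer <engineer@apple.com>",
                 "envelope_from": "users-bounces@lists.example.org",
                 "spf": "pass", "dkim_valid_d": None},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, *evaluate(msg))
```

The "via_list" message scores the same as the phish: the list's envelope sender is not listed and the author's DKIM signature did not survive, so only FROM_APPLE fires.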