On Sun, 8 Nov 2020, Daryl Rose wrote:
> I'm getting obvious phishing attempts. This one was made to look like it was from Wells Fargo with an obvious spoofed email address. However, when I examined the headers, the From Address was this garbage: *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably won't pass masscheck and get published because there are probably few examples of that in the corpus.
Added to my sandbox:

  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    body          __FUZZY_WELLSFARGO_BODY  /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
    replace_rules __FUZZY_WELLSFARGO_BODY
    header        __FUZZY_WELLSFARGO_FROM  From:name =~ /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
    replace_rules __FUZZY_WELLSFARGO_FROM
    meta          FUZZY_WELLSFARGO         __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
  endif

Do you have something like this in place?

  whitelist_auth *@wellsfargo.com
  blacklist_from *@wellsfargo.com
  whitelist_auth *@*.wellsfargo.com
  blacklist_from *@*.wellsfargo.com
  whitelist_auth *@bankofamerica.com
  blacklist_from *@bankofamerica.com
  whitelist_auth *@*.bankofamerica.com
  blacklist_from *@*.bankofamerica.com

--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org  pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Sheep have only two speeds: graze and stampede. -- LTC Grossman
-----------------------------------------------------------------------
 Tomorrow: The 82nd anniversary of Kristallnacht - disarmament enables genocide