On 1/4/2024 3:19 PM, Kirk Ismay wrote:
> I'm wondering if anyone has any good ideas to catch gift card scam
> emails. This latest version came from Gmail, and has valid DKIM
> records and the IPs are whitelisted.
>
> Thanks,
> Kirk
>
> Here's the hits from SpamAssassin:
>
> X-Spam-Status: No, score=0.3 required=5.0
> tests=DKIM_SIGNED,DKIM_VALID,
> DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
> RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
> T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6
>
> And here's the body:

(link to the body in a paste bin next time)

I catch the vast majority of these in postfix header_checks that
look for the boss' name and a few minor variants in From: and reject
if the sending address isn't the right one. This works well enough
for us since there are a limited number of $boss targets here. This
has also cut down on the "send a payment to" and other social
engineering scams that claim to be from the boss.

You could do the same thing in SA if you don't have too many $boss
targets.

I've not had much success with generalized rules - too many folks
here talk about gift cards in legit mail, some of it actually
business-related.

Good luck.

-- Noel Jones
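
An added example, not part of the message above and not the poster's actual configuration: one way the header_checks approach described there could be written as a Postfix PCRE table. The name "Jane Example", the address jane.example@example.com, the file path and the reject text are constructed placeholders.

```conf
# /etc/postfix/header_checks   (assumed path)
# Enabled in main.cf with:  header_checks = pcre:/etc/postfix/header_checks
#
# Constructed sample: the boss is "Jane Example" and the only address she
# really sends from is jane.example@example.com.
#
# Postfix PCRE tables match case-insensitively by default, so no flag is set.
# Lines between "if" and "endif" must not be indented: leading whitespace
# would make Postfix treat them as a continuation of the previous line.

# Step 1: the From: header carries the boss' name or a minor variant
# ("Jane Example", "Jane Q. Example", "J. Example", "Example, Jane").
if /^From:.*\b(jane\s+(q\.?\s+)?example|j\.?\s+example|example,\s*jane)\b/
# Step 2: reject unless the header ends with her real address in angle
# brackets. Anchoring at the end means the real address placed inside the
# display name of another sender does not satisfy the check.
!/^From:.*<jane\.example@example\.com>\s*$/ REJECT Sender name does not match sender address
endif
```

Replacing REJECT with WARN logs matches without rejecting while the name variants are tuned, and `postmap -q "From: ..." pcre:/etc/postfix/header_checks` shows what the table returns for a sample header.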