On 29/08/13 13:26, Michael Schaap wrote:
>
> # Punish fake LinkedIn mail
> header __FROM_LINKEDIN From =~ /\@linkedin\.com/i
> meta FROM_LINKEDIN_NO_SPF (__FROM_LINKEDIN && !SPF_PASS && !SPF_HELO_PASS)
> score FROM_LINKEDIN_NO_SPF 5.0
>
> This seems to do the trick for most of the messages.
>

Very dangerous - for one thing you're giving +5 to any email from a LinkedIn employee to a mailing-list - at least that should be "X-Envelope-From" instead of "From" (all the phishing emails I've seen related to this use unrelated envelope details).

This is what I'm using - it will only trigger on the invite Subject line with evidence it isn't from LinkedIn:

header __TRMB_LINKEDIN_FROM From =~ /\W(linkedin)\W/i
header __TRMB_LINKEDIN_RP X-Envelope-From =~ /\.linkedin\.com($|>$)/i
header __TRMB_LINKEDIN_INVITE Subject =~ /^Invitation to connect on LinkedIn/i
body __TRMB_LINKEDIN_BODY /(^|\W)(wants to connect with you on LinkedIn)\W/i
meta TRMB_LINKEDIN_SPAM (!__TRMB_LINKEDIN_RP && (__TRMB_LINKEDIN_INVITE || __TRMB_LINKEDIN_FROM) && __TRMB_LINKEDIN_BODY)
describe TRMB_LINKEDIN_SPAM Linkedin invite email with non-linkedin sender
score TRMB_LINKEDIN_SPAM 7.1

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
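
Added example, not part of either poster's message: a small Python harness that evaluates the two meta rules above, with the regexes copied from the thread, against three constructed messages, to show where each rule fires before it goes into a live config. The sample addresses, the mk() and evaluate() helpers, and the spf_pass flag (standing in for SPF_PASS || SPF_HELO_PASS, which SpamAssassin computes from the envelope sender) are assumptions.

```python
import re
from email import message_from_string

# Regexes copied from the two rule sets in the thread.
FROM_AT = re.compile(r"\@linkedin\.com", re.I)            # __FROM_LINKEDIN
FROM_WORD = re.compile(r"\W(linkedin)\W", re.I)           # __TRMB_LINKEDIN_FROM
ENV_RP = re.compile(r"\.linkedin\.com($|>$)", re.I)       # __TRMB_LINKEDIN_RP
INVITE = re.compile(r"^Invitation to connect on LinkedIn", re.I)
BODY = re.compile(r"(^|\W)(wants to connect with you on LinkedIn)\W", re.I)

def mk(frm, env, subj, body):
    """Build a minimal constructed message (hypothetical helper)."""
    return f"From: {frm}\nX-Envelope-From: {env}\nSubject: {subj}\n\n{body}\n"

def evaluate(raw, spf_pass):
    """Return (FROM_LINKEDIN_NO_SPF, TRMB_LINKEDIN_SPAM) for one message."""
    msg = message_from_string(raw)
    frm, env = msg.get("From", ""), msg.get("X-Envelope-From", "")
    subj, body = msg.get("Subject", ""), msg.get_payload()
    first = bool(FROM_AT.search(frm)) and not spf_pass
    second = (not ENV_RP.search(env)
              and bool(INVITE.search(subj) or FROM_WORD.search(frm))
              and bool(BODY.search(body)))
    return first, second

INVITE_TEXT = "John Smith wants to connect with you on LinkedIn."
# Constructed samples; all addresses are made up for illustration.
LIST_POST = mk("Jane Doe <jane@linkedin.com>",
               "<users-return-123@lists.example.org>",
               "Re: rule question", "Has anyone tested this rule?")
FAKE_INVITE = mk("LinkedIn <member@linkedin.com>",
                 "<bounce@mailer.example.net>",
                 "Invitation to connect on LinkedIn", INVITE_TEXT)
REAL_INVITE = mk("LinkedIn <invitations@linkedin.com>",
                 "<m-abc@bounce.linkedin.com>",
                 "Invitation to connect on LinkedIn", INVITE_TEXT)

if __name__ == "__main__":
    cases = [("list post, no SPF pass", LIST_POST, False),
             ("fake invite, envelope domain passes SPF", FAKE_INVITE, True),
             ("fake invite, no SPF pass", FAKE_INVITE, False),
             ("real invite, SPF pass", REAL_INVITE, True)]
    for name, raw, spf in cases:
        print(f"{name}: FROM_LINKEDIN_NO_SPF=%s TRMB_LINKEDIN_SPAM=%s"
              % evaluate(raw, spf))
```

The list post is the false positive described in the reply: only the From-based rule fires. The second case shows that an unrelated envelope domain with a passing SPF record slips past the From-plus-SPF rule but is still caught by the envelope check.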