On Mon, 18 Sep 2017, Alex wrote:
> Hi,
>
> I've whitelisted dropbox so I can use some aggressive rules to block
> phishing attacks involving dropbox. The problem I'm now having is
> legitimate dropbox accounts are being used to send malware with links
> to dropbox accounts to download these malicious files.
>
> https://pastebin.com/raw/PFpJeYDX
>
> This email likely would have been tagged if it wasn't for being
> whitelisted by SPF. The language in the body is clearly spam.
>
> Does anyone have any recommendations on how to handle this? I found
> this because two of my users reported it. We can report it to dropbox,
> but that's after the fact.

Don't whitelist dropbox as a whole. Whitelist specific real dropbox users
if you must to get them past SA, on explicit request. This of course
depends on the size of your userbase.

Alternatively, write a meta to offset *most* of the negative points from
the whitelisting, so that the rest of the rules do still have some chance
of having an effect.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Public Education: the bureaucratic process of replacing
an empty mind with a closed one. -- Thorax
-----------------------------------------------------------------------
Tomorrow: Talk Like a Pirate day
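
One way to write the offsetting meta suggested above, as an added example that is not part of the original message and not the SpamAssassin project's own rules. It assumes the whitelist was set with whitelist_from_spf for *@dropbox.com, which fires USER_IN_SPF_WHITELIST at its default score of -100; the LOCAL_* rule names, the domain pattern, the placeholder address and the 95-point offset are assumptions to adapt.

```conf
# local.cf: added example; LOCAL_* names, patterns and scores are assumptions.

# Broad entry as described in the thread (exact pattern assumed). On an SPF
# pass it fires USER_IN_SPF_WHITELIST (default score -100), which outweighs
# every content rule that hits on the body.
# On SpamAssassin 4.x the rule is named USER_IN_SPF_WELCOMELIST.
whitelist_from_spf  *@dropbox.com

# Subrules (double underscore = no score of their own): does the header From
# or the envelope sender claim dropbox.com? Limiting the meta to these keeps
# the offset away from any other whitelisted sender.
header   __LOCAL_FROM_DROPBOX  From:addr =~ /\@(?:[a-z0-9-]+\.)*dropbox\.com$/i
header   __LOCAL_ENV_DROPBOX   EnvelopeFrom:addr =~ /\@(?:[a-z0-9-]+\.)*dropbox\.com$/i

# Meta: fires only when the whitelist bonus was granted to a dropbox sender,
# and gives back most of it. -100 + 95 leaves a net bonus of -5, so at the
# default required_score of 5.0 the content rules need about 10 points to tag.
meta     LOCAL_DROPBOX_WL_OFFSET  (USER_IN_SPF_WHITELIST && (__LOCAL_FROM_DROPBOX || __LOCAL_ENV_DROPBOX))
describe LOCAL_DROPBOX_WL_OFFSET  Offsets most of the SPF whitelist bonus for dropbox
score    LOCAL_DROPBOX_WL_OFFSET  95.0

# The other suggestion in the reply: drop the broad entry and whitelist only
# specific senders on explicit request (placeholder address).
# whitelist_from_spf  requested.sender@dropbox.com
```

Check the file with `spamassassin --lint` before reloading, and tune the offset against mail that was wrongly passed.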