Dear Postfix users,
A user had their password guessed/leaked, and the account was used to
send spam/phishing messages – but only once an hour or so, so it wasn’t
detected as abnormal traffic. One detectable thing would have
been that the sent unsolicited messages used a different name than the
user in the From: field.
Jennifer Wood <not-w...@molgen.mpg.de>
To detect phishing messages on the receiving end, we already maintain a
list in regexp-header for “important” people, so names used in From:
have to match certain email addresses.
The names are already present in the user name or comment field in
`/etc/passwd` but also in some LDAP database.
Does somebody already have experience with implementing such a heuristic, and
is it useful¹? If it is useful, how could I do it? Probably an exact
match would cause too much trouble, as some users want to put their
academic title in the field too.
Kind regards,
Paul
¹ After a while the criminals are going to adapt, and just use the
correct name for the account.
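
The name comparison asked about above, as an added example that is not part of the original post and is not Postfix code: it checks a From: display name against the full name in an account's `/etc/passwd` comment field while tolerating academic titles and initials. The title list, the function names and the sample account are assumptions constructed for illustration; a milter or content filter that knows the authenticated sender would have to call it.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: titles to ignore on either side; extend for the local site.
TITLES = {"prof", "professor", "dr", "phd", "pd", "med", "rer", "nat",
          "ing", "dipl", "habil", "msc", "bsc"}

def gecos_full_name(passwd_line):
    """Full name is the first comma-separated subfield of passwd field 5."""
    return passwd_line.rstrip("\n").split(":")[4].split(",")[0]

def name_tokens(name):
    """Case-fold, strip accents, split into words, drop academic titles."""
    folded = unicodedata.normalize("NFKD", name.casefold())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return {t for t in re.findall(r"\w+", folded) if t not in TITLES}

def from_name_matches(from_header, account_name):
    """True if the From: display name is plausible for this account."""
    display, _addr = parseaddr(from_header)
    # Decode RFC 2047 encoded words such as =?utf-8?q?...?=
    display = str(make_header(decode_header(display)))
    shown = name_tokens(display)
    expected = name_tokens(account_name)
    if not shown:
        return True  # bare address, nothing to compare
    full = shown & expected   # name parts that match exactly
    rest = shown - expected   # leftovers must be initials of the real name
    initials_ok = all(len(t) == 1 and any(e.startswith(t) for e in expected)
                      for t in rest)
    return bool(full) and initials_ok

# Constructed sample account line, not taken from the post.
SAMPLE_PASSWD = "aexample:x:1001:1001:Alex Example,,,:/home/aexample:/bin/bash"

if __name__ == "__main__":
    real = gecos_full_name(SAMPLE_PASSWD)
    for hdr in ("Prof. Dr. Alex Example <aexample@example.org>",
                "A. Example <aexample@example.org>",
                "Jennifer Wood <aexample@example.org>"):
        print(from_name_matches(hdr, real), hdr)
```

A mismatch is better logged or used to hold the message for review than to reject it outright, since users legitimately vary how they write their names.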
Postfix-users mailing list -- postfix-users@postfix.org