Re: Custom rule to please the Mayor

2019-11-25 Thread Matus UHLAR - fantomas

On 21.11.19 13:24, Dave Goodrich wrote:

I know I will incur some wrath for this but I have the Mayor breathing down my 
neck. We stop nearly all spam now, but some does get through. Mostly it has 
been mail from gmail and outlook servers that pass DKIM and SPF.

This morning a large number of messages appearing to come from the Mayor were 
delivered. The email is technically legitimate and was scored appropriately. 
Unfortunately, the From address was in the following format 'the Mayor's display name 
'. So, everyone who saw the message opened it because 
it looked like it came from the Mayor. Then they called the Mayor's office.

- The message was benign.
- The users know to hover over display names to check the address, but this was 
the Mayor. They did not.
- All mail delivered locally comes through our server. No one is allowed to use 
their City email address on non-City devices. Had the address been correct, it 
would have been stopped.

Even if only for this one account, I need a rule to check that the Mayor's 
display name matches the Mayor's email account and I am at a loss how to manage 
that with SA rule structure.

Any thoughts on that or has anyone done something similar?


Unfortunately this kind of targeted spam or phish is becoming very
common. I have seen them within multiple companies we maintain mail for
(and they have complained).

However, as the others already noted, it's quite hard to get all possible
permutations of the name, and also, names are not very unique, so there may be
legitimate mail from an outside user having the same or a similar name.

While we can create rules to match the Mayor's name, we must also consider
permutations, and yet we won't be 100% sure:

header  __SM1   From:name =~ /\bJohn\s?(M\.?\s?)?\sMayor\b/
header  __SM2   From:addr =~ /^john\.mayor@example\.org$/
meta    SPOOFED_MAYOR   (__SM1 && !__SM2)
score   SPOOFED_MAYOR   5

Tagging the subject in this case should help much, but people must still be sure.
That's why some people have for years recommended using PGP or S/MIME mail
signatures.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: Custom rule to please the Mayor

2019-11-22 Thread Martin Gregorie
On Fri, 2019-11-22 at 13:01 +, RW wrote:
> On Fri, 22 Nov 2019 00:00:53 +
> Martin Gregorie wrote:
> 
> 
> > describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> > header   __SM1 From:name =~ /^John M Mayor$/
> > header   __SM2 From:addr =~ /^john\@cityhall\.com$/
> > meta     SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1
> > score    SPOOFED_MAYOR 5.0
> > 
> ..
> > The final " || ! __SM1" meta term is only needed if
> > you want to ensure that the name part must also be an exact match,
> > i.e. you assume that the user will notice that the sender name isn't
> > quite right, but a careful rule writer would not rely on that, hence
> > its inclusion.
> 
> I don't understand what you were aiming for here, but '|| ! _SM1'
> means that the rule will hit *anything* that doesn't match __SM1,
> which is almost everything.
> 
Quite. The original rule detected spoofs marked by having a correct
From:name part and an incorrect From:addr part - which is what the OP
wanted. Then I thought it would be useful to try to validate the name
part as well, which is what I was trying to do. A decent sleep later,
and it's obvious that doing this is complete BS: the only sensible form
of the rule uses this meta:

meta SPOOFED_MAYOR (__SM1 && !__SM2)

Doing anything apart from that would require a needlessly complex rule
(the OP's original message said that this spam was getting through
BECAUSE the From:name part was visually exactly what his mail recipients
were expecting to see).

Doing anything sensible beyond this probably requires a set of related
rules, ranging from a check on the Message-ID or initial MTA relay to
scanning the email body for signs of a spear phishing expedition etc.,
or even a dedicated plugin to do some sort of fuzzy match on acceptable
name parts, i.e. those using different charsets and/or glyphs but that
still look like the Mayor's name given a fairly quick glance.

Martin
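Martin's last paragraph points at fuzzy matching of name parts written with other charsets or glyphs. The following is an added Python example, not code from the thread and not a SpamAssassin plugin: it reduces a display name to a comparison "skeleton" (compatibility decomposition, accent stripping, a small constructed table of Cyrillic look-alikes standing in for the Unicode TR39 confusables data, then punctuation and spacing normalisation) and reports when a name that is not byte-identical to the Mayor's still collapses onto it. The Mayor's name is the placeholder used in the thread's rules; the sample names are constructed.

```python
import unicodedata

# Placeholder name taken from the thread's example rules.
MAYOR_NAME = "John M Mayor"

# Constructed, deliberately small look-alike table: Cyrillic letters whose
# glyphs are indistinguishable from Latin ones in most fonts. The full
# reference set is the Unicode TR39 confusables list (not embedded here).
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0408": "J", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def skeleton(name):
    """Reduce a display name to a comparison form: compatibility-decompose
    (folds full-width and ligature forms), drop combining accents, map the
    constructed look-alikes to ASCII, then normalise dots, spacing and case
    so 'John M. Mayor' and 'john  m mayor' compare equal to 'John M Mayor'."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = unicodedata.normalize("NFKC", s)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return " ".join(s.replace(".", " ").split()).casefold()


def scripts(name):
    """Set of script names (first word of the Unicode character name) for
    every alphabetic character in the raw, un-normalised display name."""
    found = set()
    for ch in name:
        if ch.isalpha():
            cname = unicodedata.name(ch, "")
            if cname:
                found.add(cname.split()[0])
    return found


def classify(display_name, target=MAYOR_NAME):
    """Return one of:
       'exact'               - byte-identical to the target
       'lookalike-variant'   - Latin-only text that collapses onto the target
                               (punctuation, spacing, case or accents differ)
       'lookalike-homoglyph' - collapses onto the target but uses characters
                               from outside the plain Latin script
       'no-match'            - does not resemble the target"""
    if display_name == target:
        return "exact"
    if skeleton(display_name) != skeleton(target):
        return "no-match"
    if scripts(display_name) <= {"LATIN"}:
        return "lookalike-variant"
    return "lookalike-homoglyph"


# Constructed sample display names for a stand-alone run.
SAMPLE_NAMES = [
    "John M Mayor",                      # exact
    "John M. Mayor",                     # dotted initial
    "J\u00f6hn M Mayor",                 # accented o
    "J\u043ehn M May\u043er",            # Cyrillic o in two places
    "\uff2a\uff4f\uff48\uff4e M Mayor",  # full-width "John"
    "Jane Doe",                          # unrelated
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "->", classify(name))
```

A rule built on this would score the two "lookalike-*" classes differently: a Latin-only variant is often a legitimate sender typing the name loosely, whereas a mixed-script hit combined with a non-matching From:addr is exactly the case the thread is trying to catch.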




Re: Custom rule to please the Mayor

2019-11-22 Thread RW
On Fri, 22 Nov 2019 00:00:53 +
Martin Gregorie wrote:


> describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> header   __SM1 From:name =~ /^John M Mayor$/
> header   __SM2 From:addr =~ /^john\@cityhall\.com$/
> meta     SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1
> score    SPOOFED_MAYOR 5.0
> 
..
> The final " || ! __SM1" meta term is only needed if
> you want to ensure that the name part must also be an exact match,
> i.e. you assume that the user will notice that the sender name isn't
> quite right, but a careful rule writer would not rely on that, hence
> its inclusion.

I don't understand what you were aiming for here, but '|| ! _SM1' means
that the rule will hit *anything* that doesn't match __SM1, which is
almost everything.

__SM1 is too prescriptive, even "John M. Mayor" won't match.
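The rule sets in this thread (Matus's permutation-tolerant name regex with the (__SM1 && !__SM2) meta, and Martin's exact-match name regex with the extra "|| ! __SM1" term that RW objects to) can be checked outside SpamAssassin. The following is an added Python example, not code from the thread or from SpamAssassin: it emulates the From:name and From:addr header selectors with email.utils.parseaddr (an assumption, since SpamAssassin's own address parsing differs in corner cases) and runs both meta forms over constructed From: header values using the placeholder address from Matus's post.

```python
import re
from email.utils import parseaddr

# Patterns copied from the thread. Matus's name regex tolerates the middle
# initial with or without a dot; Martin's requires the exact string.
NAME_PERMUTATIONS = re.compile(r"\bJohn\s?(M\.?\s?)?\sMayor\b")
NAME_EXACT = re.compile(r"^John M Mayor$")
# Address anchor from Matus's post (placeholder domain from the thread).
ADDR_MAYOR = re.compile(r"^john\.mayor@example\.org$")


def split_from(header_value):
    """Emulate SpamAssassin's From:name and From:addr selectors.
    Assumption: parseaddr's display-name/address split is close enough;
    SpamAssassin's own parser differs for comments, groups and odd quoting."""
    name, addr = parseaddr(header_value)
    return name.strip(), addr.strip()


def evaluate(header_value, name_re=NAME_PERMUTATIONS):
    """Return the sub-rule hits and both meta forms for one From: value."""
    name, addr = split_from(header_value)
    sm1 = bool(name_re.search(name))     # header __SM1 From:name =~ ...
    sm2 = bool(ADDR_MAYOR.search(addr))  # header __SM2 From:addr =~ ...
    return {
        "__SM1": sm1,
        "__SM2": sm2,
        # meta SPOOFED_MAYOR (__SM1 && !__SM2): the form the thread settles on.
        "SPOOFED_MAYOR": sm1 and not sm2,
        # Martin's first meta with the extra "|| ! __SM1" term. By boolean
        # simplification it equals !(__SM1 && __SM2), i.e. "anything that is
        # not the Mayor", which is why it fires on almost every message.
        "SPOOFED_MAYOR_WITH_NOT_SM1": (sm1 and not sm2) or not sm1,
    }


# Constructed From: header values (not real addresses).
SAMPLES = {
    "legitimate": '"John M Mayor" <john.mayor@example.org>',
    "freemail_spoof": '"John M. Mayor" <john.m.mayor@freemail.invalid>',
    "same_name_outsider": "John Mayor <jmayor@example.net>",
    "unrelated": "Alice Example <alice@example.com>",
}


def run_samples(name_re=NAME_PERMUTATIONS):
    """Evaluate every sample with the given __SM1 name pattern."""
    return {label: evaluate(value, name_re) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for pattern_name, pattern in (("permutations", NAME_PERMUTATIONS),
                                  ("exact", NAME_EXACT)):
        print(f"--- __SM1 = {pattern_name}")
        for label, hits in run_samples(pattern).items():
            fired = [r for r, v in hits.items() if v and not r.startswith("__")]
            print(f"{label:20s} {fired}")
```

Two things the run makes visible: with the permutation-tolerant pattern the "same_name_outsider" sample hits SPOOFED_MAYOR, which is the false-positive case Matus warns about, so the 5-point score is meant to be combined with other evidence rather than used as a sole reject; and the "|| ! __SM1" variant hits the "unrelated" sample, confirming RW's reading that it matches nearly everything.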




Re: Custom rule to please the Mayor

2019-11-21 Thread Kevin A. McGrail
Are you using, or able to use, 3.4.3-rc6? There is a new feature for this
that you can implement, called subjprefix, that can mark external emails
with External in the subject.  Depends on your usage.

On 11/21/2019 1:24 PM, Dave Goodrich wrote:
> Good day,
>
> I know I will incur some wrath for this but I have the Mayor breathing down 
> my neck. We stop nearly all spam now, but some does get through. Mostly it 
> has been mail from gmail and outlook servers that pass DKIM and SPF.
>
> This morning a large number of messages appearing to come from the Mayor were 
> delivered. The email is technically legitimate and was scored appropriately. 
> Unfortunately, the From address was in the following format 'the Mayor's 
> display name '. So, everyone who saw the message 
> opened it because it looked like it came from the Mayor. Then they called the 
> Mayor's office.
>
> - The message was benign.
> - The users know to hover over display names to check the address, but this 
> was the Mayor. They did not.
> - All mail delivered locally comes through our server. No one is allowed to 
> use their City email address on non-City devices. Had the address been 
> correct, it would have been stopped.
>
> Even if only for this one account, I need a rule to check that the Mayor's 
> display name matches the Mayor's email account and I am at a loss how to 
> manage that with SA rule structure.
>
> Any thoughts on that or has anyone done something similar?
>
> DAve
>
> --
> Dave Goodrich
> Information Technology
> City of Greenfield, Indiana 
> 317-477-4309

-- 
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Custom rule to please the Mayor

2019-11-21 Thread Benny Pedersen

On 2019-11-22 01:00, Martin Gregorie wrote:


describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
header   __SM1 From:name =~ /^John M Mayor$/
header   __SM2 From:addr =~ /^john\@cityhall\.com$/
meta     SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1
score    SPOOFED_MAYOR 5.0


he at least now loves anyone equal :=)

meta  SPOOFED_MAYOR1 __SM1 && ! __SM2
score SPOOFED_MAYOR1 5.0

meta  SPOOFED_MAYOR2 ! _SM1
score SPOOFED_MAYOR2 0.1


Re: Custom rule to please the Mayor

2019-11-21 Thread Martin Gregorie
On Thu, 2019-11-21 at 14:22 -0700, Grant Taylor wrote:
> I like the logic.
> 
> Unfortunately, you need to be very careful as you start to run into
> all the text permutations / homograph attacks.
> 
Fair comment. What you saw was hacked together to show the principle,
but not tested. 

Here's a tested version. In testing this I've assumed that if either the
name or the address isn't an exact match then the rule should fire. This
tests as fairly bullet proof:

describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
header   __SM1 From:name =~ /^John M Mayor$/
header   __SM2 From:addr =~ /^john\@cityhall\.com$/
meta     SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1
score    SPOOFED_MAYOR 5.0

> This type of rule may accidentally incur false positives too, so be 
> careful.
> 

Indeed. My original rule, which fires if the name part contains '@' or the
address part contains a space, can almost be checked by inspection.

The rule shown above requires the /^required text$/ construct to prevent
additions at either end of the required strings from slipping past
unnoticed. The final " || ! __SM1" meta term is only needed if you want to
ensure that the name part must also be an exact match, i.e. you assume
that the user will notice that the sender name isn't quite right, but a
careful rule writer would not rely on that, hence its inclusion.

It is not, however, needed for my original use of this rule type, which
uses two long lists, e.g. common selling phrases and products being
offered, simply assumes that any email that contains at least one match
from each list is spam. Given carefully chosen phrases that have been
seen in actual spam, my experience over several years shows that this
type of rule is pretty resistant to FPs while still spotting spam using
list content pairs that haven't been previously encountered.
 

Martin




Re: Custom rule to please the Mayor

2019-11-21 Thread Martin Gregorie
On Thu, 2019-11-21 at 14:22 -0700, Grant Taylor wrote:
> On 11/21/19 12:14 PM, Martin Gregorie wrote:
> > describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> > header   __SM1  From:name =~ /display name/
> > header   __SM2  From:addr =~ /email address/
> > meta     SPOOFED_MAYOR (__SM1 && ! __SM2)
> > score    SPOOFED_MAYOR 5.0
> 
> I like the logic.
> 
> Unfortunately, you need to be very careful as you start to run into
> all the text permutations / homograph attacks.
> 
> This type of rule may accidentally incur false positives too, so be
> careful.
> 
In general, yes, but in this case both patterns should be plaintext
strings.



Re: Custom rule to please the Mayor

2019-11-21 Thread RW
On Thu, 21 Nov 2019 11:12:47 -0800
Alan Hodgson wrote:


> Make sure your real mail streams are authenticated with DKIM and
> you're setup to use the whitelist_from_dkim rule; which I believe
> requires the header added by opendkim on received mail.

It doesn't.


Re: Custom rule to please the Mayor

2019-11-21 Thread Grant Taylor

On 11/21/19 12:14 PM, Martin Gregorie wrote:

describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
header   __SM1  From:name =~ /display name/
header   __SM2  From:addr =~ /email address/
meta     SPOOFED_MAYOR (__SM1 && ! __SM2)
score    SPOOFED_MAYOR 5.0


I like the logic.

Unfortunately, you need to be very careful as you start to run into all 
the text permutations / homograph attacks.


This type of rule may accidentally incur false positives too, so be careful.



--
Grant. . . .
unix || die





Re: Custom rule to please the Mayor

2019-11-21 Thread Martin Gregorie
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
>
> Any thoughts on that or has anyone done something similar?
> 
I have a similar rule that fires on From: headers with @ in the
name and a space in the address. I wrote it to spot rather obvious false
senders, but something like the following should work for you, obviously
with a suitable rule name and the correct display name and address used
by your mayor:

describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
header   __SM1  From:name =~ /display name/
header   __SM2  From:addr =~ /email address/
meta     SPOOFED_MAYOR (__SM1 && ! __SM2)
score    SPOOFED_MAYOR 5.0

Martin




Re: Custom rule to please the Mayor

2019-11-21 Thread Alan Hodgson
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
> Good day,
> I know I will incur some wrath for this but I have the Mayor breathing
> down my neck. We stop nearly all spam now, but some does get through.
> Mostly it has been mail from gmail and outlook servers that pass DKIM
> and SPF.
> This morning a large number of messages appearing to come from the
> Mayor were delivered. The email is technically legitimate and was
> scored appropriately. Unfortunately, the From address was in the
> following format 'the Mayor's display name '
> . So, everyone who saw the message opened it because it looked like it
> came from the Mayor. Then they called the Mayor's office.
> - The message was benign.
> - The users know to hover over display names to check the address, but
>   this was the Mayor. They did not.
> - All mail delivered locally comes through our server. No one is allowed
>   to use their City email address on non-City devices. Had the address
>   been correct, it would have been stopped.
> Even if only for this one account, I need a rule to check that the
> Mayor's display name matches the Mayor's email account and I am at a
> loss how to manage that with SA rule structure.
> Any thoughts on that or has anyone done something similar?

Make sure your real mail streams are authenticated with DKIM and you're
setup to use the whitelist_from_dkim rule; which I believe requires the
header added by opendkim on received mail.

whitelist_from_dkim *@yourdomain your_signing_domain

Then you can add a custom rule to add a large score to From =~ /mayor's
name/ and variants, possibly meta'd with FREEMAIL_FROM if you're only
concerned about gmail spoofs.

It'll only be so useful but at least you can catch the straight-up
imposter who isn't using charset encoding or spelling tricks to masq the
name.