On Thu, 11 May 2023, Marc wrote:
I was wondering if spamassassin is applying some sort of algorithm to
compare sender domain against recipient domain to detect a phishing
attempt?
There is a suite of meta rules and subrules with names containing
TO_EQ_FROM in the default rule channel. Consul
On Sat, 13 May 2023, Matus UHLAR - fantomas wrote:
But I was more interested if SA already has something like that?
It does not.
On Fri, 12 May 2023, Loren Wilton wrote:
Weren't there a whole set of "FUZZY" rules once?
On 12.05.23 20:01, John Hardin wrote:
There still are.
however
A while back I created a plugin for checking Levenshtein distance on From
and To domains, this might answer the problem?
An example configuration might look like this -
This would look just for From domains with a distance equal to 1 from
alexander.com
---8<---
ifplugin Mail::SpamAssassin::Plugi
But I was more interested if SA already has something like that?
It does not.
On Fri, 12 May 2023, Loren Wilton wrote:
Weren't there a whole set of "FUZZY" rules once?
On 12.05.23 20:01, John Hardin wrote:
There still are.
however these rules only search for words like viagra, unubscri
>
> On Fri, May 12, 2023 at 05:32:30PM +0200, Reindl Harald wrote:
> > > On Fri, May 12, 2023 at 09:49:40AM -0500, Dave Funk wrote:
> > > > On Fri, 12 May 2023, Matija Nalis wrote:
> > > > > That is because those domains are not EQUAL? Or did you want a
> > > > > rule that checks only on SIMILAR
On Fri, 12 May 2023, Loren Wilton wrote:
But I was more interested if SA already has something like that?
It does not.
Weren't there a whole set of "FUZZY" rules once?
There still are.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
On Fri, 12 May 2023, Matija Nalis wrote:
I wonder if someone has already done it, and something sufficiently
similar to be used to that purpose?
There are a lot of ReplaceTags rules in the base ruleset.
I don't know if offhand that works with header rules.
--
John Hardin KA7OHZ
But I was more interested if SA already has something like that?
It does not.
Weren't there a whole set of "FUZZY" rules once? I'm pretty sure that they
looked for words in the subject and maybe body of the email that had
exactly this sort of obfuscation. I don't think they were applied t
On 2023-05-12 at 15:16:59 UTC-0400 (Fri, 12 May 2023 21:16:59 +0200)
Matija Nalis
is rumored to have said:
> But I was more interested if SA already has something like that?
It does not.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com a
On Fri, May 12, 2023 at 05:32:30PM +0200, Reindl Harald wrote:
> > On Fri, May 12, 2023 at 09:49:40AM -0500, Dave Funk wrote:
> > > On Fri, 12 May 2023, Matija Nalis wrote:
> > > > That is because those domains are not EQUAL? Or did you want a
> > > > rule that checks only on SIMILAR domain names
On Fri, May 12, 2023 at 09:49:40AM -0500, Dave Funk wrote:
> On Fri, 12 May 2023, Matija Nalis wrote:
> > That is because those domains are not EQUAL? Or did you want a
> > rule that checks only on SIMILAR domain names (e.g. with lowercase
> > letter "L" replaced with number "1" as in your exampl
On Fri, 12 May 2023, Matija Nalis wrote:
On Thu, May 11, 2023 at 09:41:34PM +, Marc wrote:
I was wondering if spamassassin is applying some sort of algorithm to
compare sender domain against recipient domain to detect a phishing
attempt?
[snip..]
That is because those domains are not
On Thu, May 11, 2023 at 09:41:34PM +, Marc wrote:
> > > I was wondering if spamassassin is applying some sort of algorithm to
> > > compare sender domain against recipient domain to detect a phishing
> > > attempt?
> >
> > There is a suite of meta rules and subrules with names containing
> >
>
> > I was wondering if spamassassin is applying some sort of algorithm to
> > compare sender domain against recipient domain to detect a phishing
> > attempt?
>
> There is a suite of meta rules and subrules with names containing
> TO_EQ_FROM in the default rule channel. Consult the rules file
>
>
> what useful information would you be looking for from this kind of
> comparison?
sen...@a1exander.com
recipi...@alexander.com
* 3.9 PHISHING 1=l attempt
I assume there are some character substitution algorithms available, maybe an
adapted version of an algorithm that tries to detect typ
On 2023-05-11 at 16:22:12 UTC-0400 (Thu, 11 May 2023 20:22:12 +)
Marc
is rumored to have said:
I was wondering if spamassassin is applying some sort of algorithm to
compare sender domain against recipient domain to detect a phishing
attempt?
There is a suite of meta rules and subrules
what useful information would you be looking for from this kind of comparison?
All the time I receive mail from people with non-local domains and regularly
receive e-mail from co-workers using the same domain as me.
The kind of things that might be useful are:
1) detecting local-domain forger
17 matches