On 10/24/2017 07:41 PM, Alex wrote:
On Tue, Oct 24, 2017 at 2:49 PM, David Jones <djo...@ena.com> wrote:
On 10/24/2017 01:32 PM, Alex wrote:
Hi all, I'm wondering if someone has some ideas to handle bank fraud
phishing emails, and in particular this one:
https://pastebin.com/wxFtKK16
It doesn't hit bayes99 because we haven't seen one before, and txrep
subtracts points. It also doesn't hit any blacklists.
Ideas for blocking these, and more general advice for blocking banking
fraud/phish attacks would be appreciated.
Zero-hour phishing emails from Office 365 are going to be tough to block.
About all you can do is add a blacklist_from *@mybenefitswallet.com entry
and report it to SpamCop and ph...@office365.microsoft.com.
For the most part, I agree, but the client here has also contracted
with Wombat and they managed to detect this email as "Probably Phish".
We're missing something with spamassassin.
They could have some general rules like:
/account.{1,30}locked/i
/email.{1,50}security/i
that would flag a lot of legit emails as "Probably Phish". If they do
this a lot then users will ignore that flag and quickly it becomes useless.
Are they modifying the subject with "Probably Phish" to tell the users?
It's much easier to modify the subject of false positives with a very
low score vs. what Spamassassin has to do by accurately scoring the message.
That message did have a lot of bad English and misspellings. Too bad we
can't introduce AI into SA somehow in a secure way locally where no
information was sent out to the cloud. This would be about the only
chance to stop zero-hour spam that has been hand crafted to pass through
most mail filters before DCC, Razor, Bayes, RBLs, DBLs, detect and react
to it.
--
David Jones
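As an added illustration that is not from this thread or from any list member: one way to use phrase rules like the ones David sketched without the false-positive problem he describes is to make each phrase a scoreless sub-rule and let a meta rule add points only when several of them fire on the same message. The rule names, patterns, thresholds and scores below are assumptions for a local.cf; only the two phrase regexes and the blacklist_from entry come from the thread.

```conf
# Added example for local.cf (assumed rule names and scores, not from the thread).
# Each indicator is a scoreless sub-rule (double-underscore prefix), so on its
# own it adds no points and does not appear in the report.
body     __LOCAL_ACCT_LOCKED      /\baccount.{1,30}locked\b/i
body     __LOCAL_EMAIL_SECURITY   /\bemail.{1,50}security\b/i
body     __LOCAL_VERIFY_NOW       /\b(?:verify|confirm|validate)\b.{1,40}\b(?:account|identity|details)\b/i
body     __LOCAL_URGENT_DEADLINE  /\bwithin\s+(?:24|48)\s+hours\b/i

# Login-style path in a link; an assumed indicator, not one discussed on the list.
uri      __LOCAL_LOGIN_URI        /\/(?:login|signin|verify|secure)\b/i

# Score only when at least two indicators fire together: a single phrase in a
# legitimate notice stays at zero, so users do not learn to ignore the flag.
meta     LOCAL_PHISH_COMBO        (__LOCAL_ACCT_LOCKED + __LOCAL_EMAIL_SECURITY + __LOCAL_VERIFY_NOW + __LOCAL_URGENT_DEADLINE + __LOCAL_LOGIN_URI) >= 2
describe LOCAL_PHISH_COMBO        Two or more account-lockout phishing indicators
score    LOCAL_PHISH_COMBO        2.0

# Three or more is a stronger signal; this tier stacks on top of the first.
meta     LOCAL_PHISH_COMBO_STRONG (__LOCAL_ACCT_LOCKED + __LOCAL_EMAIL_SECURITY + __LOCAL_VERIFY_NOW + __LOCAL_URGENT_DEADLINE + __LOCAL_LOGIN_URI) >= 3
describe LOCAL_PHISH_COMBO_STRONG Three or more account-lockout phishing indicators
score    LOCAL_PHISH_COMBO_STRONG 2.5

# The per-campaign sender block David suggested for this particular message.
blacklist_from *@mybenefitswallet.com
```

Run `spamassassin --lint` after editing, then feed the sample from the pastebin through `spamassassin -t` to see which sub-rules fire before trusting the scores on live mail.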