On 15/11/17 09:55, Martin Gregorie wrote:
On Wed, 2017-11-15 at 08:41 +0000, Sebastian Arcus wrote:

The emails often contain links to various popular cloud platforms -
such as SharePoint, DropBox etc. Most of the emails come from clean
domains, or from large webmail providers.

I'd say there is not a lot you can do if the legit solicitors and
accountants you and your clients deal with normally use these public
dropboxes to deliver documents.  OTOH, if they don't do that, then if
the mail claims to be from a solicitor or accountant you can use the
presence of those links as a spam recogniser, or go even further and treat
any link that *doesn't* point to the sender's own domain as a spam
indication.

Whether doing this is safe or not depends pretty much on what's in your
normal mail stream and on what is seen as normal practice for the
solicitors and accountants your users deal with.

I use a mail archive as another way of finding spam: anybody in the
archive who I've sent mail to gets tagged by a negative-scoring rule,
but this may not work for you and your users. However, system
performance isn't an issue. My archive is in a Postgres database and
the view it uses to recognise addresses that have received mail from my
domain is fast because my DB schema was designed to support this
type of query.

Thank you - that is an interesting idea. Do you use software to extract the emails from the Sent archives, or do you add them to the database on-the-fly, when the sent emails go out through your MTA? If you have any links or example scripts available I would be very much interested.

I suppose one side risk is that if the domain of one of your regular correspondents gets compromised, the spam coming from it will almost be guaranteed to arrive in the Inbox?
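
A sketch of the two checks discussed in this thread (a negative score for addresses you have already sent mail to, and a positive score for links that do not point at the sender's own domain), added here as an example and not code from any poster. The in-memory SQLite table stands in for the Postgres archive; the table name, the score values and the example.* addresses are assumptions.

```python
import re
import sqlite3
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical scores. The negative score is kept modest so that mail from a
# compromised regular correspondent is not guaranteed to reach the Inbox.
KNOWN_CORRESPONDENT = -2.0
OFF_DOMAIN_LINK = 1.5

# Constructed sample messages (all names are placeholders).
KNOWN = ("From: Jo <jo@solicitor.example>\nSubject: Docs\n\n"
         "See https://files.solicitor.example/a.pdf\n")
UNKNOWN = ("From: Sam <sam@accounts.example>\nSubject: Invoice\n\n"
           "Open https://sharepoint.example/x?id=1\n")
HIJACKED = ("From: Jo <jo@solicitor.example>\nSubject: Invoice\n\n"
            "Open https://sharepoint.example/x?id=1\n")

def build_archive(sent_to):
    """In-memory stand-in for the archive of addresses we have sent mail to."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sent_recipients (addr TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO sent_recipients VALUES (?)",
                   [(a.lower(),) for a in sent_to])
    return db

def same_org(host, domain):
    """True if host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def score(raw, db):
    """Return (score, off_domain_hosts) for one raw single-part text message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    hosts = {urlparse(u).hostname or "" for u in urls}
    off = sorted(h for h in hosts if h and not same_org(h, domain))
    total = 0.0
    row = db.execute("SELECT 1 FROM sent_recipients WHERE addr = ?", (addr,))
    if row.fetchone():
        total += KNOWN_CORRESPONDENT   # we have written to this address before
    if off:
        total += OFF_DOMAIN_LINK       # link leaves the sender's own domain
    return total, off
```

With these values the HIJACKED sample (a known sender carrying an off-domain link) nets -0.5 rather than the full -2.0, so the other rules still get a say.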
