On 11/25/2017 12:02 PM, David Jones wrote:
On 11/25/2017 11:41 AM, Jerry Malcolm wrote:
Thanks so much for all the info. I have installed KAM rules, and
I've started becoming a ninja writing my own (simple) rules. MUCH
improved results (amazing when you finally learn what you're doing....)
I figure before this is all over with, I'm going to have to become
very knowledgeable about regex. But I'm not there yet. Just out of
curiosity, has anybody written a rule that checks if the 'from name'
contains "Amazon" but the 'from domain' name does not contain
"Amazon" (or variations for Kohls, Target, etc)? That's definitely
for the sophomore class in regex, and I'm struggling with the
freshman class.... Any regex experts that can whip this out?
Thanks in advance.
Jerry
This has been discussed recently on the list and here's how I have
handled it:
header BAD_FROM_NAME From:name =~ /(^chase$|chase\.com|Internal Revenue Service|banking|Apple|Bank of America|American Express)/i
describe BAD_FROM_NAME Displayed From contains bad information to trick the recipients
score BAD_FROM_NAME 8.2
The "header" line has a simple regex that is basically a bunch of OR's.
Then you set up "whitelist_auth" entries for the real domains
preferably using the envelope-from domain which is a little more
difficult to spoof with the adoption of SPF the past few years.
So for amazon.com, I have these two entries:
whitelist_auth *@amazon.com
whitelist_auth *@*.amazon.com
and then you put "Amazon" in the "header" line above.
We really need to do something like this in the default SA rules which
should be safe for all mail flow. I will open a bug issue if anyone
else thinks this would be a good idea.
This could be implemented with a new 60_whitelist_auth.cf to slowly
and carefully expand the whitelist_auth entries of those known good
senders that properly filter their outbound mail and handle abuse
reports. For example:
whitelist_auth *@alertsp.chase.com
whitelist_auth *@e.chase.com
to go along with the BAD_FROM_NAME header check above. We would add
safe subdomain entries from Apple and Bank of America as well. This
should safely catch a lot of spoofed display names trying to trick
recipients.
Thoughts?
Thanks, Dave. Now I'm REALLY glad I didn't try to figure this one out
on my own.... What you are recommending makes sense. But doubt I'd have
stumbled onto this solution on my own....
Jerry
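To make the logic of Dave's two-part approach concrete, here is an added example (not code from the thread or from SpamAssassin) that emulates it in Python: a BAD_FROM_NAME-style regex run against the display name, and a set of whitelist_auth-style glob patterns that only exempt the message when the envelope-from passed SPF. The brand list, the whitelist entries and the sample messages are constructed for the example, and the "SPF pass on envelope-from" check is a simplification of what whitelist_auth actually evaluates (it also accepts a DKIM-authenticated From: address); the scoring is modeled as a hit/no-hit decision rather than SpamAssassin's score arithmetic.

```python
import re
from email.utils import parseaddr

# Constructed brand list, modeled on the BAD_FROM_NAME rule in the thread.
# Matched against the display name only (SpamAssassin's From:name), never the address.
BAD_FROM_NAME = re.compile(
    r"(^chase$|chase\.com|Internal Revenue Service|banking|Apple|"
    r"Bank of America|American Express|Amazon)",
    re.IGNORECASE,
)

# Constructed stand-ins for whitelist_auth entries. '*' is a shell-style wildcard,
# so "*@*.amazon.com" covers subdomains while "*@amazon.com" covers the apex only.
WHITELIST_AUTH = [
    "*@amazon.com",
    "*@*.amazon.com",
    "*@alertsp.chase.com",
    "*@e.chase.com",
]


def _glob_to_regex(pattern):
    """Turn a whitelist-style glob into an anchored regex; everything but '*' is literal."""
    return re.compile(
        "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$",
        re.IGNORECASE,
    )


_WHITELIST = [_glob_to_regex(p) for p in WHITELIST_AUTH]


def is_whitelisted(address):
    """True if the address matches any whitelist_auth pattern."""
    return any(rx.match(address) for rx in _WHITELIST)


def evaluate(from_header, envelope_from, spf_pass):
    """Return (hit, reason).

    hit is True when the display name impersonates a listed brand AND the sender
    is not an authenticated (SPF-pass) address covered by a whitelist entry.
    Assumption for this example: only SPF on the envelope-from counts as
    authentication; real whitelist_auth also honours DKIM on the From: address.
    """
    display_name, _addr = parseaddr(from_header)
    if not BAD_FROM_NAME.search(display_name):
        return False, "display name does not claim a listed brand"
    if spf_pass and is_whitelisted(envelope_from):
        return False, "authenticated sender is whitelisted"
    return True, (
        f"display name {display_name!r} claims a brand but envelope-from "
        f"{envelope_from!r} is not an authenticated, whitelisted sender"
    )


# Constructed sample messages: (From: header, envelope-from, SPF result).
# The third one has a real amazon.com From: address but failed SPF, which is
# exactly why the exemption must be whitelist_auth and not whitelist_from.
SAMPLES = [
    ('"Amazon" <deals@amaz0n-offers.example>', "deals@amaz0n-offers.example", True),
    ('"Amazon.com" <no-reply@amazon.com>', "bounces@amazon.com", True),
    ('"Amazon" <no-reply@amazon.com>', "bounces@amazon.com", False),
    ('"Chase" <alerts@e.chase.com>', "alerts@e.chase.com", True),
    ('"Jane Doe" <jane@example.org>', "jane@example.org", True),
]


def run_samples():
    """Evaluate every constructed sample; returns a list of hit booleans in order."""
    return [evaluate(hdr, env, spf)[0] for hdr, env, spf in SAMPLES]


if __name__ == "__main__":
    for (hdr, env, spf), hit in zip(SAMPLES, run_samples()):
        print(f"{'HIT ' if hit else 'ok  '} {hdr}  env={env} spf={'pass' if spf else 'fail'}")
```

The third sample is the case that matters most: a forged From: address inside the real domain still fires, because the exemption is keyed to the authenticated envelope sender, not to whatever appears in the header. The last sample shows the rule staying silent on ordinary mail, which is the property Dave is relying on when he calls the rule safe for all mail flow.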