On 11/25/2017 12:02 PM, David Jones wrote:
On 11/25/2017 11:41 AM, Jerry Malcolm wrote:
Thanks so much for all the info.  I have installed KAM rules, and I've started becoming a ninja writing my own (simple) rules.  MUCH improved results (amazing when you finally learn what you're doing....)

I figure before this is all over with, I'm going to have to become very knowledgeable about regex.  But I'm not there yet. Just out of curiosity, has anybody written a rule that checks if the 'from name' contains "Amazon" but the 'from domain' name does not contain "Amazon" (or variations for Kohls, Target, etc)?  That's definitely for the sophomore class in regex, and I'm struggling with the freshman class....  Any regex experts that can whip this out?

Thanks in advance.

Jerry

This has been discussed recently on the list and here's how I have handled it:

header          BAD_FROM_NAME       From:name =~ /(^chase$|chase\.com|Internal Revenue Service|banking|Apple|Bank of America|American Express)/i
describe        BAD_FROM_NAME       Displayed From contains bad information to trick the recipients
score           BAD_FROM_NAME       8.2

The "header" line has a simple regex that is basically a bunch of OR's.

Then you set up "whitelist_auth" entries for the real domains, preferably using the envelope-from domain, which is a little more difficult to spoof with the adoption of SPF the past few years.

So for amazon.com, I have these two entries:

whitelist_auth *@amazon.com
whitelist_auth *@*.amazon.com

and then you put "Amazon" in the "header" line above.

We really need to do something like this in the default SA rules, which should be safe for all mail flow.  I will open a bug issue if anyone else thinks this would be a good idea.

This could be implemented with a new 60_whitelist_auth.cf to slowly and carefully expand the whitelist_auth entries of those known good senders that properly filter their outbound mail and handle abuse reports.  For example:

whitelist_auth *@alertsp.chase.com
whitelist_auth *@e.chase.com

to go along with the BAD_FROM_NAME header check above.  We would add safe subdomain entries from Apple and Bank of America as well.  This should safely catch a lot of spoofed display names trying to trick recipients.

Thoughts?

Thanks, Dave.  Now I'm REALLY glad I didn't try to figure this one out on my own.... What you are recommending makes sense.  But doubt I'd have stumbled onto this solution on my own....

Jerry

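The combination David describes (a From:name regex that fires on brand names, cancelled by whitelist_auth entries for the brand's real sending domains) as an added, stand-alone Python model. This is example code written for this page, not SpamAssassin's implementation and not code from the thread. It assumes, and labels as assumptions, that whitelist patterns are matched against the envelope-from (as the thread recommends), that the SPF/DKIM outcome is supplied as an input flag rather than verified (real whitelist_auth only applies on an authentication pass), and that a whitelist hit scores -100, the usual USER_IN_WHITELIST magnitude. The sample messages are constructed, not real mail.

```python
"""Model of the display-name brand check discussed in the thread.

Added example, not SpamAssassin code.  It mimics two pieces of the thread's
recipe:
  - the From:name regex rule (BAD_FROM_NAME), and
  - whitelist_auth-style sender patterns that exempt a brand's real domains.

Assumptions: patterns are matched against the envelope-from; the SPF/DKIM
result is an input flag (no DNS or signature verification here); scores are
8.2 from the thread and -100 for a whitelist hit.
"""
import re
from email.utils import parseaddr

# Same alternatives as the thread's rule plus "Amazon", with the dot in
# chase.com escaped so it matches a literal dot rather than any character.
BAD_FROM_NAME_RE = re.compile(
    r"(^chase$|chase\.com|Internal Revenue Service|banking|Apple|"
    r"Bank of America|American Express|Amazon)",
    re.I,
)
BAD_FROM_NAME_SCORE = 8.2
WHITELIST_SCORE = -100.0  # assumed magnitude of a whitelist hit

# whitelist_auth entries from the thread.  '*' is a wildcard, as in the
# SpamAssassin whitelist_from family of options.
WHITELIST_AUTH = [
    "*@amazon.com",
    "*@*.amazon.com",
    "*@alertsp.chase.com",
    "*@e.chase.com",
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a whitelist_from-style pattern: '*' -> '.*', '?' -> '.',
    everything else literal; anchored at both ends, case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.I)


WHITELIST_RES = [glob_to_regex(p) for p in WHITELIST_AUTH]


def is_whitelisted(envelope_from: str, auth_pass: bool) -> bool:
    """whitelist_auth hit: a pattern match AND an SPF/DKIM pass."""
    if not auth_pass:
        return False
    return any(r.match(envelope_from) for r in WHITELIST_RES)


def bad_from_name(from_header: str) -> bool:
    """BAD_FROM_NAME: the display name mentions one of the listed brands."""
    name, _addr = parseaddr(from_header)
    return bool(BAD_FROM_NAME_RE.search(name))


def score_message(from_header: str, envelope_from: str, auth_pass: bool) -> dict:
    """Return the rules that fired and the resulting score for one message."""
    hits = {}
    if bad_from_name(from_header):
        hits["BAD_FROM_NAME"] = BAD_FROM_NAME_SCORE
    if is_whitelisted(envelope_from, auth_pass):
        hits["USER_IN_WHITELIST"] = WHITELIST_SCORE
    return {"hits": hits, "score": round(sum(hits.values()), 1)}


# Constructed sample messages (not real mail): From header, envelope-from,
# and whether SPF/DKIM passed.
SAMPLES = [
    # Real Amazon mail from an authenticated subdomain: the rule fires but
    # the whitelist entry cancels it.
    ('"Amazon.com" <ship-confirm@amazon.com>', "bounce@bounces.amazon.com", True),
    # Display name says Amazon, sender is an unrelated domain.
    ('"Amazon Customer Service" <support@mail-alerts.example>', "x@mail-alerts.example", True),
    # Right domain in the pattern but SPF/DKIM failed: whitelist must not apply.
    ('"Amazon" <orders@amazon.com>', "orders@amazon.com", False),
    # Lookalike: amazon.com used as a subdomain of an attacker-controlled domain.
    ('"Amazon" <no-reply@amazon.com.example>', "no-reply@amazon.com.example", True),
    # No brand in the display name: nothing fires.
    ('"Jerry Malcolm" <jerry@example.org>', "jerry@example.org", True),
]


if __name__ == "__main__":
    for hdr, env, auth in SAMPLES:
        result = score_message(hdr, env, auth)
        print(f"{result['score']:>7}  {hdr}  env={env} auth={auth}  {sorted(result['hits'])}")
```

The third and fourth samples are the cases the whitelist must not rescue: the whitelist pattern alone is not enough without an authentication pass, and anchoring the pattern at the end of the address keeps `amazon.com.example` from matching `*@amazon.com`. The second sample is the intended catch, and the first shows why every brand added to the regex needs matching whitelist_auth entries for its real sending domains, or legitimate mail picks up the 8.2.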