Here is an example of a phishing email:

Authentication-Results: spf=none (sender IP is 200.58.117.126)
 smtp.mailfrom=ppl3.com; hotmail.com; dkim=fail (body hash did not verify)
 header.d=c0800455.domain.com;hotmail.com; dmarc=none action=none
 header.from=ppl3.com;
Received-SPF: None (protection.outlook.com: ppl3.com does not designate
 permitted sender hosts)
Received: from smht-x-x.domain.com (200.58.117.126) by
 DB5EUR03FT006.mail.protection.outlook.com (10.152.20.106) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.20.696.11 via Frontend Transport; Thu, 26 Apr 2018 10:22:41 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:BC2CEE5C26E95CD829053392BF062A8A8EF5B80B38721334E4D422793F5D4711;UpperCasedChecksum:DBAACD04967E0EBE075BAE00C7F9A355386276A19553DE2D32FBB1B903C63A0B;SizeAsReceived:3262;Count:21
Received: from c00.domain.com (c00 [172.x.x.x])
 by smarthost.domain.com (Postfix) with ESMTPS id 4FC2A20000A24
 for <mkch...@hotmail.com>; Thu, 26 Apr 2018 07:22:39 -0300 (-03)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=c0800455.domain; s=mail; h=Content-Transfer-Encoding:Content-Type:
 MIME-Version:Date:Subject:To:From:Message-ID:Sender:Reply-To:Cc:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=LUcrH5hRyj2Ujx36ZGDIENRVn7MtrTTfammZnXLJGrg=; b=RXl8e5v1c/TQQo/kLRo+tyg4VA
 54BiXbsaC0z2TFM3dMDf4uNZpILl2RXYzhwcKptr9UVm+LQHUXW9UJmdqXKywlisZXyyJtk4U5KSP
 LcaKmcWO+d9HwQWLY3MeDjBT4iw4xEiEeVN4Myra1K8Mf8Pfs3U42IqPHJWF4lLVPSeo=;
Received: from [105.155.80.137] (helo=Abdo-PC)
 by c000.domain.com with esmtpsa (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
 (Exim 4.87_1) (envelope-from <m...@ppl3.com>) id 1fBe2q-0006i7-4d
 for mkch...@hotmail.com; Thu, 26 Apr 2018 07:22:39 -0300
Message-ID: <0364314f-43216-021f47358625@abdo-pc>
From: PayPal Inc <m...@ppl3.com>

Could you apply some verification for the DKIM signature? I'm working on it.

________________________________
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
Sent: Thursday, April 26, 2018 5:12:05
To: users@spamassassin.apache.org
Subject: Re: Anti Phish Rules

On 26.04.18 18:00, Nick Edwards wrote:
>We've been using a separate product to do this, but it struck me, maybe
>spamassassin can do this easier (or without having to call yet another
>binary to run a scan over mails)
>
>Rules that look at URLs in a html message href and src tags, check the "A"
>tag to see if there is a URL there, and if they do not match, consider it
>a phish so apply said phish score to the message.
>
>Has anyone done this? module even?

the main problem: many non-spam senders do that, see:

https://wiki.apache.org/spamassassin/AntiPhishFakeUrlRule

and further the discussion in linked bug:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=4255

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
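
The href-versus-link-text comparison described in the thread, as an added Python example that is not part of any message above and is not SpamAssassin code. The HTML and hostnames are constructed, and treating subdomains as a match is a simplifying assumption; the third sample link is built to resemble a legitimate newsletter redirect, which the check also reports, so a hit is better used as a score contribution than as a verdict.

```python
# Added example, not SpamAssassin code. Hostnames and HTML are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A URL or bare hostname shown as link text, e.g. "www.shop.example/offers".
TEXT_URL = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def host_of(url):
    """Hostname of an http(s) URL; None for mailto:, fragments, bad input."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def same_site(a, b):
    # Assumption: equal hosts or a subdomain relation count as a match;
    # a production rule would compare registrable domains instead.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href, self.text, self.mismatches = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            target = host_of(self.href)
            shown = TEXT_URL.search("".join(self.text))
            if target and shown and not same_site(target, shown.group(1).lower()):
                self.mismatches.append((shown.group(1).lower(), target))
            self.href = None

def find_mismatches(html):
    """Return (host shown in link text, host the href points to) pairs."""
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.mismatches

SAMPLE = """<a href="http://login.example.net/verify">https://www.paypal.example/signin</a>
<a href="https://www.shop.example/sale">www.shop.example</a>
<a href="https://click.mailer.example/t/abc123">news.shop.example/offers</a>"""
```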