On Thu, 24 Dec 2020, Bill Cole wrote:

On 24 Dec 2020, at 0:02, Joey J wrote:

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man<boss...@gmail.com>"

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is boss...@realcompany.com or boss...@company2.com,
otherwise score it with 10.

header __BOSSNAME From:name =~ /Boss Man/
header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|boss...@company2.com/

Missed escaping the second @ sign, and the periods...

meta   BOSSPHISH  __BOSSNAME && !__BOSSADDR
score  BOSSPHISH 10

If you have a list of such addresses, you'd probably benefit from writing a script to generate the rules from that list rather than manually maintaining all the rules.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 Tomorrow: Christmas
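
A sketch of the rule-generating script suggested above, as an added example that is not code from the thread or from the SpamAssassin project. The `ALLOWED` table, its example.com addresses and the `PHISH_*` rule names are constructed for illustration, and the `^...$` anchors and `/i` flag are additions to the rule shown in the thread.

```python
import re

# Constructed sample data: display name -> addresses allowed to use that name.
ALLOWED = {
    "Boss Man": ["boss.man@example.com", "boss.man@example.org"],
}


def perl_quote(text):
    """Backslash-escape every character that is not a letter, digit or '_'.

    In a Perl regex this makes '.', '@', '/' and spaces literal, which covers
    the escaping problems pointed out in the thread.
    """
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def rule_id(display_name):
    """Derive a rule name (hypothetical naming scheme) from a display name."""
    return "PHISH_" + re.sub(r"[^A-Z0-9]+", "_", display_name.upper()).strip("_")


def generate_rules(allowed, score=10):
    """Return SpamAssassin rule text: one name/addr/meta/score group per name."""
    lines = []
    for name, addrs in sorted(allowed.items()):
        if not addrs:
            # An empty alternation would flag every message using this name.
            raise ValueError(f"no allowed addresses for {name!r}")
        rid = rule_id(name)
        alternation = "|".join(perl_quote(a.strip().lower()) for a in sorted(addrs))
        lines += [
            f"header __{rid}_NAME From:name =~ /{perl_quote(name)}/i",
            # Anchored so that a longer look-alike address, such as the allowed
            # address with an extra domain suffix appended, is not accepted.
            f"header __{rid}_ADDR From:addr =~ /^(?:{alternation})$/i",
            f"meta   {rid}  __{rid}_NAME && !__{rid}_ADDR",
            f"score  {rid} {score}",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(generate_rules(ALLOWED))
```

Regenerate the output whenever the list changes and run `spamassassin --lint` on it before deploying.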
