> Am I missing something here:

Respectfully, you are.

> An email comes in from the CEO of the business - seemingly from the company,
> and has a Spam score of 7.5

I am talking about legit emails from trusted senders that won't hit FREEMAIL_FORGED, RBLs, DBLs or any high scoring rules, so they are below the SA block threshold. This would be common from compromised accounts that the bad guy can use in a stealth manner by deleting the message in the Sent folder and quickly removing the inbound email from the reply. The average user would never notice their account is being used by a second person.

> Content analysis details: (7.5 points, 5.5 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 TVD_RCVD_SPACE_BRACKET No description available.
>  0.1 HK_RANDOM_FROM         From username looks random
> -0.1 CUST_DNSWL_5_ORG_NT    RBL: list.dnswl.org (No Trust)
>                             [173.201.193.64 listed in list.dnswl.org]
> -0.1 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
>                             [173.201.193.64 listed in wl.mailspike.net]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>  0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
> -0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
>                             [173.201.193.64 listed in score.senderscore.com]
> -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
>  1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
>  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
>  1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
> ________________________________
> Content analysis details: (13.9 points, 5.5 required)
>
> How many INTERNAL EMAILS will have a score of 7.5??? Or even 3? Or 1?

You are correct. Internal emails (i.e. within Office 365 that don't get scanned) would not be scored, but the scenario I am talking about is from the outside, and the recipient would not notice. The average user only looks at the visible "Display Name <bad...@somedomain.com>" and never looks closely at the actual email address inside the < >.

> In fact, if it came in through the INTERNAL_NETWORK ip range then it wouldn't
> even be scanned (seen as trusted). So any email coming "from the CEO" that
> has a SPAM score is definitely dodgy!

It only takes a couple of external emails to get to the right person to get thousands of dollars wired to your account to make this worth it. Some may get blocked by Reindl Harald's super duper trained Bayesian or meta rules that he has put thousands of hours into creating with complex scripts that the rest of us don't have time to set up, since mail filtering is only part of our job and we have a life outside of work.

> How hard can it be to say "if FROM = 'a company address' and a SPAM SCORE
> EXISTS then treat with rubber gloves."
>
> So ensure all company emails are put through the company email servers and
> set the INTERNAL_NETWORK parameters.
>
> What's wrong with this?

Compromised accounts and other trusted senders can get through good SA setups. Bottom line: if the accounting department doesn't have proper procedures then they can be easily tricked into wiring money to bad guys. If they can get one person a day to wire thousands of US dollars to them, then that's a pretty nice income with very little effort once they have control of a compromised account. They don't have to blast out tons of spam like traditionally seen, which gets them listed on RBLs and DBLs.
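As an added illustration of the two checks discussed in this exchange (the quoted proposal to treat company-address mail that still carries a spam score "with rubber gloves", and the display-name trick the reply describes), here is a small Python checker that is not part of the original thread. It parses the From and X-Spam-Status headers of constructed sample messages; the company domain and the protected display names are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumptions (not from the thread): the organisation's own domain and the
# display names of people whose identity is worth protecting.
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}

# Constructed sample messages: a clean internal one, an external one that
# borrows the CEO's display name, and a company-address one that picked up
# a positive SpamAssassin score (so it did not arrive via a trusted path).
SAMPLES = [
    'From: "Jane Doe" <jane.doe@example.com>\r\n'
    'X-Spam-Status: No, score=-0.1 required=5.5\r\n\r\nbody',
    'From: Jane Doe <jdoe1234@freemail.example>\r\n'
    'Reply-To: jdoe.ceo@freemail.example\r\n'
    'X-Spam-Status: No, score=3.0 required=5.5 tests=BAYES_50,FREEMAIL_FORGED_REPLYTO\r\n\r\nbody',
    'From: "Jane Doe" <jane.doe@example.com>\r\n'
    'X-Spam-Status: No, score=2.7 required=5.5 tests=BAYES_50,MIME_HTML_ONLY\r\n\r\nbody',
]

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")


def spam_score(msg):
    """Pull the numeric score out of the X-Spam-Status header (0.0 if absent)."""
    m = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    return float(m.group(1)) if m else 0.0


def classify(raw):
    """Return the list of reasons this message deserves 'rubber gloves'."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # The recipient sees only "Display Name <...>": a protected name on an
    # address outside the company domain is the lookalike the reply describes.
    if name.strip().lower() in PROTECTED_NAMES and domain != COMPANY_DOMAIN:
        flags.append("display-name-spoof")
    # The quoted proposal: company From plus any positive spam score means the
    # message was scanned, i.e. it did not come through the internal network.
    if domain == COMPANY_DOMAIN and spam_score(msg) > 0:
        flags.append("company-from-with-spam-score")
    return flags


if __name__ == "__main__":
    for raw in SAMPLES:
        print(parseaddr(email.message_from_string(raw)["From"]), classify(raw))
```

As the reply points out, neither check catches a genuinely compromised company account sending clean mail, which is why the procedural controls in accounting still matter.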