Hi,

On Fri, Jul 7, 2017 at 3:45 PM, John Hardin <jhar...@impsec.org> wrote:
> On Fri, 7 Jul 2017, Alex wrote:
>
>> It's just a short body with a URI which downloads malware. We got hit
>> by this pretty hard. This is where the real threats are. Receive one
>> of these to an Exchange distribution list and your reputation with the
>> customer suffers badly.
>
> Defense in depth. For that sort of thing you also need dynamic blocking of
> the malware hosts (as much as is possible) in either your site web proxy (if
> you have one) or your firewall rules.
Yes, absolutely. We have scripts that can be used to populate local RBLs; they extract the From, IPs, etc., and provide the ability to drop them into a postfix client_access blocklist. It's easy to stop them after the fact. The problem (in this case) was that they were received over the course of a few days during the 4th holiday, then we got burnt when everyone came back to the office.

Generally, though, there could be ten malicious emails received; a handful of recipients will actually click, while others report them, which is enough to tarnish reputation. When there's a small handful of malicious emails that make it through, among hundreds of thousands received per day, it's just not possible to go through them. A more automated or assisted method is necessary, or better protection to begin with...
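As an added example of the extraction step both posters describe (this is not Alex's script nor anything from the list; it is illustrative code written for this page), the snippet below takes one reported message, pulls out the connecting client IP from the Received: header our own MX wrote, the From: domain, and the hosts of any URIs in the body, and formats the first two as Postfix access-map entries. The message, host names and addresses are constructed; the assumption is that the topmost Received: header is trusted (written by our MX) while deeper ones are attacker-controlled and therefore ignored, and that RFC 1918/loopback/link-local addresses are our own relays and must never land in a client_access blocklist.

```python
"""Turn a reported malicious e-mail into Postfix access-map entries.

Added example, not the poster's script. Assumption: the topmost
Received: header was written by our own MX, so the bracketed address
in it is the real connecting client; deeper Received: headers are
attacker-controlled and are ignored.
"""
import email
import email.utils
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample of a reported message; hosts and addresses are fictitious.
SAMPLE_MSG = b"""\
Received: from mail.example.org (mail.example.org [198.51.100.23])
\tby mx.corp.example (Postfix) with ESMTP id 4A1B2C3D
\tfor <staff@corp.example>; Fri, 7 Jul 2017 09:12:44 -0400
Received: from [10.0.0.5] by mail.example.org with ESMTPA; Fri, 7 Jul 2017 09:12:40 -0400
From: "Billing" <billing@invoice-example.test>
To: staff@corp.example
Subject: Invoice 4471
Content-Type: text/plain; charset=us-ascii

Please review your invoice:
http://malware-host.example/dl/invoice.exe.
Thanks
"""

# Bracketed client address as Postfix writes it: [1.2.3.4] or [IPv6:2001:db8::1]
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
URI_RE = re.compile(r"""https?://[^\s<>"']+""")

# Never block our own relays: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def connecting_client(msg):
    """IP our MX accepted the message from, or None if absent or internal."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_IN_BRACKETS.search(str(received[0]))   # topmost header only
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    return None if is_internal(ip) else str(ip)


def extract_indicators(raw):
    """Return client IP, From: domain and URI hosts from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower() or None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for uri in URI_RE.findall(text):
        host = urlsplit(uri.rstrip(".,;)")).hostname  # drop trailing punctuation
        if host:
            hosts.add(host.lower())
    return {"client_ip": connecting_client(msg),
            "sender_domain": domain,
            "url_hosts": sorted(hosts)}


def postfix_access_entries(ind, reason="reported malware sender"):
    """Lines for 'postmap hash:' client_access / sender_access tables;
    url_hosts is passed through for the proxy or firewall blocklist."""
    out = {"client_access": [], "sender_access": [],
           "url_hosts": list(ind["url_hosts"])}
    if ind["client_ip"]:
        out["client_access"].append(f"{ind['client_ip']}\tREJECT {reason}")
    if ind["sender_domain"]:
        out["sender_access"].append(f"{ind['sender_domain']}\tREJECT {reason}")
    return out


if __name__ == "__main__":
    entries = postfix_access_entries(extract_indicators(SAMPLE_MSG))
    for table, lines in entries.items():
        print(f"# {table}")
        print("\n".join(lines))
```

The client_access and sender_access lines are in the format `postmap hash:/etc/postfix/client_access` expects, and are applied with `check_client_access` / `check_sender_access` in `smtpd_client_restrictions` or `smtpd_recipient_restrictions`. Two caveats before feeding this into an automated pipeline: a From: domain is trivially forged, so a sender_access entry built from a phish that spoofed a real business domain will block that business's legitimate mail and should be reviewed by a human; and the client IP may belong to a large shared provider, which is why the script refuses internal addresses but cannot judge that for you. The URI hosts are only listed here; pushing them into the web proxy or firewall, as John suggests, is a separate step with its own tooling.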