I thought DKIM was supposed to flag such messages;
do these phishing emails satisfy DKIM?
On Tue, 18 Feb 2020, Benoit Panizzon via mailop wrote:
Hi List
Lately, our customers are getting an increased amount of phishing
emails, or emails containing malware with legit looking From: headers
from either banks, or even from our own customer support.
SPF would block the From email addresses if also used as envelope
sender. But the envelope sender, 'hidden' from the customer's perspective,
is different and does match SPF.
So we get complaints why we let such emails with faked From: header
through our content filter.
As we use MIMEDefang as filter, we can easily match From and envelope
sender and do something with it, like increasing spam score.
But:
* A lot of ESPs sending newsletters have different From and
Envelope Sender to manage bounces.
* Mailing lists use different From headers.
* SRS
So another thought was to append the String 'Possible fake sender' to
the From: Header string.
But also this would match an awful lot of legitimate newsletters and
possibly break DKIM signatures.
Has anyone come up with a clever recipe for this issue?
Kind regards
-Benoît Panizzon-
_______________________________________________
mailop mailing list
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
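
The From:/envelope-sender comparison discussed in this thread, as an added sketch in Python rather than MIMEDefang Perl; it is not code from either poster. The `PROTECTED` set, the score values and the sample headers are assumptions made up for illustration, and the subdomain comparison is a simplification of DMARC-style alignment that uses no public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: From: domains customers must be able to trust (constructed values).
PROTECTED = {"bank.example", "support.isp.example"}
# SRS0 envelope form: SRS0=hash=timestamp=original-domain=local@forwarder
SRS0 = re.compile(r"^SRS0[=+-][^=]+=[^=]+=([^=]+)=[^@]+@", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower().rstrip(".")

def within(child, parent):
    """True if child equals parent or is a subdomain of it."""
    return bool(parent) and (child == parent or child.endswith("." + parent))

def score_from_mismatch(mail_from, headers):
    """Return (spam score increment, reason) for one message."""
    mail_from = mail_from.strip("<> ")          # "<>" (bounce) becomes ""
    msg = message_from_string(headers)
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    env_dom = domain(mail_from)
    if not from_dom:
        return 2.0, "no parsable From: address"
    prot = next((p for p in PROTECTED if within(from_dom, p)), None)
    if prot:
        # SRS and List-* values are chosen by the sender: no exemptions here.
        if within(env_dom, prot):
            return 0.0, "protected domain, envelope aligned"
        return 5.0, "protected From: domain, foreign envelope sender"
    srs = SRS0.match(mail_from)
    if srs:
        env_dom = srs.group(1).lower()          # sender domain before forwarding
    # Simplified alignment: either domain may be a subdomain of the other.
    if within(env_dom, from_dom) or within(from_dom, env_dom):
        return 0.0, "aligned"
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return 0.0, "mailing list or ESP bulk mail"
    return 1.0, "unaligned From: and envelope sender"

# Constructed sample: bank From: header sent with an unrelated envelope sender.
SAMPLE_HEADERS = "From: Bank Support <service@bank.example>\nSubject: Notice\n\n"
if __name__ == "__main__":
    print(score_from_mismatch("<bounce@mailer.test>", SAMPLE_HEADERS))
```

Applying the newsletter, mailing-list and SRS exemptions only to unprotected domains keeps the false-positive cases from the list above out of the high score without letting a sender-chosen header or envelope format switch the check off for the domains that matter.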