On 03.03.24 10:40, Paul Menzel via Postfix-users wrote:
> A user had their password guessed/leaked, and the account was used to send spam/phishing messages – but only once an hour or so, so it wasn’t detected as abnormal traffic. One detectable thing would have been that the unsolicited messages sent used a different name than the user’s in the From: field.
> 
> Jennifer Wood <not-w...@molgen.mpg.de>
> 
> To detect phishing messages on the receiving end, we already maintain a list in regexp-header for “important” people, so names used in From: have to match certain email addresses.
> 
> The names are already present in the user name or comment field in `/etc/passwd`, but also in some LDAP database.
> 
> Does somebody already have experience with implementing such a heuristic, and is it useful¹? If it is useful, how could I do it? Probably an exact match would cause too much trouble, as some users want to put their academic title in the field too.

There are commercial solutions that support this. So far I don't know anything about free solutions.

I know about:

- Postfix smtpd_sender_login_maps, reject_authenticated_sender_login_mismatch and reject_known_sender_login_mismatch, which allow you to reject disallowed (envelope) from addresses

- the milters vrfydmn and milterfrom, which allow you to reject mail where envelope and header From: are different

Neither of these controls the non-e-mail part of the header From:, though.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
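An added illustration of the display-name heuristic Paul asks about, not code from the thread or from Postfix: a Python check that a submission milter or policy hook could call after SASL authentication. The `KNOWN_NAMES` directory and the `TITLE_WORDS` list are constructed assumptions standing in for the GECOS field of `/etc/passwd` or an LDAP lookup.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample directory: login address -> names the account may display.
# In production this would be built from the GECOS field of /etc/passwd or from LDAP.
KNOWN_NAMES = {
    "jdoe@example.org": ["Jane Doe"],
}

# Tokens ignored when comparing, so "Prof. Dr. Jane Doe" still matches "Jane Doe".
# Assumed list; extend it with whatever titles your users actually use.
TITLE_WORDS = {"dr", "prof", "dipl", "ing", "phd", "msc", "bsc", "mr", "mrs", "ms", "mx"}


def name_tokens(name):
    """Lower-cased word tokens of a personal name, minus titles and initials."""
    words = re.findall(r"[^\W\d_]+", name.lower())
    return {w for w in words if w not in TITLE_WORDS and len(w) > 1}


def check_from_header(from_header, login_address):
    """Return (accept, reason) for the From: header of a submitted message.

    Rejects when the From: address does not belong to the authenticated login
    (the header-level analogue of reject_authenticated_sender_login_mismatch),
    or when the display name contains a name word not found among the
    account's known names.  Titles and initials are tolerated; a bare address
    without a display name is accepted.
    """
    decoded = str(make_header(decode_header(from_header)))  # undo RFC 2047 encoding
    display, addr = parseaddr(decoded)
    if not addr:
        return False, "unparseable From: header"
    if addr.lower() != login_address.lower():
        return False, f"From: address {addr} does not match login {login_address}"
    allowed = set()
    for known in KNOWN_NAMES.get(login_address.lower(), []):
        allowed |= name_tokens(known)
    unexpected = name_tokens(display) - allowed
    if unexpected:
        return False, f"display name {display!r} uses unknown name word(s) {sorted(unexpected)}"
    return True, "ok"


if __name__ == "__main__":
    # The case from the thread: a hijacked account sending under a different name.
    print(check_from_header("Jennifer Wood <jdoe@example.org>", "jdoe@example.org"))
    print(check_from_header("Prof. Dr. Jane Doe <jdoe@example.org>", "jdoe@example.org"))
```

Wiring it in is the milter's job: on a match failure the milter can reject or quarantine the message and log the login name, which is the kind of signal the once-an-hour spam run in the original report would have produced.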