Paul Menzel via Postfix-users:
> Dear Postfix users,
>
>
> A user had their password guessed/leaked, and the account was used to
> send spam/phishing messages - but only once an hour or so, so it wasn't
> detected as abnormal traffic. One detectable thing would have
> been that the sent unsolicited messages used a different name than the
> user in the From: field.
>
> Jennifer Wood <not-w...@molgen.mpg.de>
>
> To detect phishing messages on the receiving end, we already maintain a
> list in regexp-header for "important" people, so names used in From:
> have to match certain email addresses.
>
> The names are already present in the user name or comment field in
> `/etc/passwd` but also in some LDAP database.
>
> Does somebody already have experience with implementing such a heuristic,
> and is it useful? If it is useful, how could I do it? Probably an exact
> match would cause too much trouble, as some users want to put their
> academic title in the field too.
The opposite approach would involve mandatory From: replacement based
on envelope.From (using Milter), or header_checks based on header.From.
This would happen before DKIM signing.

Untested PCRE pattern for the latter:

/^From:.*<\Qfirst.l...@example.com\E>/ REPLACE From: First Last <first.l...@example.com>

This disables special characters (such as '.') between \Q and \E, to
avoid unintended matches.

For performance, use IF and ENDIF to break up a long pattern list into
smaller lists, with the IF condition based on the first character in
the email address.

	Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
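The header_checks approach in the reply above, as an added example that is not part of Wietse's reply or of Postfix's own code: a Python script that generates the pcre: table from a directory of (display name, address) pairs, wraps each address in \Q...\E so that '.' and other metacharacters are literal, groups the rules into IF/ENDIF blocks keyed on the first character of the address, and carries a small emulation of the pcre_table(5) IF/ENDIF and REPLACE matching rules so the generated table can be dry-run against sample From: headers without a Postfix installation. The USERS list is a constructed sample, and the file path /etc/postfix/from_rewrite and all function names are assumptions.

```python
"""Generate (and dry-run) a Postfix pcre: header_checks table that forces the
From: display name to the directory name for each local address.
Added example, not Postfix code.  USERS is a constructed sample; in practice
it would come from /etc/passwd GECOS fields or LDAP.  apply_table() is a
minimal emulation of pcre_table(5) semantics for offline checking; on a real
system test with: postmap -q "From: ..." pcre:/etc/postfix/from_rewrite
"""
import re
from collections import defaultdict

# Constructed sample directory: (display name, primary address).
USERS = [
    ("First Last", "first.last@example.com"),
    ("Frank Mueller", "f.mueller@example.com"),
    ("Jennifer Wood", "jennifer.wood@example.com"),
    ("Jane Q. Public", "jane.q.public@example.com"),
    ("Ann O'Brien", "ann.obrien@example.com"),
]

# RFC 5322 atext minus letters and digits; a display name made only of
# these plus letters, digits and spaces needs no quoting.
ATEXT_PUNCT = "!#$%&'*+-/=?^_`{|}~"


def display_name(name):
    """Render a display name for the REPLACE text: quote it if it contains
    characters outside atext/space (e.g. '.' or ','), and double '$' so
    pcre_table(5) does not read it as a $N back-reference."""
    if not name.isascii():
        raise ValueError(f"{name!r} needs RFC 2047 encoding (not implemented)")
    if all(c.isalnum() or c == " " or c in ATEXT_PUNCT for c in name):
        out = name
    else:
        out = '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return out.replace("$", "$$")


def rule_for(name, addr):
    """One logical table line: anchored pattern with the address wrapped in
    \\Q...\\E so '.' and friends are literal, followed by the REPLACE action."""
    if "\\E" in addr or any(c.isspace() for c in addr):
        raise ValueError(f"unsupported address {addr!r}")
    pattern = rf"/^From:.*<\Q{addr}\E>/"
    return f"{pattern} REPLACE From: {display_name(name)} <{addr}>"


def render_table(users):
    """Group rules into IF/ENDIF blocks keyed on the first character of the
    address, so cleanup(8) skips a whole block with one cheap match."""
    groups = defaultdict(list)
    for name, addr in users:
        groups[addr[0].lower()].append(rule_for(name, addr))
    lines = []
    for first in sorted(groups):
        lines.append(f"IF /^From:.*<{re.escape(first)}/")
        lines.extend(groups[first])
        lines.append("ENDIF")
    return "\n".join(lines) + "\n"


IF_RE = re.compile(r"^IF /(.*)/$")
RULE_RE = re.compile(r"^/(.*)/\s+REPLACE (.*)$")


def _pcre_to_python(pat):
    """Python's re has no \\Q...\\E; expand each quoted span with re.escape."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pat)


def apply_table(table, header):
    """Dry-run: return the header as cleanup(8) would emit it.  pcre tables
    match case-insensitively by default, hence re.IGNORECASE.  Only the syntax
    emitted by render_table() is understood (no nested IF, no other actions);
    of the replacement-text escapes only '$$' is emulated."""
    lines = [l for l in table.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := IF_RE.match(line):
            if not re.search(_pcre_to_python(m.group(1)), header, re.IGNORECASE):
                while lines[i] != "ENDIF":  # condition false: skip the block
                    i += 1
                i += 1
            continue
        if line == "ENDIF":
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised table line {line!r}")
        if re.search(_pcre_to_python(m.group(1)), header, re.IGNORECASE):
            return m.group(2).replace("$$", "$")
    return header  # no rule matched: header passes through unchanged


if __name__ == "__main__":
    print(render_table(USERS), end="")
```

Two points a practitioner would want beyond the generated file. First, header_checks set in main.cf run in every cleanup(8) instance, so inbound and relayed mail would be rewritten as well; to confine the rewrite to authenticated submission, give the submission service its own cleanup entry in master.cf (`-o cleanup_service_name=subcleanup` on submission, `-o header_checks=pcre:/etc/postfix/from_rewrite` on that cleanup entry). Second, the dry-run also answers the original detection question: a header that apply_table() would change is exactly one whose display name did not match the directory, which can be logged instead of rewritten.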