Re: Office 365 Org tag

2019-04-18 Thread RW
On Thu, 18 Apr 2019 04:07:36 +
David Jones wrote:

> I would like to use the AskDNS plugin to query a private DBL that I
> can populate/manage.  The idea is to subtract a few points for
> inbound O365 domains that have been seen before in an effort to help
> block compromised O365 accounts from domains that have never been
> seen before.
> 
> Ideally a new tag would be created when the last external relay is an
> outbound.protection.microsoft.com host and the X-Originating-Org
> header value (which should match the EnvelopeFrom domain) is used to
> make a new tag like _O365ORG_ 

IIWY I'd just look up sender or author and do the rest in a meta-rule.


Office 365 Org tag

2019-04-17 Thread David Jones
I would like to use the AskDNS plugin to query a private DBL that I can 
populate/manage.  The idea is to subtract a few points for inbound O365 domains 
that have been seen before in an effort to help block compromised O365 accounts 
from domains that have never been seen before.

Ideally a new tag would be created when the last external relay is an 
outbound.protection.microsoft.com host and the X-Originating-Org header value 
(which should match the EnvelopeFrom domain) is used to make a new tag like 
_O365ORG_ for a simple rule like this:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns O365_ORG_SEEN_BEFORE _O365ORG_.o365seen.example.com A /^127\.\d+\.\d+\.2$/
score O365_ORG_SEEN_BEFORE -2.0
endif

BTW, how can I find a list of all existing tags available for use?  I tried a 
number of greps and Google searches with no luck.

Thanks,
Dave
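
Added example, not part of the original thread and not code from the SpamAssassin project: one way a small plugin could publish the _O365ORG_ tag that the askdns rule above expects. The plugin name O365Org is hypothetical; the code assumes the MTA records reverse DNS in its Received headers and that internal_networks/trusted_networks are set so the Microsoft host is the first external relay.

```perl
package Mail::SpamAssassin::Plugin::O365Org;   # hypothetical plugin name

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    return $self;
}

# Runs after the headers and the Received trust path have been parsed.
sub parsed_metadata {
    my ($self, $opts) = @_;
    my $pms = $opts->{permsgstatus};

    # relays_external is ordered newest first, so element 0 is the host
    # that handed the message to our own (internal) network.
    my $relay = $pms->{relays_external}->[0] or return;
    my $rdns  = lc($relay->{rdns} // '');
    return unless $rdns =~ /\.outbound\.protection\.microsoft\.com$/;

    # Header name as given in the thread. Its value is sender-controlled
    # text, so accept it only if it is shaped like a domain name before
    # it is interpolated into a DNS query.
    my $org = $pms->get('X-Originating-Org');
    return unless defined $org;
    $org =~ s/^\s+|\s+$//g;
    $org = lc $org;
    return unless length($org) <= 253
        && $org =~ /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

    # Published as _O365ORG_ for askdns query templates. If the tag is
    # never set, the askdns rule depending on it simply does not fire.
    $pms->set_tag('O365ORG', $org);
    return;
}

1;
```

Load it with a loadplugin line in a .pre file alongside the AskDNS plugin. Because the tag is only set when the relay check passes, a forged X-Originating-Org header on mail from any other source cannot earn the negative score.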