On 11/25/2017 12:20 PM, Jerry Malcolm wrote:
Thanks, Dave. Now I'm REALLY glad I didn't try to figure this one out
on my own.... What you are recommending makes sense. But doubt I'd have
stumbled onto this solution on my own.... :-)
Jerry
Sure. I totally understand. It takes a bit of experience with mail
filtering tactics that aren't specific to SA. In this case, you need to
understand SPF and DKIM a bit (SPF_PASS and DKIM_VALID_AU rule hits)
which tell approved sources and authentic emails respectively.
I have a huge list (thousands) of whitelist_auth entries for
_envelope-domain_ senders that I consider trusted. I use the word
"trusted" intentionally so each SA admin can define it themselves.
For those senders that don't have a valid/accurate SPF record, I have a
whitelist_from_rcvd entry instead of a whitelist_auth that won't work
unless there is an SPF_PASS or DKIM_VALID_AU rule hit.
Once you have a good number of whitelist_auth/whitelist_from_rcvd of
_envelope-domain_ entries to cover trusted senders, then you can bump up
scores like BAYES_*, DCC_CHECK, FREEMAIL*, etc. Then the seemingly high
scores in KAM.cf don't cause false positives.
Local rules are used to increase scores to help fight new spam campaigns
from compromised accounts. Compromised accounts are the hardest spam to
block. These definitely require some local custom rules to block zero
hour/day spam that have been specially crafted to get past the stock SA
rules.
Dave
On 11/25/2017 12:02 PM, David Jones wrote:
On 11/25/2017 11:41 AM, Jerry Malcolm wrote:
Thanks so much for all the info. I have installed KAM rules, and
I've started becoming a ninja writing my own (simple) rules. MUCH
improved results (amazing when you finally learn what you're doing....)
I figure before this is all over with, I'm going to have to become
very knowledgeable about regex. But I'm not there yet. Just out of
curiosity, has anybody written a rule that checks if the 'from name'
contains "Amazon" but the 'from domain' name does not contain
"Amazon" (or variations for Kohls, Target, etc)? That's definitely
for the sophomore class in regex, and I'm struggling with the
freshman class.... Any regex experts that can whip this out?
Thanks in advance.
Jerry
This has been discussed recently on the list and here's how I have
handled it:
header BAD_FROM_NAME From:name =~ /(^chase$|chase.com|Internal Revenue Service|banking|Apple|Bank of America|American Express)/i
describe BAD_FROM_NAME Displayed From contains bad information to trick the recipients
score BAD_FROM_NAME 8.2
The "header" line has a simple regex that is basically a bunch of OR's.
Then you set up "whitelist_auth" entries for the real domains
preferably using the envelope-from domain which is a little more
difficult to spoof with the adoption of SPF the past few years.
So for amazon.com, I have these two entries:
whitelist_auth *@amazon.com
whitelist_auth *@*.amazon.com
and then you put "Amazon" in the "header" line above.
We really need to do something like this in the default SA rules which
should be safe for all mail flow. I will open a bug issue if anyone
else thinks this would be a good idea.
This could be implemented with a new 60_whitelist_auth.cf to slowly
and carefully expand the whitelist_auth entries of those known good
senders that properly filter their outbound mail and handle abuse
reports. For example:
whitelist_auth *@alertsp.chase.com
whitelist_auth *@e.chase.com
to go along with the BAD_FROM_NAME header check above. We would add
safe subdomain entries from Apple and Bank of America as well. This
should safely catch a lot of spoofed display names trying to trick
recipients.
Thoughts?
--
David Jones
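As an added illustration of the BAD_FROM_NAME plus whitelist_auth approach discussed in this thread (my own example code, not from the list or from SpamAssassin itself), the following simplified Python model applies the display-name regex and the whitelist_auth globs to a few constructed messages. The -100 whitelist score, matching whitelist_auth against the envelope-from only, and the rule name USER_IN_WHITELIST_AUTH are simplifying assumptions; real SpamAssassin does more.

```python
import re
from email.utils import parseaddr

# Display-name check from the thread, with "Amazon" added as the post suggests.
BAD_FROM_NAME = re.compile(
    r"(^chase$|chase.com|Internal Revenue Service|banking|Apple|Bank of "
    r"America|American Express|Amazon)", re.I)
BAD_FROM_NAME_SCORE = 8.2

# whitelist_auth entries from the thread, in SA's address-glob syntax.
WHITELIST_AUTH = ["*@amazon.com", "*@*.amazon.com",
                  "*@alertsp.chase.com", "*@e.chase.com"]
# Assumed score for a whitelist_auth hit (SA uses its own large negative value).
WHITELIST_SCORE = -100.0


def glob_to_regex(pattern):
    """Turn an SA address glob such as *@*.amazon.com into an anchored regex."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.I)


WHITELIST_RES = [glob_to_regex(p) for p in WHITELIST_AUTH]


def score_message(from_header, envelope_from, spf_pass=False, dkim_valid_au=False):
    """Return (score, hit_rules) for one message.

    Simplified model of the thread's logic: BAD_FROM_NAME fires on the display
    name alone, and a whitelist_auth entry only counts when the message also
    carried an SPF_PASS or DKIM_VALID_AU hit, so a spoofer who merely copies
    the brand name into the display name still gets the 8.2 points.
    """
    display_name, _addr = parseaddr(from_header)
    hits, score = [], 0.0
    if BAD_FROM_NAME.search(display_name):
        hits.append("BAD_FROM_NAME")
        score += BAD_FROM_NAME_SCORE
    authenticated = spf_pass or dkim_valid_au
    if authenticated and any(r.match(envelope_from) for r in WHITELIST_RES):
        hits.append("USER_IN_WHITELIST_AUTH")
        score += WHITELIST_SCORE
    return score, hits


if __name__ == "__main__":
    # Constructed sample messages: a spoof, a real authenticated sender,
    # and the same real sender without SPF/DKIM authentication.
    print(score_message("Amazon.com <deals@mail.example.net>", "deals@mail.example.net", spf_pass=True))
    print(score_message("Amazon.com <ship@amazon.com>", "bounce@bounces.amazon.com", dkim_valid_au=True))
    print(score_message("Amazon.com <ship@amazon.com>", "bounce@bounces.amazon.com"))
```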