On 11/25/2017 01:09 PM, Martin Gregorie wrote:
On Sat, 2017-11-25 at 11:41 -0600, Jerry Malcolm wrote:
Thanks so much for all the info.  I have installed KAM rules, and I've
started becoming a ninja writing my own (simple) rules.  MUCH improved
results (amazing when you finally learn what you're doing....)

I figure before this is all over with, I'm going to have to become very
knowledgeable about regex.  But I'm not there yet.  Just out of
curiosity, has anybody written a rule that checks if the 'from name'
contains "Amazon" but the 'from domain' name does not contain "Amazon"
(or variations for Kohls, Target, etc)?  That's definitely for the
sophomore class in regex, and I'm struggling with the freshman
class....  Any regex experts that can whip this out?

Or, if you want to make the rule very specific, you can do something
like this:

describe  FAKE_AMAZON_FROM  Pick up senders who claim to be Amazon but aren't
header    __FAF1            from:name =~ /Amazon/
header    __FAF2            from:address =~ /amazon\.com/i
meta      FAKE_AMAZON_FROM  ( __FAF1 && !__FAF2 )
score     FAKE_AMAZON_FROM  3.0

The two subrules with '__' prefixes don't generate scores but take true
or false values which the meta rule can test.

The meta rule only fires if the name contains 'Amazon' and the address
does not contain it. Note that the __FAF2 rule matches regardless of
the mix of upper and lower case letters in the domain name because the
'i' suffix makes it a caseless comparison.


Martin



With that rule as it stands, an easily spoofed "Amazon <ord...@myamazon.com>" would not hit FAKE_AMAZON_FROM. Even if the rule specified "@amazon.com," then native DMARC support would be needed to block spoofed From: headers for the next amazon.com spoof. Since SA doesn't have native DMARC support, every SA instance would have to locally manage hundreds of these high-profile targets for phishing.

We see this all of the time for Dropbox.com with various misspellings. Dropbox.com has a DMARC record with "p=reject" so we can allow in dropbox.com safely with a "whitelist_auth dropbox.com" and then create rules to add lots of points to subjects and bodies with Dropbox.com and various regexes that cover intentional misspellings.

whitelist_auth *@dropbox.com
whitelist_auth *@*.dropbox.com

The default SA rules handle Paypal spoofing pretty well with def_whitelist_from_spf in 60_whitelist_spf.cf. Adding "Paypal" and various misspellings to a from:name rule handles spoofing very well. I am only proposing that we extend this to other high-profile domains like Amazon.com. Rspamd is doing this.

--
David Jones
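The point raised above about Martin's rule (an unanchored /amazon\.com/i on from:address also matches lookalike domains such as myamazon.com) is easy to see by evaluating the two subrules and the meta rule against a few From: headers. The Python below is an added illustration, not code from the thread or from SpamAssassin itself: it re-implements __FAF1, __FAF2 and the FAKE_AMAZON_FROM meta rule with Python regexes, then compares the original address pattern with an anchored variant (an assumption of this example, not something proposed in the thread) that only accepts amazon.com or one of its subdomains as the sending domain. The From: headers are constructed sample values.

```python
import re
from email.utils import parseaddr

# Martin's subrules from the thread, expressed as Python regexes:
#   header __FAF1 from:name    =~ /Amazon/
#   header __FAF2 from:address =~ /amazon\.com/i
FAF1_NAME = re.compile(r"Amazon")
FAF2_ADDR_ORIG = re.compile(r"amazon\.com", re.I)

# Hardened variant (assumption of this example): require the address to end in
# "@amazon.com" or "@<sub>.amazon.com", so "myamazon.com" no longer satisfies __FAF2.
FAF2_ADDR_ANCHORED = re.compile(r"@(?:[a-z0-9-]+\.)*amazon\.com$", re.I)

# score FAKE_AMAZON_FROM 3.0, as in the thread
FAKE_AMAZON_SCORE = 3.0


def fake_amazon_from(from_header, addr_re=FAF2_ADDR_ORIG):
    """Evaluate meta FAKE_AMAZON_FROM ( __FAF1 && !__FAF2 ) for one From: header.

    from_header is the raw header value, e.g. 'Amazon <orders@example.net>'.
    addr_re is the pattern used for __FAF2; defaults to the thread's original.
    """
    name, addr = parseaddr(from_header)
    faf1 = bool(FAF1_NAME.search(name))   # display name claims to be Amazon
    faf2 = bool(addr_re.search(addr))     # address looks like amazon.com
    return faf1 and not faf2


def score_message(from_header, addr_re=FAF2_ADDR_ORIG):
    """Return the points this single rule would contribute to the message."""
    return FAKE_AMAZON_SCORE if fake_amazon_from(from_header, addr_re) else 0.0


# Constructed sample headers (not taken from any real message):
SAMPLE_FROM_HEADERS = [
    "Amazon <ship-confirm@amazon.com>",       # legitimate domain
    "Amazon <no-reply@mail.amazon.com>",      # legitimate subdomain
    "Amazon <orders@myamazon.com>",           # lookalike domain from the thread's point
    "Amazon <alerts@example.net>",            # unrelated domain
    "Alice <alice@example.org>",              # no Amazon claim at all
]


def compare_patterns(headers=SAMPLE_FROM_HEADERS):
    """Map each header to (hit with original __FAF2, hit with anchored __FAF2)."""
    return {
        h: (fake_amazon_from(h), fake_amazon_from(h, FAF2_ADDR_ANCHORED))
        for h in headers
    }


if __name__ == "__main__":
    for header, (orig_hit, anchored_hit) in compare_patterns().items():
        print(f"{header:40}  original={orig_hit!s:5}  anchored={anchored_hit}")
```

Running it shows the lookalike header scoring 0.0 under the original __FAF2 and 3.0 under the anchored one, while the genuine amazon.com and mail.amazon.com senders stay at 0.0 with both. The anchoring only narrows what counts as the real domain; as the reply notes, it still does nothing against a forged From: that really says @amazon.com, which is where DMARC/SPF-based whitelisting rather than a regex has to do the work.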
