> Tom Hendrikx <t...@whyscream.net> wrote on 9.12.2017 at 0.34:
>
> On 08-12-17 19:09, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>>
>> Looking at the raw headers and body it's pretty easy to tell this is a
>> spoof, but when it shows up in an inbox, it looks pretty good.
>>
>> Something specific to Amazon (where this is purported to come from)
>> would be to check if their domain is in the From and Reply-To and at
>> least score that relatively high if it's not correct - but compared to
>> what? Maybe if From text contains amazon/i and from-address does not
>> end with amazon.com (for me in the US at least)?
>>
>> That feels forced. Does anyone have any suggestions to help me out on
>> this fine Friday?
>>
>
> Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
> you can easily whitelist anything from amazon based on that, and then
> subtract some points for everything that has '\bAmazon\b' in the
> from:name header.
>
> Kind regards,
> Tom
A couple of local rules saved here:

Content analysis details:   (8.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 L_SUOMISPAM            RBL: Sender is in #suomispam blocklist
                            [20160519 coinletters1.com]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [69.252.207.24 listed in list.dnswl.org]
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=contact%40email.linushonor.co.uk;ip=69.252.207.24;r=gamecock.fredriksson.dy.fi]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 T_TVD_MIME_NO_HEADERS  BODY: No description available.
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4998]
 1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 1.0 L_FROM_NOT_REPLY       From: and Reply-To: have different domains
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
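Tom's approach (trust genuine Amazon mail on SPF/DKIM, then penalise a From: display name that claims Amazon without the address or the authentication to back it up) written out as a local.cf fragment. This is an added example for this thread, not code posted by Tom, AJ or the SpamAssassin project. It assumes the stock SPF and DKIM plugins are loaded, and the rule names starting with L_AMAZON_ are made up here; SPF_PASS and DKIM_VALID_AU are stock SpamAssassin rules, with DKIM_VALID_AU (a valid signature from the author's domain) standing in for DMARC alignment, which older SpamAssassin releases do not evaluate natively. The L_FROM_NOT_REPLY rule in the report above is the poster's own local rule and is not reproduced here.

```conf
# Added example (not from the thread): local.cf rules following Tom's approach.
# Assumes the SPF and DKIM plugins are loaded (they are in a default install).

# 1. Trust genuine Amazon mail on authentication, never on the display name.
#    These whitelist entries only take effect when SPF / DKIM actually pass.
whitelist_from_spf   *@amazon.com
whitelist_from_dkim  *@amazon.com

# 2. Sub-rules (leading "__" means no score of their own; used in metas only).
#    From:name is the display-name part of From:, From:addr the address part.
header   __L_AMAZON_IN_NAME   From:name =~ /\bamazon\b/i
# Add other Amazon TLDs (co.uk, de, ...) here if you receive mail from them.
header   __L_AMAZON_IN_ADDR   From:addr =~ /\@(?:[a-z0-9-]+\.)*amazon\.com$/i

# 3. Display name claims Amazon but the address does not end in amazon.com.
meta     L_AMAZON_NAME_NOT_ADDR   __L_AMAZON_IN_NAME && !__L_AMAZON_IN_ADDR
describe L_AMAZON_NAME_NOT_ADDR   From: display name says Amazon, address domain is not amazon.com
score    L_AMAZON_NAME_NOT_ADDR   2.5

# 4. Display name claims Amazon and neither SPF nor an aligned DKIM signature passed.
#    SPF_PASS and DKIM_VALID_AU are stock rules; DKIM_VALID_AU approximates
#    DMARC alignment (valid signature from the author domain).
meta     L_AMAZON_NAME_NO_AUTH    __L_AMAZON_IN_NAME && !(SPF_PASS || DKIM_VALID_AU)
describe L_AMAZON_NAME_NO_AUTH    Claims Amazon in From: name but neither SPF nor aligned DKIM passed
score    L_AMAZON_NAME_NO_AUTH    2.0
```

Run `spamassassin --lint` after adding the fragment to catch syntax mistakes, then `spamassassin -t < message.eml` against the pastebin sample and against a real Amazon notification: the sample should hit L_AMAZON_NAME_NOT_ADDR (its From: address is not under amazon.com) and L_AMAZON_NAME_NO_AUTH (SPF_FAIL in the report), while the genuine message should hit USER_IN_SPF_WHITELIST or USER_IN_DKIM_WHITELIST and neither L_AMAZON_ rule. Keep the scores modest at first and raise them once you have watched a week of hits.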