I have a local rule that adds a few points for commonly spoofed companies like 
Paypal, Bank of America, Chase, Fedex, etc. since all of these will have good 
SPF/DKIM and now have def_whitelist_auth entries in the 60_whitelist_auth.cf.


Maybe we need to consider putting these in the SA core ruleset to help 
everyone.  The problem is that once we publish the exact rules for everyone 
running sa-update, then the spammers just start spoofing new companies.  At 
least it does help stop many of the common spoofing emails.


header          __BAD_FROM_NAME     From:name =~ /(^chase$|chase\.com|Internal Revenue Service|banking|Bank of America|American Express|Wells Fargo|NavyFederal|Geico|E-fax|Share.oint|UPS Delivery|FedEx|PayPal|Apple Support|USAA|.ropbox|Dro.box)/i
meta            BAD_FROM_NAME       __BAD_FROM_NAME && !ALL_TRUSTED
describe        BAD_FROM_NAME       Displayed From contains bad information to trick the recipients
score           BAD_FROM_NAME       4.0

You need to make sure any company name above has a whitelist_auth or 
whitelist_dkim entry for their real emails.

Dave


________________________________
From: Emanuel Gonzalez <emanuel_gonza...@live.com.ar>
Sent: Thursday, April 26, 2018 7:08 AM
To: Matus UHLAR - fantomas; users@spamassassin.apache.org
Subject: Re: Anti Phish Rules


Here is an example of a phishing email:

Authentication-Results: spf=none (sender IP is 200.58.117.126)
 smtp.mailfrom=ppl3.com; hotmail.com; dkim=fail (body hash did not verify)
 header.d=c0800455.domain.com;hotmail.com; dmarc=none action=none
 header.from=ppl3.com;
Received-SPF: None (protection.outlook.com: ppl3.com does not designate
 permitted sender hosts)
Received: from smht-x-x.domain.com (200.58.117.126) by
 DB5EUR03FT006.mail.protection.outlook.com (10.152.20.106) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.20.696.11 via Frontend Transport; Thu, 26 Apr 2018 10:22:41 +0000
X-IncomingTopHeaderMarker: 
OriginalChecksum:BC2CEE5C26E95CD829053392BF062A8A8EF5B80B38721334E4D422793F5D4711;UpperCasedChecksum:DBAACD04967E0EBE075BAE00C7F9A355386276A19553DE2D32FBB1B903C63A0B;SizeAsReceived:3262;Count:21
Received: from c00.domain.com (c00 [172.x.x.x])
        by smarthost.domain.com (Postfix) with ESMTPS id 4FC2A20000A24
        for <mkch...@hotmail.com>; Thu, 26 Apr 2018 07:22:39 -0300 (-03)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=c0800455.domain; s=mail; h=Content-Transfer-Encoding:Content-Type:
        MIME-Version:Date:Subject:To:From:Message-ID:Sender:Reply-To:Cc:Content-ID:
        Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
        :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
        List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=LUcrH5hRyj2Ujx36ZGDIENRVn7MtrTTfammZnXLJGrg=;
        b=RXl8e5v1c/TQQo/kLRo+tyg4VA
        54BiXbsaC0z2TFM3dMDf4uNZpILl2RXYzhwcKptr9UVm+LQHUXW9UJmdqXKywlisZXyyJtk4U5KSP
        LcaKmcWO+d9HwQWLY3MeDjBT4iw4xEiEeVN4Myra1K8Mf8Pfs3U42IqPHJWF4lLVPSeo=;
Received: from [105.155.80.137] (helo=Abdo-PC)
        by c000.domain.com with esmtpsa (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
        (Exim 4.87_1)
        (envelope-from <m...@ppl3.com>)
        id 1fBe2q-0006i7-4d
        for mkch...@hotmail.com; Thu, 26 Apr 2018 07:22:39 -0300
Message-ID: <0364314f-43216-021f47358625@abdo-pc>
From: PayPal Inc <m...@ppl3.com>


Could you apply some verification for the DKIM signature? I'm working on it.
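Putting the display-name rule posted earlier in this thread together with the Authentication-Results header of the sample above, here is an added example in Python (my own code for this thread, not SpamAssassin's and not from either poster). It pulls the spf/dkim/dmarc verdicts and the DKIM signing domain out of the Authentication-Results value, applies the __BAD_FROM_NAME pattern to the From display name, and exempts the message only when the From domain is on an allow-list and was authenticated for that same domain, which approximates what whitelist_auth does. The allow-list, the second "legitimate" message and the local part phish@ppl3.com (elided in the post) are constructed for the example; ALL_TRUSTED is not modelled.

```python
import re
from email import message_from_string, policy

# Display-name pattern from the __BAD_FROM_NAME rule posted in this thread;
# its Perl syntax is accepted as-is by Python's re module.
BAD_FROM_NAME = re.compile(
    r"(^chase$|chase\.com|Internal Revenue Service|banking|Bank of America|"
    r"American Express|Wells Fargo|NavyFederal|Geico|E-fax|Share.oint|"
    r"UPS Delivery|FedEx|PayPal|Apple Support|USAA|.ropbox|Dro.box)",
    re.IGNORECASE,
)

# Stand-in for whitelist_auth / whitelist_dkim entries: From domains that are
# exempt when the message really is authenticated for that domain. Constructed.
AUTH_ALLOW = {"paypal.com", "chase.com"}

def parse_auth_results(value):
    """Extract method verdicts and identities from an Authentication-Results value.

    Handles the Outlook-style header in the sample, where the authserv-id
    ("hotmail.com;") is repeated between the individual method results.
    """
    text = re.sub(r"\([^)]*\)", "", value)  # drop comments like "(body hash did not verify)"
    out = {"spf": None, "dkim": None, "dmarc": None,
           "dkim_d": None, "mailfrom": None, "header_from": None}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", text)
        if m:
            out[method] = m.group(1).lower()
    for key, prop in (("dkim_d", r"header\.d"),
                      ("mailfrom", r"smtp\.mailfrom"),
                      ("header_from", r"header\.from")):
        m = re.search(rf"{prop}=([^\s;]+)", text)
        if m:
            out[key] = m.group(1).lower()
    return out

def evaluate(raw_message, auth_allow=AUTH_ALLOW):
    """Return the parsed verdicts plus the score this rule would add."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, from_domain = "", ""
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        name = from_hdr.addresses[0].display_name
        from_domain = from_hdr.addresses[0].domain.lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    bad_name = bool(BAD_FROM_NAME.search(name))
    # whitelist_auth-style exemption: the From domain must be allow-listed AND
    # authenticated for that same domain (DKIM d= or SPF envelope sender).
    authenticated = from_domain in auth_allow and (
        (auth["dkim"] == "pass" and auth["dkim_d"] == from_domain)
        or (auth["spf"] == "pass" and auth["mailfrom"] == from_domain)
    )
    score = 4.0 if bad_name and not authenticated else 0.0
    return {"from_name": name, "from_domain": from_domain, "bad_name": bad_name,
            "authenticated": authenticated, "score": score, **auth}

# Headers copied from the phishing sample in this thread; the local part of the
# address is elided in the post, so "phish" is a constructed placeholder.
PHISH_SAMPLE = (
    "Authentication-Results: spf=none (sender IP is 200.58.117.126)\n"
    " smtp.mailfrom=ppl3.com; hotmail.com; dkim=fail (body hash did not verify)\n"
    " header.d=c0800455.domain.com;hotmail.com; dmarc=none action=none\n"
    " header.from=ppl3.com;\n"
    "From: PayPal Inc <phish@ppl3.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed counterpart: same kind of display name, but DKIM-signed by paypal.com.
LEGIT_SAMPLE = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.10)\n"
    " smtp.mailfrom=paypal.com; hotmail.com; dkim=pass (signature was verified)\n"
    " header.d=paypal.com;hotmail.com; dmarc=pass action=none\n"
    " header.from=paypal.com;\n"
    "From: PayPal <service@paypal.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, evaluate(raw))
    # Dave's caveat: with no allow-list entry, the genuine mail is hit as well.
    print("legit, no whitelist_auth:", evaluate(LEGIT_SAMPLE, auth_allow=set())["score"])
```

Running it with the allow-list emptied shows why each listed company needs a whitelist_auth or whitelist_dkim entry: the display-name pattern alone cannot tell the real PayPal mail from the spoof, only the authenticated domain can.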



________________________________
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
Sent: Thursday, April 26, 2018 5:12:05
To: users@spamassassin.apache.org
Subject: Re: Anti Phish Rules

On 26.04.18 18:00, Nick Edwards wrote:
>We've been using a separate product to do this, but it struck me, maybe
>spamassassin can do this easier (or without having to call yet another
>binary to run a scan over mails)
>
>Rules that look at URLs in a html message href and src tags, check the "A"
>tag to see if there is a URL there, and if they do not match, consider it
>a phish so apply said phish score to the message.
>
>Has anyone done this? module even?

the main problem: many non-spam senders do that, see:

https://wiki.apache.org/spamassassin/AntiPhishFakeUrlRule

and further the discussion in linked bug:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=4255

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
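As an added example (my own code for this thread, not from the wiki page or the bug linked above), here is a minimal standard-library Python version of the check Nick describes: it collects every anchor in an HTML body and, wherever the visible link text itself looks like a URL, compares the domain the reader sees with the domain the href actually points to. The sample HTML is constructed; its second hit is exactly the false positive Matus warns about, a legitimate mailing whose link text is www.paypal.com but whose href goes through a click-tracking host. The registrable-domain logic is a naive last-two-labels approximation rather than a public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that reads like a URL: optional scheme, optional www., then a host.
URL_LIKE_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#:]|$)",
    re.IGNORECASE,
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Naive registrable domain: the last two labels. A real rule would use a PSL."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def find_fake_urls(html):
    """Return anchors whose displayed domain differs from the href's domain."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        m = URL_LIKE_TEXT.match(text)
        if not m:
            continue  # plain link text such as "Help" carries no domain to compare
        actual_host = urlsplit(href).hostname
        if not actual_host:
            continue  # relative or mailto: links have no host either
        shown, actual = registrable(m.group(1)), registrable(actual_host)
        if shown != actual:
            findings.append({"text": text, "href": href, "shown": shown, "actual": actual})
    return findings

# Constructed HTML body: one phishing link, one click-tracked legitimate link
# (the false positive), and two links that must not be flagged.
SAMPLE_HTML = """
<p>Please <a href="http://login.ppl3.com/secure">https://www.paypal.com/signin</a>
to confirm your account.</p>
<p>Visit <a href="https://click.esp-tracking.example/t/abc123">www.paypal.com</a>
for more.</p>
<p><a href="https://www.paypal.com/help">Help</a> |
<a href="https://paypal.com/privacy">https://www.paypal.com/privacy</a></p>
"""

if __name__ == "__main__":
    for hit in find_fake_urls(SAMPLE_HTML):
        print(f"text shows {hit['shown']!r} but href goes to {hit['actual']!r}: {hit['href']}")
```

Both hits look identical to this check, which is the point of the wiki page and bug above: before giving such a rule a large score, measure how many click-tracked newsletters in your own mail flow trip it, and consider combining it with an authentication result rather than scoring it on its own.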
