On 05/09/2018 10:59 AM, Alex wrote:
Hi,

https://pastebin.com/raw/TfvhUu0X

...
What I have had to do is basically increase the score on all invoice emails
to try to block the bad ones and then whitelist the good ones.

That email was BCC'd which is another suspicious trait which is why I bump
up the score for MISSING HEADERS.  I have other ways to penalize these
emails at SMTP time based on the number of BCC'd recipients if this were
received by my servers but I can't tell after the fact like this.

Yes, we've similarly created rules for missing headers.

There is so much junk coming out of Office 365 right now from compromised
accounts and otherwise that it's really hard to accurately filter O365
email.  I have created a rule based on the X-OriginatorOrg: header to start
subtracting points for known OK senders and then bumping up other rule hits
like invoice-related ones that come from O365.  I know this doesn't help
with compromised accounts in known OK Orgs but it definitely cuts down the
majority of the fake invoice emails.

# Message came in through Office 365's outbound relay (hostname followed by " [" in Received:)
header  __RCVD_OFFICE365        Received =~ /\.outbound\.protection\.outlook\.com \[/
# Message was proxied by an outlook.com host (hostname followed by " (" in X-ClientProxiedBy:)
header  __RCVD_OFFICE365_PROXY  X-ClientProxiedBy =~ /\.outlook\.com \(/

# Known-good tenant, matched on the X-OriginatorOrg: header (list your own trusted orgs here)
header  __OFFICE365_TRUST_ORG   X-OriginatorOrg =~ /^(ena\.com|example\.com)/

You've set this to be your local system, but what if the mail relay
does not process outbound email? What are legitimate values for this
header?


I don't have "ena.com" in my own rule. Rather I have dozens of others listed. Sorry if this is confusing to imply this is for outbound mail.

In other words, is this helpful if your mail relay doesn't process
your outbound mail?


Yes. It's not meant for outbound but inbound. I shouldn't have put "ena.com" in there for me but you could put it in there for your local rules if you think our email is trustworthy. :)

--
David Jones
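An added example (not from David's post or the SpamAssassin project) of how the sub-rules above combine into scoring: it re-implements the thread's header regexes over constructed headers, subtracts points when a trusted X-OriginatorOrg: sends via O365 and adds points for invoice subjects from an unknown org. The meta-rule names, scores, the invoice subject test and the trusted org list are assumptions; the trust regex is anchored with `$`, since the pattern as posted (`^(ena\.com|example\.com)`) also matches a look-alike org such as `example.community`.

```python
import re
from email import message_from_string

# Header sub-rules from the thread, plus an assumed invoice subject test.
# The trust regex is anchored with $ so "example.com" does not match "example.community".
RULES = {
    "__RCVD_OFFICE365":       ("Received",          re.compile(r"\.outbound\.protection\.outlook\.com \[")),
    "__RCVD_OFFICE365_PROXY": ("X-ClientProxiedBy", re.compile(r"\.outlook\.com \(")),
    "__OFFICE365_TRUST_ORG":  ("X-OriginatorOrg",   re.compile(r"^(example\.com|example\.net)$")),
    "__SUBJ_INVOICE":         ("Subject",           re.compile(r"\binvoice\b", re.I)),
}
UNANCHORED_TRUST = re.compile(r"^(ena\.com|example\.com)")  # the pattern as posted, for comparison

def _via_o365(hits):
    return hits["__RCVD_OFFICE365"] or hits["__RCVD_OFFICE365_PROXY"]

# Meta rules combining the sub-rules (assumed names and scores, not from the thread).
META = [
    ("O365_TRUSTED_ORG",         lambda h: _via_o365(h) and h["__OFFICE365_TRUST_ORG"], -2.0),
    ("O365_INVOICE_UNKNOWN_ORG", lambda h: _via_o365(h) and not h["__OFFICE365_TRUST_ORG"]
                                           and h["__SUBJ_INVOICE"], 2.5),
]

def header_hits(raw_message):
    """Evaluate each header sub-rule; every instance of a repeated header (e.g. Received:) is tested."""
    msg = message_from_string(raw_message)
    return {name: any(rx.search(value) for value in msg.get_all(hdr, []))
            for name, (hdr, rx) in RULES.items()}

def score(raw_message):
    """Return (total score, sub-rule hits) for a raw RFC 822 message."""
    hits = header_hits(raw_message)
    return sum(points for _, test, points in META if test(hits)), hits

def unanchored_trust_matches(org):
    """True if the thread's unanchored trust regex would accept this X-OriginatorOrg value."""
    return UNANCHORED_TRUST.search(org) is not None

# Constructed sample headers (not a real message); the org is filled in per case.
HEADERS = ("Received: from EUR01-DB5-obe.outbound.protection.outlook.com"
           " (mail-db5eur01lp0120.outbound.protection.outlook.com [203.0.113.20])"
           " by mx.example.org with ESMTPS\n"
           "Subject: Invoice 1234 attached\n"
           "X-OriginatorOrg: {org}\n\nbody\n")

if __name__ == "__main__":
    for org in ("example.com", "example.community"):
        total, hits = score(HEADERS.format(org=org))
        print(org, total, hits, "unanchored-match:", unanchored_trust_matches(org))
```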
