Hi,

On Tue, May 15, 2018 at 9:26 PM, David B Funk
<dbf...@engineering.uiowa.edu> wrote:
> On Tue, 15 May 2018, Alex wrote:
>
>> Hi,
>>
>> We received another of those phishes as a result of a compromised O365
>> account.
>>
>> https://pastebin.com/raw/Fv5NKRAP
>>
>> Anyone able to take a look and provide ideas on how to block them? It
>> passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS.
>>
>> It's missing headers, and I've written a rule to account for that, but
>> it would be great to have some other input.
>>
>> Interestingly, it was passed through a mimecast system first.
>>
>> The amount of Outlook/O365/Exchange headers in this email is enormous!
>>
>> Thanks,
>> Alex
>
>
> For openers either totally lose "RCVD_IN_HOSTKARMA_W" & "RCVD_IN_DNSWL_LOW"
> rules, or set their score to something minimal (e.g. -0.1 instead of that
> honking -2.5) or create a rule that detects the message being from O365 and
> meta it with RCVD_IN_HOSTKARMA_W to then add an offsetting score to nullify
> the damage from RCVD_IN_HOSTKARMA_W WRT O365.

That's great advice. I've also now just noticed that the KAM rules
(nonKAM, actually) are responsible for subtracting the -2.5 points,
overriding my rules that subtract just -1.

Kevin, can you consider reducing it, or eliminating it wrt O365?

> Then look for custom anti-phish rulesets. Your example hit a rule
> "RULEGEN_PHISH2" which was in a file 90_rulegen_phish.cf on my server.
> (I'm sorry I don't remember where I got that from).

It looks like it was a rules emporium file from years ago. Is it
really still usable?

> Train bayes, look for custom URIBL lists that might hit that pwned website.

The IP (216.32.180.23) is listed on sorbs, but that's it, and the
domain (peabodyenergy.com) is not listed anywhere.
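
The two approaches David describes (lower the whitelist scores, or meta an O365 detector with RCVD_IN_HOSTKARMA_W to cancel its credit) as a local.cf fragment; this is an added example, not from anyone in the thread. It assumes RCVD_IN_HOSTKARMA_W is still defined by the KAM/nonKAM rules on the box (a meta over an undefined rule only warns and never fires), that the local score to cancel is the -2.5 mentioned above, and that O365 outbound relays identify themselves in Received headers as *.outbound.protection.outlook.com.

```conf
# --- Option 1: blunt the whitelist-style DNSBL rules outright ---
# Assumed current scores are around -2.5, as the thread states.
score RCVD_IN_HOSTKARMA_W  -0.1
score RCVD_IN_DNSWL_LOW    -0.1

# --- Option 2: keep the rules, cancel their effect only for O365 mail ---
# Non-scoring subrule (double underscore): did the message pass through
# an Office 365 outbound relay? Host pattern is an assumption.
header   __FROM_O365_RELAY  Received =~ /\.outbound\.protection\.outlook\.com/i
describe __FROM_O365_RELAY  Relayed via an Office 365 outbound host

# Fires only when both the O365 relay and the HostKarma whitelist hit;
# score is the positive mirror of the -2.5 credit so the net effect is 0.
meta     O365_HOSTKARMA_OFFSET  (__FROM_O365_RELAY && RCVD_IN_HOSTKARMA_W)
describe O365_HOSTKARMA_OFFSET  Cancel HostKarma whitelist credit for O365-relayed mail
score    O365_HOSTKARMA_OFFSET  2.5

# Same idea for the DNSWL credit, if you keep it at its default score.
meta     O365_DNSWL_OFFSET      (__FROM_O365_RELAY && RCVD_IN_DNSWL_LOW)
describe O365_DNSWL_OFFSET      Cancel DNSWL low-trust credit for O365-relayed mail
score    O365_DNSWL_OFFSET      0.7
```

Check it against the saved sample with `spamassassin --lint` followed by `spamassassin -t < sample.eml`, and confirm O365_HOSTKARMA_OFFSET appears in the rule hit list.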
