On 06/08/2018 03:17 PM, Alex wrote:
Hi,
Received this one today that was delivered to about 25 recipients,
lacked a To header, routed through outlook.com and contained a link to
a Google Drive doc that's still active.
https://pastebin.com/y1k0LtM1
It was done under the pretense of a ShareFile attachment.
Is a plugin necessary to tag on when the Subject matches content in the From?
I've created some body rules, and tweaked my existing outlook.com
rules, but I thought everyone should see this, and thought others
might have additional ideas for blocking...
Content analysis details: (5.8 points, 5.0 required)

 pts rule name               description
---- ----------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS           SPF: HELO matches SPF record
 2.2 MISSING_HEADERS         Missing To: header
 0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted Colors in HTML
-3.2 BAYES_00                BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
 0.0 HTML_MESSAGE            BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST  BODY: HTML font color similar or identical to background
 1.9 RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50% [cf: 100]
 0.9 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
-0.1 DKIM_VALID              Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED             Message has a DKIM or DK signature, not necessarily valid
 0.2 ENA_NOT_DKIM_VALID_AU   DKIM signed and valid but not from the originating author
 1.2 KAM_SHORT               Use of a URL Shortener for very short URL
 0.2 ENA_NO_TO_CC            No To: or Cc: so it must have been completely Bcc'd
 0.2 ENA_FREEMAIL            No description available.
 2.2 ENA_DIGEST_FREEMAIL     Freemail account hitting message digest spam seen by the Internet (DCC, Pyzor, or Razor).
Reminder that I treat all senders on Office 365 as FREEMAIL (commonly
abused senders) which gets penalized with meta rules to amplify many
scores. If something comes from Office 365 with no To: or Cc: header
with a URL shortener, that should be very suspicious. I need to add
another meta rule that combines ENA_FREEMAIL and KAM_SHORT to add a
couple more points.
--
David Jones
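The meta rule David says he still needs to add, written out in SpamAssassin rule syntax as an added example (it is not from his post or the ENA ruleset). It assumes ENA_FREEMAIL, KAM_SHORT and ENA_NO_TO_CC are already defined in a loaded rules file; the new rule names and the scores are chosen for this example.

```conf
# Added example, not part of David's ruleset. Assumes ENA_FREEMAIL (his rule
# that flags Office 365 / freemail senders), KAM_SHORT and ENA_NO_TO_CC already
# exist. Rule names and scores below are example values, not the ENA ones.

# Freemail/Office 365 sender plus a URL shortener: the combination David
# describes. A meta rule fires only when every sub-rule in its expression hits,
# so this adds points on top of what ENA_FREEMAIL and KAM_SHORT already score.
meta      ENA_FREEMAIL_SHORT_URL   (ENA_FREEMAIL && KAM_SHORT)
describe  ENA_FREEMAIL_SHORT_URL   Freemail/Office 365 sender using a URL shortener
score     ENA_FREEMAIL_SHORT_URL   2.0

# Same combination with no To: or Cc: header (fully Bcc'd delivery), which is
# what the sample above hit. Meta rules may reference other meta rules, so the
# extra score stacks on the rule above rather than replacing it.
meta      ENA_FREEMAIL_SHORT_BCC   (ENA_FREEMAIL_SHORT_URL && ENA_NO_TO_CC)
describe  ENA_FREEMAIL_SHORT_BCC   Freemail sender, URL shortener and no To:/Cc: header
score     ENA_FREEMAIL_SHORT_BCC   1.0
```

Run `spamassassin --lint` after adding it to catch syntax errors or a misspelled sub-rule name before reloading.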