On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
> Good day,
> I know I will incur some wrath for this but I have the Mayor breathing
> down my neck. We stop nearly all spam now, but some does get through.
> Mostly it has been mail from gmail and outlook servers that pass DKIM
> and SPF.
> This morning a large number of messages appearing to come from the
> Mayor were delivered. The email is technically legitimate and was
> scored appropriately. Unfortunately, the From address was in the
> following format 'the Mayor's display name <random-numb...@gmail.com>'.
> So, everyone who saw the message opened it because it looked like it
> came from the Mayor. Then they called the Mayor's office.
> - The message was benign.
> - The users know to hover over display names to check the address,
>   but this was the Mayor. They did not.
> - All mail delivered locally comes through our server. No one is
>   allowed to use their City email address on non-City devices. Had the
>   address been correct, it would have been stopped.
> Even if only for this one account, I need a rule to check that the
> Mayor's display name matches the Mayor's email account and I am at a
> loss how to manage that with SA rule structure.
> Any thoughts on that or has anyone done something similar?
Make sure your real mail streams are authenticated with DKIM and you're set up to use the whitelist_from_dkim rule, which I believe requires the header added by opendkim on received mail.

    whitelist_from_dkim *@yourdomain your_signing_domain

Then you can add a custom rule to add a large score to From =~ /mayor's name/ and variants, possibly meta'd with FREEMAIL_FROM if you're only concerned about gmail spoofs. It'll only be so useful, but at least you can catch the straight-up imposter who isn't using charset encoding or spelling tricks to mask the name.
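A worked version of the rule set described in that reply, added here as an example and not posted by either participant. The mayor's name (Jane Doe), the City domain (cityexample.gov, also assumed to be the DKIM signing domain) and the mayor's mailbox (mayor@cityexample.gov) are placeholders; substitute the real ones. It uses the From:name and From:addr header-rule selectors so the display name and the address are tested separately, which is what the original question asks for:

```spamassassin
# Added example, not from the thread. Assumed placeholders:
#   Mayor's name       -> Jane Doe
#   City mail domain   -> cityexample.gov (assumed to also be the DKIM signing domain)
#   Mayor's mailbox    -> mayor@cityexample.gov
# Put this in local.cf (or any *.cf in the site rules directory) and run
# `spamassassin --lint` before reloading spamd.

# 1. Let the real mayor through: trust From: *@cityexample.gov only when the
#    message carries a valid DKIM signature from cityexample.gov. This needs
#    the DKIM plugin (loadplugin Mail::SpamAssassin::Plugin::DKIM in a .pre file).
whitelist_from_dkim *@cityexample.gov cityexample.gov

# 2. The display name looks like the mayor. ':name' tests only the
#    display-name part of From: (after RFC 2047 decoding), not the address.
#    Covers "Jane Doe", "Mayor Doe", "Doe, Jane" and "J. Doe"; extend the
#    alternation as new spellings show up.
header   __MAYOR_NAME   From:name =~ /\b(?:jane\s+doe|mayor\s+doe|doe,\s*jane|j\.?\s+doe)\b/i

# 3. The address is the mayor's real mailbox. ':addr' tests only the address part.
header   __MAYOR_ADDR   From:addr =~ /^mayor\@cityexample\.gov$/i

# 4. Impersonation = the mayor's name on any other address.
meta     MAYOR_IMPERSONATION   __MAYOR_NAME && !__MAYOR_ADDR
describe MAYOR_IMPERSONATION   Mayor's display name used with a non-City From address
score    MAYOR_IMPERSONATION   10.0

# Narrower variant, as suggested above: fire only when the sender is a
# freemail account. FREEMAIL_FROM is provided by the FreeMail plugin
# (Mail::SpamAssassin::Plugin::FreeMail), so make sure that plugin is loaded.
meta     MAYOR_FREEMAIL_IMPERSONATION   __MAYOR_NAME && !__MAYOR_ADDR && FREEMAIL_FROM
describe MAYOR_FREEMAIL_IMPERSONATION   Mayor's display name on a freemail address
score    MAYOR_FREEMAIL_IMPERSONATION   10.0
```

Check it by feeding a saved copy of one of the offending messages through `spamassassin -t < message.eml` and confirming MAYOR_IMPERSONATION shows up in the report, then do the same with a genuine message from the mayor to confirm it does not. Because the OP says City addresses are never used from outside the City server, a genuine message will always carry the real From:addr, so the negated __MAYOR_ADDR term is what keeps it from firing. As the reply warns, a name written with look-alike characters or a deliberate misspelling will not match the regex; add those variants as you see them. On SpamAssassin 4.x the directive is spelled welcomelist_from_dkim, though the old name is still accepted.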