Detecting fraud From <-> Reply attempts

zthephoenixz
Posts: 26
Joined: 28 May 2015 01:55

Detecting fraud From <-> Reply attempts

Post by zthephoenixz »

I am getting more and more of these coming in and they are specifically targeting accounts staff and ceo/gm members.

Emails where the From Address shows up like this in Outlook.
From : "ceo's name" [mailto: "ceo's email address"]
But the hidden Reply address is some anonymous webmail service somewhere.

The users, though, see "CEO" and hit reply without looking at the reply address to notice "Hey, that's not his email address", and then reply with the requested details, usually bank balances and transfer limits. I had an accounts staff member almost transfer a large sum of money thinking the CEO had requested it; sanity and logic prevailed, though. But it is an issue when staff are not truly computer literate and are just following a repeated process.

The question:
I want to flag as spam, or even just bounce, emails where the From domain doesn't equal the Reply-To domain.

Anyone see any holes in that or suggestions?
Tips on implementation would be great as well.
zthephoenixz
Posts: 26
Joined: 28 May 2015 01:55

Re: Detecting fraud From <-> Reply attempts

Post by zthephoenixz »

I suppose this is more a SpamAssassin rule question; I will try posting over there, unless someone knows how to do something like this:

# SpamAssassin rules. The leading '#' that was on each line would make SpamAssassin
# treat them as comments, so it is dropped. ':addr' matches only the address part of the
# header, and the pattern covers mydomain.com, mydomain.com.au and mydomain.com.pg.
# If a message has no Reply-To header at all, __FAKE_PHISH_TEST2 does not fire.
header __FAKE_PHISH_TEST1 From:addr =~ /\@mydomain\.com(\.(au|pg))?$/i
header __FAKE_PHISH_TEST2 Reply-To:addr !~ /\@mydomain\.com(\.(au|pg))?$/i
meta FAKE_PHISH (__FAKE_PHISH_TEST1 && __FAKE_PHISH_TEST2)
score FAKE_PHISH 500.0

The filter is for mydomain.com.au, mydomain.com.pg and mydomain.com, which I have registered.
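As an added illustration (not code from this thread), here is the same From/Reply-To domain check written in Python so it can be run over sample messages. OWN_DOMAINS and the three messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed stand-in for the poster's registered domains (assumption).
OWN_DOMAINS = {"mydomain.com", "mydomain.com.au", "mydomain.com.pg"}

def header_domain(msg, name):
    """Lower-cased domain of the address in header `name`, or None if absent."""
    _display, addr = parseaddr(msg.get(name, ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def is_reply_to_spoof(raw):
    """Mirror of the FAKE_PHISH meta rule: From claims one of our domains,
    but a Reply-To is present and points at a foreign domain."""
    msg = email.message_from_string(raw)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom not in OWN_DOMAINS:
        return False          # not claiming to be us: this rule has nothing to say
    if reply_dom is None:
        return False          # no Reply-To: replies go back to the From address
    return reply_dom not in OWN_DOMAINS

# Constructed sample messages, not real mail.
SPOOF = (
    'From: "CEO Name" <ceo@mydomain.com>\n'
    'Reply-To: "CEO Name" <ceo.private@webmail.example>\n'
    "Subject: Urgent\n\nWhat is the current balance?\n"
)
INTERNAL = (
    'From: "CEO Name" <ceo@mydomain.com.au>\n'
    "Reply-To: accounts@mydomain.com\n"
    "Subject: Invoices\n\nPlease file these.\n"
)
DISPLAY_NAME_ONLY = (
    'From: "CEO Name" <ceo.private@webmail.example>\n'
    "Subject: Urgent\n\nWhat is the current balance?\n"
)

if __name__ == "__main__":
    for label, raw in [("spoof", SPOOF), ("internal", INTERNAL),
                       ("display-name-only", DISPLAY_NAME_ONLY)]:
        print(f"{label}: {'FLAG' if is_reply_to_spoof(raw) else 'pass'}")
```

The display-name-only message passes this check because its From domain is foreign; the rule only catches an explicit Reply-To mismatch against one of the registered domains.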
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Detecting fraud From <-> Reply attempts

Post by ovizii »

Without knowing your setup: do legitimate emails from, say, employee1 to employee2 or the CEO go through your EFA filter?
If that is not the case, you could go the easiest route and simply not accept any email to your domain from your domain.

Additionally, I would set up SPF + DKIM + DMARC; that gets rid of most fake emails trying to spoof you.

If you really want something like what you suggested, maybe do it this way:

Look at HEADER_FROM_DIFFERENT_DOMAINS, which is being used in /var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf

maybe:


# ':addr' matches the address part only; the sub-rule name must be used in the meta,
# and 'score' needs the rule name it applies to.
header __TEST1 From:addr =~ /\@mydomain\.com$/i
meta   TEST2 (HEADER_FROM_DIFFERENT_DOMAINS && __TEST1)
score  TEST2 25
My syntax is most probably wrong; I just wanted to give you an idea.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Detecting fraud From <-> Reply attempts

Post by pdwalker »

That would be my approach. If mail from my domain comes into my EFA box, I'd just drop it, or set it to a very high spam level.

All our mail is handled internally, so there is no reason why mail from our domain would ever come in from an external source.