Sometimes it happens that a trojan virus uses real people's PCs to send spam and the virus itself.
So infected PCs send mails from their real address and it is impossible to classify them as spam.
These messages contain, for example, typical DHL text, so Bayes also fails.
For example, one of these:
From: sant1234@studio1234.it
Subject: VS SPEDIZIONE DHL AWB 378938938 proveniente dalla GRAN BRETAGNA **AVVISO DI GIACENZA **
You can see that the sender is a real person, probably with a correct SPF, no blacklisted IP, etc., but it sends a mail as if it were DHL.
This rule can catch if someone uses DHL in the subject but does not have DHL as part of the FROM address.
Is there a way to write it shorter and better?
# Subject mentions DHL (the original pattern /dhl:/ required a literal colon
# after "dhl", which the quoted subject does not contain, so it never fired)
header SUBJ_NOTIN_SENDER_DHL_1 Subject =~ /dhl/i
# From header (display name and address) mentions DHL
header SUBJ_NOTIN_SENDER_DHL_2 From =~ /dhl/i
# fire only when the subject says DHL but the sender does not
meta SUBJ_NOTIN_SENDER_DHL SUBJ_NOTIN_SENDER_DHL_1 && ! SUBJ_NOTIN_SENDER_DHL_2
describe SUBJ_NOTIN_SENDER_DHL Oggetto contiene dhl ma il mittente no, probabile attacco
score SUBJ_NOTIN_SENDER_DHL 1.00
DHL Spam
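The post's subject/sender mismatch check, reimplemented in Python as an added example (not code from the thread) so it can be run against sample messages offline. It generalises the idea to a list of brand names (the `ups` and `fedex` entries are assumed additions, only DHL is in the post) and shows one caveat worth knowing: the post's `From =~ /dhl/` looks at the whole From header, so a spoofed display name such as `DHL Notifications <...>` silences the rule. The `address_only` switch compares the address part only, which is what SpamAssassin's `From:addr` header modifier does. All three messages are constructed; the first reuses the From/Subject pair quoted above.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Brand names to check; the post covers only DHL, the other two are assumed additions.
BRANDS = ("dhl", "ups", "fedex")

# Constructed sample messages (only the headers matter here). The first reuses the
# From/Subject pair quoted in the post; the others are made up for this example.
SAMPLE_SPOOF = """\
From: sant1234@studio1234.it
Subject: VS SPEDIZIONE DHL AWB 378938938 proveniente dalla GRAN BRETAGNA **AVVISO DI GIACENZA **

(body omitted)
"""

SAMPLE_LEGIT = """\
From: DHL Express <noreply@dhl.com>
Subject: DHL shipment 1234567890 is on its way

(body omitted)
"""

# Display name says DHL but the address does not: a whole-header test like the
# post's `From =~ /dhl/` sees "DHL" in the header and stays silent.
SAMPLE_DISPLAY = """\
From: DHL Notifications <sant1234@studio1234.it>
Subject: DHL AWB 1234567890 - delivery notice

(body omitted)
"""


def brand_mismatch(raw_message, brands=BRANDS, address_only=False):
    """Return a rule name for every brand found in Subject but absent from From.

    address_only=False compares against the whole From header, like the post's
    `From =~ /dhl/`; address_only=True compares only the e-mail address part, so
    a spoofed display name no longer masks the mismatch (SpamAssassin: From:addr).
    """
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    if address_only:
        sender = parseaddr(sender)[1]  # "Name <addr>" -> "addr"
    hits = []
    for brand in brands:
        pattern = re.compile(rf"\b{re.escape(brand)}\b", re.IGNORECASE)
        if pattern.search(subject) and not pattern.search(sender):
            hits.append(f"SUBJ_NOTIN_SENDER_{brand.upper()}")
    return hits


if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT), ("display", SAMPLE_DISPLAY)):
        print(label, "header:", brand_mismatch(raw), "address-only:", brand_mismatch(raw, address_only=True))
```

Run as a script it prints which rule fires for each sample under both comparison modes; the third sample is the one where the two modes disagree.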
Re: DHL Spam
Is this mail from somebody's home PC?
If so, I find adding this to my main.cf (reject_non_fqdn_sender)
The reason is the majority of PCs are normally standalone and they are not joined to a domain, so they do not have an FQDN; when they connect to my MTA they get rejected. I believe this will stop not just DHL, but the majority of zombie hosts.
smtpd_sender_restrictions =
......
reject_non_fqdn_sender,
..... other rules
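To make concrete what the `reject_non_fqdn_sender` restriction above accepts and rejects, here is an added Python model of the check (example code, not Postfix's own implementation, and simplified: one or more syntactically valid DNS labels with at least one dot; address literals like `[192.0.2.10]` are treated as non-FQDN here, which is an assumption). The reply text copies the shape of Postfix's default `non_fqdn_reject_code` 504. The envelope senders are constructed; the last one is the case from the opening post, a compromised PC relaying through its own mail server, which carries a proper domain and therefore passes this check.

```python
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1..63 chars.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Constructed MAIL FROM values as the MTA would see them (assumed samples).
SAMPLE_SENDERS = [
    "<>",                          # null sender used for bounces
    "<pc-sales@WORKSTATION01>",    # standalone PC, bare hostname, no domain
    "<administrator>",             # no @ at all
    "<user@[192.0.2.10]>",         # address literal
    "<sant1234@studio1234.it>",    # infected corporate PC via its own mail server
]


def sender_domain_is_fqdn(mail_from):
    """Simplified model of reject_non_fqdn_sender: True means the envelope sender passes."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return True  # the null sender has no domain to check and must be accepted
    if "@" not in addr:
        return False  # bare local part, nothing to resolve
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    labels = domain.split(".")
    # fully qualified: at least two labels and every label syntactically valid
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def smtpd_sender_decision(mail_from):
    """Reply the MTA would give for this MAIL FROM under the modelled restriction."""
    if sender_domain_is_fqdn(mail_from):
        return "250 2.1.0 Ok"
    return f"504 5.5.2 {mail_from}: Sender address rejected: need fully-qualified address"


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:32} -> {smtpd_sender_decision(sender)}")
```

The point the thread goes on to make is visible in the last sample: the restriction stops hosts that speak SMTP directly from a bare hostname, but not a compromised machine whose mail leaves through a legitimately configured server.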
Re: DHL Spam
No, this is not the question.
Trojans also infect corporate PCs that send in the background using their regular mail program and mail server.
Re: DHL Spam
If your code works, go with it; I am not an expert on SA coding.
I was suggesting an alternative to the problem; since I added "reject_non_fqdn_sender" I very rarely get DHL spam anymore.
I also force inbound TLS for common delivery companies like dhl.com to get rid of the spoofed ones; zombie PCs tend not to do TLS (yet). I also do this for free mail providers, like outlook.com, gmail.com.
Checking rFQDNs is also a good metric; nonmatching ones score higher.
Any well-managed corporate network should have DNS and SMTP (and others) blocked for normal users.
One I am working on for phishing emails.
# PHISHING SCAMS
# SUBJECTS
header __LOCAL_PHISH_1 Subject =~ /(Email|Access|Update)/i
rawbody __LOCAL_PHISH_2 /e-emailbox|password|expire|update/is
# BAD LINKS
rawbody __LOCAL_PHISH_3 /https?:\/\/.{3,30}\.(tripod|freewebs)\//i
# STUPID STATEMENTS
body __LOCAL_PHISH_4 /Dear|expire|password|update|helpdesk|email|exchange/i
# without "multiple" a rule counts at most 1 inside a meta, so the ">= 2" below could never be true
tflags __LOCAL_PHISH_4 multiple
describe LOCAL_PHISH Phishing password harvesting scam
score LOCAL_PHISH 2.0
# && binds tighter than ||: (subject and body keywords both hit AND a bad link) OR two or more generic phrases
meta LOCAL_PHISH (__LOCAL_PHISH_1 + __LOCAL_PHISH_2 >= 2) && (__LOCAL_PHISH_3 >= 1) || (__LOCAL_PHISH_4 >= 2)
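To see how that meta rule behaves on real text, here is an added Python model of it (example code, not the poster's or SpamAssassin's) that transcribes the four sub-rules, counts matches, and evaluates the meta expression with the same precedence SpamAssassin uses (`&&` before `||`). Two simplifications are assumptions: `body` and `rawbody` rules both run against the plain-text body here, and the `multiple_ok` switch stands in for `tflags multiple` on `__LOCAL_PHISH_4`. Without that flag a rule scores at most 1 inside a meta, so `__LOCAL_PHISH_4 >= 2` can never hold; with it, the `||` branch fires on two generic words alone, which the third constructed message (an ordinary note containing "Dear" and "update") demonstrates. All three messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Rule table transcribed from the post: name -> (where, pattern, counts multiple hits).
# The last field models `tflags multiple`; it is only set for __LOCAL_PHISH_4.
RULES = {
    "__LOCAL_PHISH_1": ("header", re.compile(r"(Email|Access|Update)", re.I), False),
    "__LOCAL_PHISH_2": ("body", re.compile(r"e-emailbox|password|expire|update", re.I | re.S), False),
    "__LOCAL_PHISH_3": ("body", re.compile(r"https?://.{3,30}\.(tripod|freewebs)/", re.I), False),
    "__LOCAL_PHISH_4": ("body", re.compile(r"Dear|expire|password|update|helpdesk|email|exchange", re.I), True),
}

# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: helpdesk@example.net
Subject: Email Access Update required

Dear user, your password will expire. Please update it via the helpdesk at http://evil-pages.tripod/login before your email is locked.
"""

SAMPLE_HAM = """\
From: anna@example.org
Subject: Lunch on Friday

Can we meet at noon? The agenda is attached.
"""

# Ordinary mail that still contains two of the "stupid statement" words.
SAMPLE_BORDERLINE = """\
From: anna@example.org
Subject: Menu

Dear Anna, the update to the menu is attached.
"""


def rule_hits(raw_message, multiple_ok=True):
    """Count hits per sub-rule; rules without `multiple` are clamped to 0/1 like SpamAssassin."""
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    hits = {}
    for name, (where, pattern, multiple) in RULES.items():
        text = subject if where == "header" else body
        count = len(pattern.findall(text))
        hits[name] = count if (multiple and multiple_ok) else min(count, 1)
    return hits


def local_phish(hits):
    """The meta expression from the post; Python's `and` binds tighter than `or`, as SA's && does."""
    return (
        hits["__LOCAL_PHISH_1"] + hits["__LOCAL_PHISH_2"] >= 2 and hits["__LOCAL_PHISH_3"] >= 1
    ) or hits["__LOCAL_PHISH_4"] >= 2


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("ham", SAMPLE_HAM), ("borderline", SAMPLE_BORDERLINE)):
        hits = rule_hits(raw)
        print(label, hits, "LOCAL_PHISH" if local_phish(hits) else "-")
```

The borderline case is the one to watch when tuning: with `tflags multiple` in place, any message with two of those everyday words gets the full 2.0, independent of subject and links, so the right-hand side of the `||` is the part most likely to need a higher threshold or a narrower word list.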