efa-project.org


https://forum.efa-project.org/

Detecting fraud From <-> Reply attempts

https://forum.efa-project.org/viewtopic.php?t=1758

Page 1 of 1

Detecting fraud From <-> Reply attempts

Posted: 26 Jul 2016 05:59
by zthephoenixz
I am getting more and more of these coming in and they are specifically targeting accounts staff and ceo/gm members.

Emails where the From Address shows up like this in Outlook.
From : "ceo's name" [mailto: "ceo's email address"]
But the hidden Reply address is some anonymous webmail service somewhere.

The users though, see "CEO" and hit reply and don't look at the reply address to see "Hey that's not his email address" and then reply with the requested details. Usually bank balances and transfer limits, had an accounts staff member almost transfer a large sum of money thinking the ceo had requested it, sanity & logic prevailed though. But it is an issue when staff are not truly computer literate and are just following a repeated process.

The question.
I want to flag as spam or even just bounce emails that the From domain doesn't equal the reply domain.

Anyone see any holes in that or suggestions?
Tips on implementation would be great as well.

Re: Detecting fraud From <-> Reply attempts

Posted: 27 Jul 2016 00:48
by zthephoenixz
I suppose this is more a spamassassin rule/question, I will try posting over there, unless someone knows how to do something like this :-

#header __FAKE_PHISH_TEST1 From =~ /*\@mydomain\.com*/i
#header __FAKE_PHISH_TEST2 Reply-To !~ /*\@mydomain\.com*/i
#meta FAKE_PHISH (__FAKE_PHISH_TEST1 && __FAKE_PHISH_TEST2)
#score FAKE_PHISH 500.0

The filter is for mydomain.com.au mydomain.com.pg mydomain.com which i have registered.

Re: Detecting fraud From <-> Reply attempts

Posted: 28 Jul 2016 09:09
by ovizii
without knowing your setup; do legitimate emails from say employee1 to eymployee2 or ceo go through your EFA filter?
If that is not the case you could go the easiest route and simply not accept any email to your domain from your domain.

additionally, I would setup SPF + DKIM + dmarc that gets rid of most fake emails trying to spoof you.

If you really want something you suggested maybe do it this way:

look at HEADER_FROM_DIFFERENT_DOMAINS that is bein used in /var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf

maybe:

Code: Select all

header __TEST1 From =~ /*\@mydomain\.com*/i
meta   TEST2 (HEADER_FROM_DIFFERENT_DOMAINS &&TEST1)
score 25
my syntax is most probably wrong, just wanted to give you an idea.

Re: Detecting fraud From <-> Reply attempts

Posted: 28 Jul 2016 09:50
by pdwalker
That would be my approach. If mail from my domain comes into my efa box, I'd just drop it, or set it to a very high spam level.

All our mail is handled internally, so there is no reason why mail from our domain would ever come in from an external source.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited