efa-project.org


https://forum.efa-project.org/

DHL Spam

https://forum.efa-project.org/viewtopic.php?t=2458

Page 1 of 1

DHL Spam

Posted: 13 Jun 2017 13:29
by nicola.piazzi
Sometimes happen that trojan virus use real peolple pc's to send spam and virus itself

So infected pc's send mails from its real address and is impossible to classify as spam
these messages contains for example, dhl tipycal text so also bayes fail

For example ome of this :

From :sant1234@studio1234.it
Subject :VS SPEDIZIONE DHL AWB 378938938 proveniente dalla GRAN BRETAGNA **AVVISO DI GIACENZA **

You can see that there sender is a real people, probably with a correct spf,no blacklisted ip, etc but it send a mail as it is DHL

This rule, can catch if someone use DHL in subject but ii not have DHL as part of FROM ADDRESS

Is there a way to write shortly and better ?

header SUBJ_NOTIN_SENDER_DHL_1 Subject =~ /dhl:/si
header SUBJ_NOTIN_SENDER_DHL_2 From =~ /dhl/si
meta SUBJ_NOTIN_SENDER_DHL SUBJ_NOTIN_SENDER_DHL_1 && ! SUBJ_NOTIN_SENDER_DHL_2
describe SUBJ_NOTIN_SENDER_DHL Oggetto contiene dhl ma il mittente no, probabile attacco
score SUBJ_NOTIN_SENDER_DHL 1.00

Re: DHL Spam

Posted: 13 Jun 2017 15:49
by thewomble
Is this mail from somebodies home PC?

If so, I find adding this to my main.cf (reject_non_fqdn_sender)

Code: Select all

smtpd_sender_restrictions = 
         ......
	reject_non_fqdn_sender, 
        ..... other rules
The reason is the majority of PC's are normally standalone and they are not joined to a domain, so they do not have an FQDN when they connect to my MTA they get rejected. I believe this will stop not just DHL, but the majority of zombie hosts.

Re: DHL Spam

Posted: 13 Jun 2017 16:01
by nicola.piazzi
no, this is not the question

trojans infect also corporate pc that send in background using its regular mail program and mailserver

Re: DHL Spam

Posted: 13 Jun 2017 21:57
by thewomble
if your code works, go with I am not an expert on SA coding.

I was suggesting an alternative to the problem, since I added "reject_non_fqdn_sender" I very rarely get DHL spam anymore.

I also force inbound TLS for common delivery company like dhl.com get rid the spoofed, zombie PCs tend not to do TLS (yet}, I also do this to free mail providers, like outlook.com, gmail.com.

Checking rFQDNs is also a good metric nonmatching score higher.

Any well managed corporate network should have DNS and SMTP (an others} should be blocked for normal users.

One I am working for phishing emails.

Code: Select all

#PHISHING SCAMS
#SUBJECTS
header		__LOCAL_PHISH_1	Subject =~ /(Email|Access|Update)/i

rawbody		__LOCAL_PHISH_2	/e-emailbox|password|expire|update/is

#BAD LINKS
rawbody		__LOCAL_PHISH_3	/https?:\/\/.{3,30}\.(tripod|freewebs)\//i

#STUPID STATEMENTS
body		__LOCAL_PHISH_4	/Dear|expire|password|update|helpdesk|email|exchange/i

describe	LOCAL_PHISH	Phishing password harvesting scam
score		LOCAL_PHISH	2.0
meta		LOCAL_PHISH	(__LOCAL_PHISH_1 + __LOCAL_PHISH_2 >= 2) && (__LOCAL_PHISH_3 >= 1) || (__LOCAL_PHISH_4 >= 2)
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited