Difference between revisions of "Phishing From Own Domain"

From Roaring Penguin
Revision as of 10:31, 15 December 2015

A common tactic for more advanced phishing techniques is for the spammer to identify key figures within an organization and spoof a conversation among them. The message will generally show up in the inbox of someone in the financial department - for instance, cfo@example.com - and will appear to be from a trusted sender, say ceo@example.com.

There is already a rule in SpamAssassin that detects this behaviour (HEADER_FROM_DIFFERENT_DOMAINS), but we set it to have negligible effect on the score because of its huge potential to create false positives. This is because it is also triggered by any source that delivers through a relay, or that disguises its true sender for good reasons. The score of this rule can be increased using Rules->Score Overrides, but a more specific rule is better. This rule is, however, a good indicator that a message has been spoofed, so that better rules can be created.

Recommended Rule

The best solution for this is usually to create a compound rule that is triggered only when a sender spoofs the domain of the recipient.

  • From the default realm, navigate to Rules->Compound Rules. Add new as follows (where example.com is your own domain):

      (Domain of Header From is example.com) AND (Domain of Envelope Sender is not example.com)

  • Apply enough points to get trapped.

This rule will also trigger for some valid sources, such as Mailchimp, that are not spam but still deliberately send with your domain in the header From to limit confusion for recipients. You can create exceptions for these by appending to the rule above:

AND (Domain of Envelope Sender is not exception.com)

Spoofing From Other Domains

This same rule will work for any other domain as well by substituting that domain for example.com. For example, if you are receiving mail that is spoofed to appear to be coming from a business partner, you can create the following rule for your own domain, which will reject messages that did not come from that partner directly:

(Domain of Header From is partner.com) AND (Domain of Envelope Sender is not partner.com)
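Added example, not code from the Roaring Penguin wiki or product: a small Python model of the compound rule described under Recommended Rule and Spoofing From Other Domains, evaluated over constructed header From / envelope sender pairs. The protected domain, the exception domain exception.com and the partner and attacker addresses are placeholders; matching is exact and case-insensitive, as the rule's "is" comparison reads.

```python
import email.utils


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address.

    Accepts display-name forms such as 'CEO <ceo@example.com>'. Returns ''
    for the null envelope sender '<>' (bounces) or a malformed address.
    """
    _, addr = email.utils.parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def spoofs_domain(header_from: str, envelope_sender: str,
                  protected: str, exceptions=()) -> bool:
    """Evaluate the compound rule for one message:

    (Domain of Header From is protected) AND
    (Domain of Envelope Sender is not protected)
    [AND (Domain of Envelope Sender is not <each exception>)]
    """
    from_dom = domain_of(header_from)
    env_dom = domain_of(envelope_sender)
    protected = protected.lower()
    if from_dom != protected:
        return False          # header From is some other domain: rule is silent
    if env_dom == protected:
        return False          # envelope matches: mail really left our domain
    # Appended exceptions: legitimate relays allowed to use our domain.
    # A null sender '<>' yields '' and is still trapped, as the rule is written.
    if env_dom in {e.lower() for e in exceptions}:
        return False
    return True


# Constructed sample pairs (header From, envelope MAIL FROM); not from the page.
SAMPLES = [
    ("CEO <ceo@example.com>", "ceo@example.com"),           # internal, legitimate
    ("CEO <ceo@Example.com>", "bounce@attacker.invalid"),   # spoofed: trapped
    ("News <news@example.com>", "b-123@exception.com"),     # whitelisted relay
    ("partner@partner.com", "x@attacker.invalid"),          # not our domain
]


def evaluate_samples(protected="example.com", exceptions=("exception.com",)):
    """Apply the rule to every sample; True means the message would be trapped."""
    return [spoofs_domain(f, e, protected, exceptions) for f, e in SAMPLES]
```

The last sample is caught only by a second rule with partner.com substituted for example.com, as the section above describes.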