Difference between revisions of "Phishing From Own Domain"

From Roaring Penguin
Line 17:

Old revision:

  AND (Domain of Envelope Sender is not exception.com)

==Spoofing From Other Domains==

This same rule will work for any other domain as well by substituting in that domain for example.com. For example if you are receiving mail that is spoofed to appear to be coming from a business partner you can create the following rules for your own domain which will reject messages that didn't come from that partner directly:

  (Domain of Header From is partner.com) AND (Domain of Envelope Sender is not partner.com)

See [[Spoofed Addresses]]

New revision:

  AND (Domain of Envelope Sender is not exception.com)

==General Rule==

To avoid creating the above rule for a bunch of domains you can create an alternate version that takes the recipient domain as a variable so that it can be used to apply to mail spoofing any recipient's own domain.

Please use caution with this rule due to the exceptions mentioned above. If you add an exception to this rule it will apply to all domains that are effected by it. It is best to leave this rule, as below, with no exceptions and if you need a specific domain to have exceptions then create the above rule local to that realm and override the score of this rule to 0.

  (Envelope Recipient Ends with %{domain_of_header_from}) AND (Envelope Recipient Does not end with %{domain_of_envelope_sender})

===Spoofing From Other Domains===

See [[Spoofed Addresses]]

<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
[[category:All]][[category:Best_Practices]][[category:Rules]]

Revision as of 12:16, 3 May 2016

A common tactic in more advanced phishing is for the spammer to identify key figures within an organization and spoof a conversation among them. The message will generally show up in the inbox of someone in the finance department, for instance cfo@example.com, and will appear to come from a trusted sender, say ceo@example.com.

There is already a rule in SpamAssassin that detects this behaviour (HEADER_FROM_DIFFERENT_DOMAINS), but we set it to have a negligible effect on the score because of its huge potential to create false positives: it is also triggered by any source that delivers through a relay, or that disguises its true sender for legitimate reasons. The score of this rule can be increased using Rules->Score Overrides, but a more specific rule is better. The rule is, however, a good indicator that a message has been spoofed, which helps when creating better rules.

Recommended Rule

The best solution for this is usually to create a compound rule that is triggered only when a sender spoofs the domain of the recipient.

  • From the default realm, navigate to Rules->Compound Rules. Add a new rule as follows (where example.com is your own domain):
    (Domain of Header From is example.com) AND (Domain of Envelope Sender is not example.com)
  • Assign enough points for matching messages to be trapped.

This rule will also trigger for some legitimate sources, such as Mailchimp, that are not spam but still send with your domain in the From header so as not to confuse recipients. You can create exceptions for these by appending to the rule above:

AND (Domain of Envelope Sender is not exception.com)

General Rule

To avoid creating the above rule for many domains, you can create an alternate version that takes the recipient domain as a variable, so that it applies to mail spoofing any recipient's own domain.

Please use caution with this rule due to the exceptions mentioned above. If you add an exception to this rule it will apply to all domains that are affected by it. It is best to leave this rule, as below, with no exceptions; if you need a specific domain to have exceptions, then create the above rule local to that realm and override the score of this rule to 0.

(Envelope Recipient Ends with %{domain_of_header_from}) AND (Envelope Recipient Does not end with %{domain_of_envelope_sender})
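The recommended rule (with its appended exception) and the general rule above, evaluated in Python against a few constructed messages. This is an added example, not CanIt's or Roaring Penguin's own code: the `Message` fields, the sample addresses under `.invalid`, the `esp.invalid` exception and the modelling of "Ends with" as a plain string suffix test are all assumptions.

```python
"""Added example: evaluate the two compound rules from the page on sample
messages. Not CanIt code; field names and sample domains are assumptions."""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass(frozen=True)
class Message:
    header_from: str         # RFC 5322 "From:" header value
    envelope_sender: str     # SMTP MAIL FROM (return path)
    envelope_recipient: str  # SMTP RCPT TO


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, tolerating display-name forms
    such as 'CEO <ceo@example.com>'. Returns '' if there is no '@'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def spoofs_own_domain(msg: Message, own_domain: str, exceptions=()) -> bool:
    """Recommended rule, plus its optional appended exceptions:
    (Domain of Header From is own_domain)
      AND (Domain of Envelope Sender is not own_domain)
      AND, per excepted domain, (Domain of Envelope Sender is not that domain)."""
    own = own_domain.lower()
    sender = domain_of(msg.envelope_sender)
    if domain_of(msg.header_from) != own or sender == own:
        return False
    return all(sender != exc.lower() for exc in exceptions)


def spoofs_recipient_domain(msg: Message) -> bool:
    """General rule with the %{...} variables expanded:
    (Envelope Recipient Ends with domain_of_header_from)
      AND (Envelope Recipient Does not end with domain_of_envelope_sender).
    'Ends with' is modelled as a string suffix test (an assumption about the
    operator). An empty domain never matches, so a malformed From header or a
    null sender cannot make the rule fire on everything."""
    rcpt = msg.envelope_recipient.lower()
    from_dom = domain_of(msg.header_from)
    sender_dom = domain_of(msg.envelope_sender)
    if not from_dom or not sender_dom:
        return False
    return rcpt.endswith(from_dom) and not rcpt.endswith(sender_dom)


# Constructed sample messages (not real traffic); example.com is "our" domain.
SAMPLES = {
    # CEO-to-CFO spoof: From claims our domain, return path is elsewhere
    "ceo_spoof": Message("CEO <ceo@example.com>", "attacker@mailer.invalid", "cfo@example.com"),
    # genuine internal mail: From and return path agree
    "internal": Message("ceo@example.com", "ceo@example.com", "cfo@example.com"),
    # Mailchimp-style newsletter sent on our behalf from an ESP's return path
    "newsletter": Message("news@example.com", "bounce-123@esp.invalid", "cfo@example.com"),
    # ordinary external mail that does not claim our domain at all
    "external": Message("friend@other.invalid", "friend@other.invalid", "cfo@example.com"),
}


def evaluate(own_domain="example.com", exceptions=("esp.invalid",)):
    """Return {sample name: (recommended rule hit, general rule hit)}."""
    return {
        name: (spoofs_own_domain(m, own_domain, exceptions), spoofs_recipient_domain(m))
        for name, m in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (rec, gen) in evaluate().items():
        print(f"{name:11s} recommended={rec!s:5s} general={gen}")
```

The newsletter sample shows the caution the page gives: once `esp.invalid` is excepted, the recommended rule stays quiet for it, but the general rule still fires, because the general rule carries no per-domain exception. That is why the page suggests keeping the general rule exception-free and, in a realm that needs exceptions, creating the domain-specific rule there and overriding the general rule's score to 0.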

Spoofing From Other Domains

See Spoofed Addresses