How to block forged senders (planning tactics)

Nikolaos Milas nmilas at noa.gr
Wed Nov 8 14:51:00 CET 2023


Hello guys,

On a postfix-amavis-spamassassin-clamd system (on Rocky Linux 8) serving 
as incoming mail gateway, I would like to try the following to block 
forged senders:

If From: field includes a name belonging to a list of known senders, 
accept the mail only if the mail address in the same field is listed in 
that list.

For example, an incoming mail arrives with a From address:

    From: "John Smith" <mail1234567 at gmail.com>

If my list contains:

    ------ /etc/amavisd/known_senders_list -------

    ... Smith jsmith at example.com,smithj at example.org ...

    ---------------------------------

then I would like to quarantine this mail as spam.

How could I do it?

As an additional/complementary/alternative approach, I would like to 
check the mail body to locate the line with the name which was used in 
From: field (in the above example: John Smith or J. Smith or J Smith), 
and assuming this is the signature line, I would like to check the 
following 5-6 lines to find whether one of them contains the name of our 
organization, as an example: "ACME Productions". If it does, I would 
like to ban (quarantine) the mail if the From: mail address is NOT on 
the acme-productions.com domain. This test could also be assisted by a 
list of Org names and respective domains. For example:

    ------ /etc/amavisd/known_org_list -------

    ... ACME Productions     acme-productions.com ...

    ---------------------------------

The same could be done for other friendly domains (banks, mail/courier 
services, etc).

How can this be done?

I am confident that we could block a good number of spam/phishing 
attacks using the above logic.

Has anyone implemented the above and could provide some example rules (in 
amavis or in SpamAssassin, I would presume)? What is your experience 
with such an approach (or approaches)?

Thanks in advance!

Best regards,
Nick
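As an added illustration of the two checks sketched in this post (my own standalone Python sketch, not code from the post, amavis or SpamAssassin): the first function flags a From display name that carries a listed surname with an address not listed for it; the second looks for the display name (or initial + surname) in the body and, within the next few lines, for a known organisation name whose domain the From address is not on. It assumes the list formats shown in the post, with "@" in place of pipermail's " at ", and all function names and sample data are my own construction.

```python
import re
from email.utils import parseaddr

# Constructed samples of the list formats from the post ("@" replaces pipermail's " at ").
KNOWN_SENDERS_LIST = "Smith jsmith@example.com,smithj@example.org\nDoe jdoe@example.com"
KNOWN_ORG_LIST = "ACME Productions     acme-productions.com"

def parse_known_senders(text):
    """Map surname (lower-case) -> set of addresses that surname may use."""
    table = {}
    for line in text.strip().splitlines():
        surname, addrs = line.split(None, 1)
        table[surname.lower()] = {a.strip().lower() for a in addrs.split(",") if a.strip()}
    return table

def parse_known_orgs(text):
    """Map organisation name (lower-case) -> its legitimate mail domain."""
    table = {}
    for line in text.strip().splitlines():
        org, domain = line.rsplit(None, 1)
        table[org.lower()] = domain.lower()
    return table

def forged_known_sender(from_header, senders):
    """True if the display name carries a listed surname but the address is not listed for it."""
    name, addr = parseaddr(from_header)
    for word in re.findall(r"[A-Za-z'-]+", name):
        listed = senders.get(word.lower())
        if listed is not None and addr.lower() not in listed:
            return True
    return False

def forged_org_signature(from_header, body, orgs, window=6):
    """True if a body line matching the display name (or initial + surname) is followed
    within `window` lines by a known org name while From is not on that org's domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    parts = name.split()
    if not parts:
        return False
    first, last = parts[0], parts[-1]
    variants = {name.lower(), f"{first[0]}. {last}".lower(), f"{first[0]} {last}".lower()}
    lines = body.splitlines()
    for i, line in enumerate(lines):
        if any(v in line.lower() for v in variants):
            for follow in lines[i + 1 : i + 1 + window]:
                for org, org_domain in orgs.items():
                    if org in follow.lower() and domain != org_domain and not domain.endswith("." + org_domain):
                        return True
    return False
```

In production the same logic would sit in a SpamAssassin plugin or an amavis custom hook and reload the two lists from /etc/amavisd rather than from inline strings.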
