How to block forged senders (planning tactics)
Nikolaos Milas
nmilas at noa.gr
Wed Nov 8 14:51:00 CET 2023
Hello guys,
On a postfix-amavis-spamassassin-clamd system (on Rocky Linux 8) serving
as incoming mail gateway, I would like to try the following to block
forged senders:
If the From: field includes a name belonging to a list of known senders,
accept the mail only if the mail address in the same field is listed in
that list.
For example, an incoming mail arrives with a From address:
From: "John Smith" <mail1234567 at gmail.com>
If my list contains:
------ /etc/amavisd/known_senders_list -------
... Smith jsmith at example.com,smithj at example.org ...
---------------------------------
then I would like to quarantine this mail as spam.
How could I do it?
As an additional/complementary/alternative approach, I would like to
check the mail body to locate the line with the name which was used in
the From: field (in the above example: John Smith or J. Smith or J Smith),
and assuming this is the signature line, I would like to check the
following 5-6 lines to find whether one of them contains the name of our
organization, as an example: "ACME Productions". If it does, I would
like to ban (quarantine) the mail if the From: mail address is NOT on
the acme-productions.com domain. This test could also be assisted by a
list of Org names and respective domains. For example:
------ /etc/amavisd/known_org_list -------
... ACME Productions acme-productions.com ...
---------------------------------
The same could be done for other friendly domains (banks, mail/courier
services, etc).
How can this be done?
I am confident that we could block a good number of spam/phishing
attacks using the above logic.
Has anyone implemented the above and could provide some example rules (in
amavis or in SpamAssassin, I would presume)? What is your experience
with such approach(es)?
Thanks in advance!
Best regards,
Nick
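
Added example, not part of the original post and not amavis or SpamAssassin code: the first check described above (display name on the known-senders list, address not on it) written in Python. The list format (one entry per line, "Display Name<TAB>addr1,addr2"), the function names and the sample data are assumptions made for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample list; the "name<TAB>addresses" layout is an assumption.
KNOWN_SENDERS_SAMPLE = """\
# display name<TAB>comma-separated addresses
John Smith\tjsmith@example.com,smithj@example.org
"""

def normalize_name(name):
    """Case-fold, drop punctuation and sort tokens: 'Smith, John' == 'John Smith'."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name)
    return " ".join(sorted(cleaned.casefold().split()))

def load_known_senders(text):
    """Parse the list into {normalized name: set of lower-cased addresses}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, addrs = line.partition("\t")
        known[normalize_name(name)] = {
            a.strip().lower() for a in addrs.split(",") if a.strip()
        }
    return known

def check_from(from_header, known):
    """Return 'forged', 'ok' or 'unknown' for one From: header value."""
    display, addr = parseaddr(from_header)
    try:
        # Decode RFC 2047 encoded-words so an encoded name cannot bypass the lookup.
        display = str(make_header(decode_header(display)))
    except (LookupError, UnicodeError):
        pass  # undecodable name: fall back to the raw text
    allowed = known.get(normalize_name(display))
    if allowed is None:
        return "unknown"  # name is not on the list, so this check has no opinion
    return "ok" if addr.lower() in allowed else "forged"

if __name__ == "__main__":
    senders = load_known_senders(KNOWN_SENDERS_SAMPLE)
    print(check_from('"John Smith" <mail1234567@gmail.com>', senders))
```

Display names are not unique, so a "forged" verdict from a check like this fits better as a score contribution or quarantine trigger than as an outright reject.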