We are trying to mark phishing mails as spam with a simple rule in SpamAssassin. But unfortunately we are unable to get a working check out of it.
Basically, what we are trying to achieve is to catch mails where the sender is not from our domain @example.org but is writing with a faked display name.
Here is an example:
From: "Firstname Lastname <firstname.lastname@example.org>" <fraud@badcompany.com>
So we worked out the following SA rule, which did not work:
# sender address is not in our domain
header __FRAUD_HEADER From =~ /.*@(?!example\.org)/i
# a quoted @example.org address with no further @example.org address after it
body __FRAUD_BODY /".*\@example\.org.*"(?!.*\@example\.org.*$)/i
meta COMPANY_FRAUD (__FRAUD_HEADER && __FRAUD_BODY)
describe COMPANY_FRAUD Fake Sender - Phishing Attempt
score COMPANY_FRAUD 100
Any ideas on why this did not work out?
regex101.com tells us that the regular expression is correct. SpamAssassin is also not complaining about errors.
EDIT: I think I got wrong how they faked the sender. This is an excerpt of how I think they faked/disguised the sender address:
# telnet mail.example.org 25
Trying 10.20.30.40...
Connected to mail.example.org.
Escape character is '^]'.
220 mail.example.org ESMTP
EHLO a.mailserver.com
250-mail.example.org
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:fraud@badcompany.com
250 2.1.0 Ok
RCPT TO: CEO@example.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
TO: CEO@example.org
FROM: "Firstname Lastname" firstname.lastname@example.org
SUBJECT: Something
Spam/Phishing message text goes here
.
250 2.0.0 Ok: queued as 123456789
quit
221 2.0.0 Bye
Connection closed by foreign host.
The proposed solution worked!
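As an added example (not from the original post), here is the From-header check the meta rule is aiming at, written in Python so it can be tested against the two header shapes shown above; PROTECTED_DOMAIN is an assumption standing in for @example.org. The real sender is the address in the last <...> group, and whatever precedes it, even a quoted @example.org address, is only the display name, which is why a body rule never sees it.

```python
import re

# Assumption: the domain being impersonated (the @example.org of the question).
PROTECTED_DOMAIN = "example.org"

# The real sender is the address inside the last <...> pair, if there is one.
_ANGLE_ADDR = re.compile(r"<\s*([^<>\s@]+@[^<>\s]+)\s*>\s*$")
# Any address-shaped token; finds addresses smuggled into the display name.
_ANY_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(header: str) -> tuple[str, str]:
    """Return (display_name, real_address) for a From header value."""
    header = header.strip()
    m = _ANGLE_ADDR.search(header)
    if m:
        # Everything before the final <...> is what the MUA shows as the name,
        # including a quoted string that itself contains an address.
        return header[: m.start()].strip(), m.group(1)
    # No angle brackets: the last @-token is the address, the rest is the name.
    tokens = header.split()
    for i in range(len(tokens) - 1, -1, -1):
        if "@" in tokens[i]:
            return " ".join(tokens[:i] + tokens[i + 1:]), tokens[i]
    return header, ""

def _is_protected(addr: str) -> bool:
    """True if the address's domain is PROTECTED_DOMAIN or a subdomain of it."""
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return domain == PROTECTED_DOMAIN or domain.endswith("." + PROTECTED_DOMAIN)

def is_display_name_spoof(header: str) -> bool:
    """True when the display name carries an @PROTECTED_DOMAIN address while
    the real sender address is outside PROTECTED_DOMAIN."""
    display, real = split_from(header)
    if _is_protected(real):
        return False  # really from our domain: SPF/DKIM/DMARC covers that path
    return any(_is_protected(a) for a in _ANY_ADDR.findall(display))

# Constructed samples: the two header shapes from the question plus a clean one.
SAMPLE_HEADERS = [
    '"Firstname Lastname <firstname.lastname@example.org>" <fraud@badcompany.com>',
    '"Firstname Lastname" firstname.lastname@example.org',
    '"Firstname Lastname" <firstname.lastname@example.org>',
]

def flagged(headers=SAMPLE_HEADERS) -> list[str]:
    """Return the From values this check would mark as display-name spoofing."""
    return [h for h in headers if is_display_name_spoof(h)]
```

Only the first sample is flagged: the second shape from the telnet excerpt has no angle brackets and its real address really is @example.org, so this check cannot catch it; that case is what SPF, DKIM and DMARC alignment are for.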