
We are trying to mark phishing mails as spam with a simple rule in SpamAssassin. But unfortunately we are unable to get a working check out of it.

Basically, what we are trying to achieve is to flag mail where the sender is not from our domain @example.org but is writing with a faked display name.

Here is an example:

From: "Firstname Lastname <firstname.lastname@example.org>" <fraud@badcompany.com>

So we worked out the following SA rule, which did not work:

header __FRAUD_HEADER From =~ /.*@(?!example\.org)/i 
body __FRAUD_BODY /".*\@example\.org.*"(?!.*\@example\.org.*$)/i 
meta COMPANY_FRAUD (__FRAUD_HEADER && __KFRAUD_BODY) 
describe COMPANY_FRAUD Fake Sender - Phishing Attempt 
score COMPANY_FRAUD 100

Any ideas on why this did not work out?

regex101.com tells us that the regular expression is correct. SpamAssassin is also not complaining about errors.

EDIT: I think I got wrong how they faked the sender. This is an excerpt of how I think they faked/disguised the sender address:

# telnet mail.example.org 25
Trying 10.20.30.40...
Connected to mail.example.org.
Escape character is '^]'.
220 mail.example.org ESMTP
EHLO a.mailserver.com
250-mail.example.org
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:fraud@badcompany.com
250 2.1.0 Ok
RCPT TO: CEO@example.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
TO: CEO@example.org
FROM: "Firstname Lastname" firstname.lastname@example.org
SUBJECT: Something
Spam/Phishing message text goes here
.
250 2.0.0 Ok: queued as 123456789
quit
221 2.0.0 Bye
Connection closed by foreign host.

The proposed solution worked!

Daywalker

1 Answer


Your original rules:

header __FRAUD_HEADER From =~ /.*@(?!example\.org)/i 
body __FRAUD_BODY /".*\@example\.org.*"(?!.*\@example\.org.*$)/i 
meta COMPANY_FRAUD (__FRAUD_HEADER && __KFRAUD_BODY) 
describe COMPANY_FRAUD Fake Sender - Phishing Attempt 
score COMPANY_FRAUD 100

Some critiques:

  • I see a typo: your meta rule depends on __KFRAUD_BODY rather than __FRAUD_BODY
  • Those are really expensive. Try not to use look arounds unless you have to
  • I recommend naming your rules after yourself so you can remember they're yours
  • Do you really want those double quotes in the body regex? That might be the issue
  • Is that really supposed to be a body regex? Are you trying to match inline forward metadata?
  • A score of 100 is dangerously high given that your threshold should be between 5-10

How about:

header __DW_NONFRAUD_HEADER  From:addr =~ /\bexample\.org$/i 
body   __DW_FRAUD_BODY       /"[^"]{0,99}\@example\.org\b[^"]{0,99}"(?!.{0,99}\@example\.org\b)/i 
meta     DW_COMPANY_FRAUD    (!__DW_NONFRAUD_HEADER && __DW_FRAUD_BODY) 
describe DW_COMPANY_FRAUD    Fake Sender - Phishing Attempt 
score    DW_COMPANY_FRAUD    3

I've negated your first check and limited it just to the address in the From header (see the revision to the meta rule). I also put in copious word boundary (\b) markers to ensure you don't catch "myexample.org" or "example.org.in" or other oddities. Limitless ranges are very expensive, so I've trimmed them down to 0-99 characters and ensured you don't look too far ahead by preventing them from matching double quotes. I also removed your $ since SpamAssassin collapses all whitespace (line endings may not be where you think they are; it's far better to use \b and similar).

I consider a score of 3 to be very high. Anything else and you might want to consider SA's blacklisting features.

Really, you should ensure you have properly installed and configured SpamAssassin's plugins for DKIM, SPF, and DMARC (which are anti-spoofing technologies that implement much of what you're trying to do), that your DNSBLs and URI DNSBLs are configured properly, and that you're using (and training!) Bayes. Third-party fuzzy lookups like Razor and Pyzor can help catch missed spam as well.

I say these things because this rule is laborious, expensive, and it doesn't scale (you need to create one per domain), but mostly because it does not look efficacious (the target "signature" isn't terribly spammy and you'll get false positives).

Adam Katz
  • Thank you again for your help. Now I figured everything out and your answer worked as well. I just edited the rule as the two underscores were missing in front of the header and body name! Thank you again! – Daywalker Oct 03 '17 at 12:06
  • @Daywalker Re: "I just edited the rule as the two underscores were missing in front of the header and body name!" Thanks for the edit, I've approved it, however, it needs one more vote. – gxx Oct 03 '17 at 12:12
  • Unfortunately I had to disable the rule again, as forwarded messages are a false positive. So I need to check only the FIRST occurrence of the From header in the body and check that. (Solution not yet found.) – Daywalker Oct 05 '17 at 06:15