AW: Quarantine From Header differ From Body
Peter Lemieux
mailscanner at replies.cyways.com
Wed Nov 29 15:34:20 UTC 2017
Are these messages coming in from outside your network but appear to be
coming from people inside? If there are no legitimate reasons why mail
carrying your domain should come from the outside, then the simplest
solution is to block them at the doorstep with either access rules in
sendmail or PCRE rules in Postfix. You can also permit specific addresses,
say mail from an external webserver, while blocking any other mail allegedly
coming from your domain.
Peter
On 11/29/2017 02:26 AM, Braun, Thomas [WEKAL] wrote:
>>> Hello List,
>>>
>>> Is there an option/way to simply quarantine all faked Body-From mails when this differs case-insensitively from the Header-From?
>>
>> What do you mean by faked Body-From Mails as opposed to Header-From?
>>
>> Do you mean the From: header as opposed to the envelope sender? If so, you could probably create SpamAssassin rules to do it, but I think it is a bad idea. Many legitimate emails have a From: header address different from the envelope sender. This reply as you receive it from the list is but one example.
>
> Hi Mark,
>
> We get phishing mails where supposedly one of our own employees writes to another one and wants him to click a link. Not all of our employees are clever enough to check this.
> I am searching for a solution to filter mails with a visible
> From: "MyKnownFellow <fellow at mycompany>" and an invisible envelope <hackedbox at othercompany>
>
> Those mails are getting more and more frequent lately. And they even fake our signature and have better grammar. So it is hard to spot.
> Perhaps there is a better way...
>
>
>
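Added example, not part of the original thread or of MailScanner: a sketch of the policy described in the reply above (quarantine outside mail that claims your own domain in the From: header or envelope, except for explicitly permitted addresses), compared case-insensitively. The domain `mycompany.example`, the allow-list entry, the function names and the `from_outside` flag (which the MTA would have to supply) are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

OWN_DOMAIN = "mycompany.example"              # assumption: your mail domain
ALLOWED_EXTERNAL = {"www@mycompany.example"}  # assumption: e.g. an external webserver


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].strip().lower() if "@" in addr else ""


def classify(envelope_sender, raw_message, from_outside=True):
    """Return 'accept' or 'quarantine' for one message.

    envelope_sender: the SMTP MAIL FROM address as the MTA saw it.
    from_outside: True when the connecting client is not one of your own hosts.
    """
    if not from_outside:
        return "accept"  # internal submission is not judged by this check
    msg = message_from_string(raw_message)
    env = parseaddr(envelope_sender)[1].lower()
    # A From: header may list several mailboxes; check every one of them.
    header_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    claimed = [a for a in header_addrs if domain_of(a) == OWN_DOMAIN]
    if domain_of(env) == OWN_DOMAIN:
        claimed.append(env)
    if not claimed:
        return "accept"  # nothing in the message claims to come from us
    if all(a in ALLOWED_EXTERNAL for a in claimed):
        return "accept"  # only permitted external senders of our domain
    return "quarantine"


# Constructed sample messages (not taken from real traffic).
SPOOF = 'From: "MyKnownFellow" <Fellow@MyCompany.Example>\nSubject: please click\n\nhi\n'
LIST_MAIL = "From: Peter <peter@lists.example>\nSubject: AW: Quarantine\n\nhi\n"
WEB_FORM = "From: Website <www@mycompany.example>\nSubject: contact form\n\nhi\n"

if __name__ == "__main__":
    print(classify("hackedbox@othercompany.example", SPOOF))
    print(classify("list-bounces@lists.example", LIST_MAIL))
    print(classify("www@mycompany.example", WEB_FORM))
```

Mail from your own users that comes back through an external mailing list also arrives from outside with your domain in the From: header, so this check quarantines it as well.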