Szerteszana²

grin agymenései

Archívum Október 2020

[geek admin only] Banki spamek + spamassassin

2020-10-27 21:41 írta grin

Ez most csak az adminoknak szól, akik spamassassint használnak.

Nagy mennyiségű magyar bankos phishing indult mostanában. Közösségi jócselekedetként megosztom ez a configot. Az /etc/spamassassin/hubank.cf file-ba lehet pl. beírni.

(UPDATED: 2020/11/04)

#$Id: rule_hubank_hu.cf,v 6413efa4969d 2020/11/04 12:52:50 grin $

## hungarian fake bank email

if (version >= 3.004002)
 ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (HUBANK) *@mkb.hu *@raiffeisen.hu
enlist_addrlist (HUBANK) *@otpbank.hu *@otp.hu
enlist_addrlist (HUBANK) *@budapestbank.hu
enlist_addrlist (HUBANK) *@cib.hu
enlist_addrlist (HUBANK) *@erstebank.hu
enlist_addrlist (HUBANK) *@kh.hu
enlist_addrlist (HUBANK) *@unicreditbank.hu
reuse  _FROM_ADDRLIST_HUBANKS
reuse  FROM_HUBANK_FAKE_RP

header          __FROM_ADDRLIST_HUBANKS  eval:check_from_in_list('HUBANK')
describe        __FROM_ADDRLIST_HUBANKS         Felado egy magyar bank

header          __EFROM_FROM_COUNTRY_HU  X-Envelope-from =~ /\@.+?\.hu>$/i
describe        __EFROM_FROM_COUNTRY_HU  X-Envelope-from address from .HU
score           __EFROM_FROM_COUNTRY_HU  -0.1

header          FROM_FROM_COUNTRY_HU    ALL =~ /^From +\S+\@\S+?\.hu\s/
describe        FROM_FROM_COUNTRY_HU    From " " hu
score           FROM_FROM_COUNTRY_HU    -0.01

## ehhez szükséges a  loadplugin Mail::SpamAssassin::Plugin::RelayCountry
## az init.pre file-ban.
header          RELAYCOUNTRY_BAD        X-Relay-Countries =~ /CN|KR|RU/
describe        RELAYCOUNTRY_BAD        Relayed through China/Korea/Russia at some point
score           RELAYCOUNTRY_BAD        2.0

header          RELAYCOUNTRY_HU         X-Relay-Countries =~ /^HU/
describe        RELAYCOUNTRY_HU         First untrusted relay is in Hungary
score           RELAYCOUNTRY_HU         -1.0

meta            FROM_HUBANK_FAKE_RP0    __FROM_ADDRLIST_HUBANKS && !__ENV_AND_HDR_FROM_MATCH
describe        FROM_HUBANK_FAKE_RP0    Hamisitott magyar bank email, eltero sender/from
score           FROM_HUBANK_FAKE_RP0    2.57

meta            FROM_HUBANK_FAKE_RP1    __FROM_ADDRLIST_HUBANKS && !__EFROM_FROM_COUNTRY_HU
describe        FROM_HUBANK_FAKE_RP1     Hamisitott magyar bank email (nem .hu)
score           FROM_HUBANK_FAKE_RP1     4.66

meta            FROM_HUBANK_FAKE_RP2    __FROM_ADDRLIST_HUBANKS && !RELAYCOUNTRY_HU
describe        FROM_HUBANK_FAKE_RP2     Hamisitott magyar bank email (nem magyar relay)
score           FROM_HUBANK_FAKE_RP2     6.66

meta            FROM_HUBANK_FAKE_RP3    __FROM_ADDRLIST_HUBANKS && RELAYCOUNTRY_BAD
describe        FROM_HUBANK_FAKE_RP3     Hamisitott magyar bank email (spamorszag relay)
score           FROM_HUBANK_FAKE_RP3     6.66

 endif
endif

Jószerencsét!

Szerteszana²

[geek admin only] Banki spamek + spamassassin

Categories

Archive

Links