80_phishing.cf
#
# Try to stop known phishing attempts
#
# ING
#
# Domains:
#   ing.be         in use
#   ing.nl         in use
#   ingbank.nl     in use
#   ingbank.com    in use
#   mail.ing.nl    in use
#   postbank.nl    old domain with a closed SPF record
#   ingservice.nl  hosted for redirect purposes
#
# Scoring model: a From address in one of these domains adds 2.0, and the
# same amount is removed again when the Return-Path address is in an ING
# domain and SPF passed.  ingservice.nl appears in the From list only, so
# mail claiming to come from it is never offset.
#
# NOTE(review): the offset is only as good as the link between the
# Return-Path header and the envelope sender that SPF_PASS was computed for
# (SPF_PASS is defined outside this file).  Confirm that the MTA writes
# Return-Path itself and discards any copy supplied by the sender;
# SpamAssassin's EnvelopeFrom pseudo-header is the alternative.
header    PHISH_FROM_ING        From:addr =~ /\@(mail\.ing\.nl|ing\.nl|ing\.be|ingbank\.nl|ingbank\.com|postbank\.nl|ingservice\.nl)$/i
describe  PHISH_FROM_ING        Trigger on phishing mails
score     PHISH_FROM_ING        2.0

header    __UNPHISH_FROM_ING_A  Return-Path:addr =~ /\@(mail\.ing\.nl|ing\.nl|ing\.be|ingbank\.nl|ingbank\.com|postbank\.nl)$/i
meta      UNPHISH_FROM_ING      ( __UNPHISH_FROM_ING_A && SPF_PASS )
describe  UNPHISH_FROM_ING      Untrigger on valid mails
score     UNPHISH_FROM_ING      -2.0

# Fixed subject phrases; the match is case-sensitive and independent of the
# sender rules above.
header    PHISH_SBJ_ING         Subject =~ /(ING Verificatie|ING Status Notification|ING Account Referentie)/
describe  PHISH_SBJ_ING         Some known phishing subjects
score     PHISH_SBJ_ING         0.5
# ABN AMRO
#
# Domains:
#   abnamro.nl
#   nl.abnamro.com
#
# +2.0 for a From address in either domain, offset by -2.0 when the
# Return-Path address is in the same set and SPF_PASS fired.  The patterns
# are anchored on "@" and end of string, so other subdomains are not covered.
# NOTE(review): SPF_PASS is defined outside this file; the offset assumes the
# Return-Path header reflects the envelope sender SPF evaluated - confirm.
header    PHISH_FROM_ABNAMRO        From:addr =~ /\@(abnamro\.nl|nl\.abnamro\.com)$/i
describe  PHISH_FROM_ABNAMRO        Trigger on phishing mails
score     PHISH_FROM_ABNAMRO        2.0

header    __UNPHISH_FROM_ABNAMRO_A  Return-Path:addr =~ /\@(abnamro\.nl|nl\.abnamro\.com)$/i
meta      UNPHISH_FROM_ABNAMRO      ( __UNPHISH_FROM_ABNAMRO_A && SPF_PASS )
describe  UNPHISH_FROM_ABNAMRO      Untrigger on valid mails
score     UNPHISH_FROM_ABNAMRO      -2.0
# Rabobank
#
# Domains:
#   rabobank.nl
#
# +2.0 for a From address at rabobank.nl, offset by -2.0 when the
# Return-Path address is at rabobank.nl and SPF_PASS fired.
# NOTE(review): SPF_PASS is defined outside this file; the offset assumes the
# Return-Path header reflects the envelope sender SPF evaluated - confirm.
header    PHISH_FROM_RABOBANK        From:addr =~ /\@rabobank\.nl$/i
describe  PHISH_FROM_RABOBANK        Trigger on phishing mails
score     PHISH_FROM_RABOBANK        2.0

header    __UNPHISH_FROM_RABOBANK_A  Return-Path:addr =~ /\@rabobank\.nl$/i
meta      UNPHISH_FROM_RABOBANK      ( __UNPHISH_FROM_RABOBANK_A && SPF_PASS )
describe  UNPHISH_FROM_RABOBANK      Untrigger on valid mails
score     UNPHISH_FROM_RABOBANK      -2.0
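# Vodafone
#
# Domains:
#   vodafone.nl
#   vodafone.com
#   bounce.e-nieuwsbrief.vodafone.nl  (covered by the *.vodafone.nl alternative)
#
# +2.0 for a From address in a Vodafone domain, offset by -2.0 when the
# Return-Path address is in the same set and the message carries a valid
# DKIM signature from the author (From) domain.
#
# The offset uses DKIM_VALID_AU, not DKIM_VALID.  DKIM_VALID is true for any
# signature that verifies, whichever domain made it, so on its own it says
# nothing about Vodafone, and nothing else in this pair authenticates the
# Return-Path.  DKIM_VALID_AU ties the signature to the From domain that
# PHISH_FROM_VODAFONE matched on.
# NOTE(review): confirm against genuine Vodafone mail that it is signed by
# the From domain; mail signed only by a third-party sending service will
# keep the 2.0 with this rule.
header    PHISH_FROM_VODAFONE        From:addr =~ /\@(vodafone\.nl|vodafone\.com|.*\.vodafone\.nl)$/i
describe  PHISH_FROM_VODAFONE        Trigger on phishing mails
score     PHISH_FROM_VODAFONE        2.0

header    __UNPHISH_FROM_VODAFONE_A  Return-Path:addr =~ /\@(vodafone\.nl|vodafone\.com|.*\.vodafone\.nl)$/i
meta      UNPHISH_FROM_VODAFONE      ( __UNPHISH_FROM_VODAFONE_A && DKIM_VALID_AU )
describe  UNPHISH_FROM_VODAFONE      Untrigger on valid mails
score     UNPHISH_FROM_VODAFONE      -2.0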
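# PostNL
#
# Domains:
#   postnl.nl
#   postnlinfo.eu
#
# +2.0 for a From address in either domain, offset by -2.0 when the
# Return-Path address is in the same set and SPF_PASS fired.
# NOTE(review): SPF_PASS is defined outside this file; the offset assumes the
# Return-Path header reflects the envelope sender SPF evaluated - confirm.
header    PHISH_FROM_POSTNL        From:addr =~ /\@(postnl\.nl|postnlinfo\.eu)$/i
describe  PHISH_FROM_POSTNL        Trigger on phishing mails
score     PHISH_FROM_POSTNL        2.0

header    __UNPHISH_FROM_POSTNL_A  Return-Path:addr =~ /\@(postnl\.nl|postnlinfo\.eu)$/i
meta      UNPHISH_FROM_POSTNL      ( __UNPHISH_FROM_POSTNL_A && SPF_PASS )
describe  UNPHISH_FROM_POSTNL      Untrigger on valid mails
score     UNPHISH_FROM_POSTNL      -2.0

# Body text is tested with the "rawbody" rule type.  Written as
# "header NAME rawbody =~ /.../" the rule would test a header field literally
# named "rawbody" and never fire.
# rawbody sees the decoded text with markup and line breaks still in place,
# so a phrase split by a tag or a line wrap does not match.
# NOTE(review): this rule now contributes its 0.5; re-check totals against
# legitimate PostNL mail before deploying.
rawbody   PHISH_BODY_POSTNL        /Beste Online Postnl Customer/
describe  PHISH_BODY_POSTNL        Some known phishing subjects
score     PHISH_BODY_POSTNL        0.5

# Case-sensitive subject phrase.
header    PHISH_SBJ_POSTNL         subject =~ /uw pakket is beschikbaar hier is uw nummer:/
describe  PHISH_SBJ_POSTNL         Some known phishing subjects
score     PHISH_SBJ_POSTNL         0.5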
# SNS Bank
#
# Domains:
#   snsbank.nl
#
# A From address at snsbank.nl adds 3.5; the offset for a matching
# Return-Path with SPF_PASS is -2.0, so mail that passes the check still
# keeps 1.5 from the sender rule.
# NOTE(review): the other sender rules in this file use 2.0 / -2.0; confirm
# the residual 1.5 is intended.
# NOTE(review): SPF_PASS is defined outside this file; the offset assumes the
# Return-Path header reflects the envelope sender SPF evaluated - confirm.
header    PHISH_FROM_SNSBANK        From:addr =~ /\@snsbank\.nl$/i
describe  PHISH_FROM_SNSBANK        Trigger on phishing mails
score     PHISH_FROM_SNSBANK        3.5

# The four PHISH_BODY_SNSBANK_* rules test the Subject header, not the body,
# despite their names.  Each adds 0.5 and they are independent of the sender
# rules, so a subject containing several of the phrases accumulates.
header    PHISH_BODY_SNSBANK_1      subject =~ /SNS Bank/i
describe  PHISH_BODY_SNSBANK_1      Trigger on phishing mails
score     PHISH_BODY_SNSBANK_1      0.5

header    PHISH_BODY_SNSBANK_2      subject =~ /digipas/i
describe  PHISH_BODY_SNSBANK_2      Trigger on phishing mails
score     PHISH_BODY_SNSBANK_2      0.5

header    PHISH_BODY_SNSBANK_3      subject =~ /Mijn SNS/i
describe  PHISH_BODY_SNSBANK_3      Trigger on phishing mails
score     PHISH_BODY_SNSBANK_3      0.5

header    PHISH_BODY_SNSBANK_4      subject =~ /SNS Mobiel/i
describe  PHISH_BODY_SNSBANK_4      Trigger on phishing mails
score     PHISH_BODY_SNSBANK_4      0.5

header    __UNPHISH_FROM_SNSBANK_A  Return-Path:addr =~ /\@snsbank\.nl$/i
meta      UNPHISH_FROM_SNSBANK      ( __UNPHISH_FROM_SNSBANK_A && SPF_PASS )
describe  UNPHISH_FROM_SNSBANK      Untrigger on valid mails
score     UNPHISH_FROM_SNSBANK      -2.0
# Knab
#
# Domains:
#   knab.nl
#
# +2.0 for a From address at knab.nl, offset by -2.0 when the Return-Path
# address is at knab.nl and SPF_PASS fired.
# NOTE(review): SPF_PASS is defined outside this file; the offset assumes the
# Return-Path header reflects the envelope sender SPF evaluated - confirm.
header    PHISH_FROM_KNAB        From:addr =~ /\@knab\.nl$/i
describe  PHISH_FROM_KNAB        Trigger on phishing mails
score     PHISH_FROM_KNAB        2.0

header    __UNPHISH_FROM_KNAB_A  Return-Path:addr =~ /\@knab\.nl$/i
meta      UNPHISH_FROM_KNAB      ( __UNPHISH_FROM_KNAB_A && SPF_PASS )
describe  UNPHISH_FROM_KNAB      Untrigger on valid mails
score     UNPHISH_FROM_KNAB      -2.0
# email.nl
#
# Domain:
#   email.nl
#
# +2.0 for a From address at email.nl, offset by -2.0 when the Return-Path
# address is at email.nl and SPF_PASS fired.
# NOTE(review): SPF_PASS is defined outside this file; the offset assumes the
# Return-Path header reflects the envelope sender SPF evaluated - confirm.
header    PHISH_FROM_EMAILNL        From:addr =~ /\@(email\.nl)$/i
describe  PHISH_FROM_EMAILNL        Trigger on phishing mails
score     PHISH_FROM_EMAILNL        2.0

header    __UNPHISH_FROM_EMAILNL_A  Return-Path:addr =~ /\@(email\.nl)$/i
meta      UNPHISH_FROM_EMAILNL      ( __UNPHISH_FROM_EMAILNL_A && SPF_PASS )
describe  UNPHISH_FROM_EMAILNL      Untrigger on valid mails
score     UNPHISH_FROM_EMAILNL      -2.0
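# Apple
#
# Keyword scoring only; this section has no offsetting UNPHISH rule.
#
# The two sender rules match "apple" anywhere in the address, local part
# included, which is why they carry only 0.2 each.
header    PHISH_FROM_APPLE1  From:addr =~ /apple/i
describe  PHISH_FROM_APPLE1  Trigger on phishing mails
score     PHISH_FROM_APPLE1  0.2

header    PHISH_FROM_APPLE2  Return-Path:addr =~ /apple/i
describe  PHISH_FROM_APPLE2  Trigger on phishing mails
score     PHISH_FROM_APPLE2  0.2

# Body text is tested with the "rawbody" rule type.  Written as
# "header NAME rawbody =~ /.../" a rule would test a header field literally
# named "rawbody" and never fire.
# rawbody sees the decoded text with markup and line breaks still in place,
# so a phrase split by a tag or a line wrap does not match.  The patterns
# below are case-sensitive.
# NOTE(review): the four body rules add up to 3.2 when all match, and the
# phrases also occur in legitimate mail; re-check totals against a ham
# corpus before deploying.
rawbody   PHISH_BODY_APPLE1  /(Apple ID|Apple Profile)/
describe  PHISH_BODY_APPLE1  Some known phishing keywords
score     PHISH_BODY_APPLE1  0.8

rawbody   PHISH_BODY_APPLE2  /(Apple iCloud ID|Apple iCloud Profile|iCloud ID|iCloud Account|iCloud Profile)/
describe  PHISH_BODY_APPLE2  Some known phishing keywords
score     PHISH_BODY_APPLE2  0.8

rawbody   PHISH_BODY_APPLE3  /(iTunes ID|iTunes Profile)/
describe  PHISH_BODY_APPLE3  Some known phishing keywords
score     PHISH_BODY_APPLE3  0.8

# Grouped under Apple by name only; the pattern itself is not Apple-specific.
rawbody   PHISH_BODY_APPLE4  /(KYC|Know Your Customer)/
describe  PHISH_BODY_APPLE4  Some known phishing keywords
score     PHISH_BODY_APPLE4  0.8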
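# CJIB
#
# Keyword scoring only; this section has no offsetting UNPHISH rule.
#
# The sender rules match "cjib" anywhere in the address, local part included.
header    PHISH_FROM_CJIB1      From:addr =~ /cjib/i
describe  PHISH_FROM_CJIB1      Trigger on phishing mails
score     PHISH_FROM_CJIB1      0.2

header    PHISH_FROM_CJIB2      Return-Path:addr =~ /cjib/i
describe  PHISH_FROM_CJIB2      Trigger on phishing mails
score     PHISH_FROM_CJIB2      0.2

# Subject of the form "Betaalverzoek inzake CJIB <digits>".
header    PHISH_SUBJ_CJIB1      Subject =~ /Betaalverzoek inzake CJIB \d+/i
describe  PHISH_SUBJ_CJIB1      Trigger on phishing mails
score     PHISH_SUBJ_CJIB1      0.2

# Body combination: (the agency's full name OR "CJIB") AND "BKR".
# The sub-rules use the "rawbody" rule type.  Written as
# "header NAME rawbody =~ /.../" they would test a header field literally
# named "rawbody", never match, and leave the meta rule permanently false.
# All three patterns are unanchored and case-insensitive, so "BKR" and
# "CJIB" also match inside longer strings.
# NOTE(review): this meta rule now contributes its 0.8; re-check totals
# against legitimate mail before deploying.
rawbody   __PHISH_BODY_CJIB1_A  /Centraal Justitieel Incassobureau/i
rawbody   __PHISH_BODY_CJIB1_B  /CJIB/i
rawbody   __PHISH_BODY_CJIB1_C  /BKR/i
meta      PHISH_BODY_CJIB1      ( ( __PHISH_BODY_CJIB1_A || __PHISH_BODY_CJIB1_B ) && __PHISH_BODY_CJIB1_C )
describe  PHISH_BODY_CJIB1      Trigger on phishing mails
score     PHISH_BODY_CJIB1      0.8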
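# Windows
#
# Body combination: (a PaySafe variant OR "spoedoverboeking"/"incassokosten")
# AND "Windows".
# The sub-rules use the "rawbody" rule type.  Written as
# "header NAME rawbody =~ /.../" they would test a header field literally
# named "rawbody", never match, and leave the meta rule permanently false.
# All three patterns are unanchored and case-insensitive; the first
# alternative of _A already matches the two longer spellings.
# NOTE(review): this meta rule now contributes its 0.8; re-check totals
# against legitimate mail before deploying.
rawbody   __PHISH_BODY_WINDOWS1_A  /(PaySafe|PaySafe card|PaySafecard)/i
rawbody   __PHISH_BODY_WINDOWS1_B  /(spoedoverboeking|incassokosten)/i
rawbody   __PHISH_BODY_WINDOWS1_C  /Windows/i
meta      PHISH_BODY_WINDOWS1      ( ( __PHISH_BODY_WINDOWS1_A || __PHISH_BODY_WINDOWS1_B ) && __PHISH_BODY_WINDOWS1_C )
describe  PHISH_BODY_WINDOWS1      Trigger on phishing mails
score     PHISH_BODY_WINDOWS1      0.8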