Block email body expression

jacksonvld

New Member
Jun 22, 2020
Hello, good afternoon. I am receiving several phishing emails.

Is it possible to create a rule to block emails based on an expression in the body of the email?

For example: Click here.

I found how to do it by the sender, by the subject, but I couldn't find it by the body of the email.


Thank you in advance for your help.
 
Good Morning. My mailboxes were breached and triggered several emails just like the one I want to block.


Date: Tue, 20 Oct 2020 06:00:15 -0400 (AMT)
From: Grupo Zimbra <sgel@al.mt.gov.br>
Bcc: danilo.cavalcanti@dislubequador.com.br, diego.targino@dislubequador.com.br
Message-ID: <892189254.84361.1603188015044.JavaMail.zimbra@al.mt.gov.br>
Subject:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_d452a426-19be-4153-a851-6239ff12d501"

--=_d452a426-19be-4153-a851-6239ff12d501
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Sua senha da caixa de correio expirar=C3=A1 hoje. para manter sua senha. [ =
https://credenciamentobh.creatorlink.net/ | CLIQUE AQUI para atualizar e en=
viar ] imediatamente.=20

--=_d452a426-19be-4153-a851-6239ff12d501
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"font-family: arial,helvetica,sans-serif; font-siz=
e: 12pt; color: #000000"><div> <!--StartFragment--><span style=3D"color: #0=
00000; font-family: arial,helvetica,sans-serif; font-size: 16px;" data-mce-=
style=3D"color: #000000; font-family: arial,helvetica,sans-serif; font-size=
: 16px;">Sua senha da caixa de correio expirar=C3=A1 hoje. para manter sua =
senha.&nbsp;</span><a href=3D"https://credenciamentobh.creatorlink.net/" st=
yle=3D"font-family: arial,helvetica,sans-serif; font-size: 16px;" target=3D=
"_blank" data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://cre=
denciamentobh.creatorlink.net/&amp;source=3Dgmail&amp;ust=3D160327217394700=
0&amp;usg=3DAFQjCNEZ1J_X8bvAOeSknmyiJNjsZ7vUxw" rel=3D"noopener" data-mce-h=
ref=3D"https://credenciamentobh.creatorlink.net/" data-mce-style=3D"font-fa=
mily: arial,helvetica,sans-serif; font-size: 16px;">CLIQUE AQUI para atuali=
zar e enviar</a><span style=3D"color: #000000; font-family: arial,helvetica=
,sans-serif; font-size: 16px;" data-mce-style=3D"color: #000000; font-famil=
y: arial,helvetica,sans-serif; font-size: 16px;">&nbsp;imediatamente.&nbsp;=
</span>&nbsp;&nbsp;<!--EndFragment--> </div></div></body></html>
--=_d452a426-19be-4153-a851-6239ff12d501--
 
Gentlemen, reading the documentation, I understand that I need to use SpamAssassin to block expressions in the body of the email.

I am trying this configuration.

################################################################
ifplugin Mail::SpamAssassin::Plugin::Phishing

phishing_openphish_feed /etc/mail/spamassassin/openphish-feed.txt
phishing_phishtank_feed /etc/mail/spamassassin/phishtank-feed.csv

body URI_PHISHING eval:check_phishing()
describe URI_PHISHING Url match phishing in feed
score URI_PHISHING 0 2.4 0 2.5

body TEST_RULE /\bclique\b/i
describe TEST_RULE Regra 01
score TEST_RULE 2.5


endif
###################################################################

Has anyone done this type of blocking?
 
Option 1: PMG's mail filter does not support email body checking. Create a custom template to use Postfix's body_checks.
Create your own body_checks file with regexes for reject/discard. Add the line below to your custom main.cf.

Code:
body_checks = regexp:/etc/postfix/body_checks

https://www.linuxbabe.com/mail-server/block-email-spam-check-header-body-with-postfix-spamassassin

Remember to remove no_header_body_checks from /etc/postfix/master.cf. You will lose the ability to quarantine and check the emails blocked by body_checks in the Tracking Center.
 
Option 2: To use SpamAssassin, create your custom SpamAssassin rule under /etc/mail/spamassassin/custom.cf.
Remember to run service pmg-smtp-filter restart to restart the SpamAssassin service.

Code:
body         test1    /test/i
describe     test1    test1
score         test1     0.5

Send a test mail with "test" as the body and check the spam score.

Code:
X-SPAM-LEVEL: Spam detection results:  0
    AWL                     0.137 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HTML_MESSAGE            0.001 HTML included in message
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    TVD_SPACE_RATIO         0.001 -
    test1                     0.5 test1

--0000000000009cefbb05b21bed34
Content-Type: text/plain; charset="UTF-8"

test

--0000000000009cefbb05b21bed34
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">test<br></div>

--0000000000009cefbb05b21bed34--
 
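The two options above put a body regex in different places: Postfix body_checks (Option 1) sees the raw message one line at a time, before any MIME decoding, while a SpamAssassin body rule in custom.cf (Option 2) runs on the decoded body text. The script below is an added illustration, not code from this thread, from Proxmox or from SpamAssassin: it simulates both behaviours against a constructed message modelled on the quoted phishing mail (sender and URL replaced with placeholders) and parses the custom.cf `body`/`score` syntax used in the thread to compute a score. The MIME handling, tag stripping and rule parser are simplified approximations of what the real tools do.

```python
import re
from email import message_from_bytes, policy

# Constructed sample, modelled on the phishing mail quoted in the thread
# (sender and URL replaced with placeholders): a quoted-printable body whose
# soft line break falls inside the word "enviar" and whose accented character
# in "expirará" is encoded as =C3=A1.
SAMPLE_RAW = b"""From: Grupo Zimbra <sender@example.invalid>
To: user@example.invalid
Subject: Aviso
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Sua senha da caixa de correio expirar=C3=A1 hoje. para manter sua senha. [ =
https://phish.example.invalid/ | CLIQUE AQUI para atualizar e en=
viar ] imediatamente.=20
"""

# Rules in the custom.cf syntax used in the thread (constructed copy; the
# second rule is added to show the soft-line-break case).
CUSTOM_CF = r"""
body TEST_RULE /\bclique\b/i
describe TEST_RULE Regra 01
score TEST_RULE 2.5

body PT_ENVIAR /\benviar\b/i
describe PT_ENVIAR word split by a quoted-printable soft line break
score PT_ENVIAR 1.0
"""


def postfix_body_checks(raw: bytes, pattern: str) -> bool:
    """Approximate Postfix body_checks: the regexp is applied to each raw body
    line separately, before any MIME decoding (case-insensitive by default)."""
    regex = re.compile(pattern, re.IGNORECASE)
    _, _, body = raw.partition(b"\n\n")          # skip the header block
    return any(regex.search(line.decode("latin-1")) for line in body.splitlines())


def decoded_body_text(raw: bytes) -> str:
    """Approximate what a SpamAssassin 'body' rule sees: the MIME-decoded text
    part with soft line breaks joined, HTML tags stripped, whitespace collapsed."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    if part is not None and part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)     # crude tag stripping
    return re.sub(r"\s+", " ", text).strip()


def spamassassin_body_rule(raw: bytes, pattern: str, flags: int = re.IGNORECASE) -> bool:
    """Match one pattern against the decoded body, like a custom.cf body rule."""
    return re.search(pattern, decoded_body_text(raw), flags) is not None


_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}
_BODY_LINE = re.compile(r"^\s*body\s+(\w+)\s+/(.*)/([a-z]*)\s*$")
_SCORE_LINE = re.compile(r"^\s*score\s+(\w+)\s+(-?\d+(?:\.\d+)?)")


def parse_body_rules(cf_text: str) -> dict:
    """Parse 'body NAME /regex/flags' and 'score NAME value' lines into
    {NAME: (compiled_regex, score)}; 'describe' lines are ignored."""
    patterns, scores = {}, {}
    for line in cf_text.splitlines():
        if m := _BODY_LINE.match(line):
            name, regex, flag_chars = m.groups()
            flags = 0
            for ch in flag_chars:
                flags |= _FLAGS.get(ch, 0)
            patterns[name] = re.compile(regex, flags)
        elif m := _SCORE_LINE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return {n: (rx, scores.get(n, 1.0)) for n, rx in patterns.items()}


def score_message(raw: bytes, rules: dict):
    """Return (total_score, [names of rules that hit]) for the decoded body."""
    text = decoded_body_text(raw)
    hits = [name for name, (rx, _) in rules.items() if rx.search(text)]
    return sum(rules[n][1] for n in hits), hits


if __name__ == "__main__":
    print("postfix body_checks, clique :", postfix_body_checks(SAMPLE_RAW, r"\bclique\b"))
    print("postfix body_checks, enviar :", postfix_body_checks(SAMPLE_RAW, r"\benviar\b"))
    print("spamassassin body,   enviar :", spamassassin_body_rule(SAMPLE_RAW, r"\benviar\b"))
    print("custom.cf score            :", score_message(SAMPLE_RAW, parse_body_rules(CUSTOM_CF)))
```

Run it as a script to see the difference: `clique` is found by both approaches, but `enviar` (split over a soft line break) and `expirará` (encoded as `=C3=A1`) are only found on the decoded text. The quoted phishing mail shows the same thing: the URL host is whole in the text/plain part but split as `cre=` / `denciamentobh` in the HTML part. A body_checks pattern therefore only reliably catches strings that survive quoted-printable encoding on a single line, whereas a custom.cf body rule matches the rendered wording, which is why the Option 2 route is the better fit for a phrase like "CLIQUE AQUI".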
@hata_ph,
Thanks for the help. I did both settings, I found receiving the emails in quarantine, but I also received them in the inbox.
See my confs:

Master.cf (screenshot: master.png)

Main.cf (screenshot: main.png)

File body_checks (screenshot: body_checks.png)

Custom.cf (screenshot: custom.png)
 
Hi everyone,

I also needed this, and what @hata_ph wrote in comment #6 worked for me.

So:
  1. Create the /etc/mail/spamassassin/custom.cf file if you haven't already
  2. Make the changes based on his/her comment
  3. Restart the PMG SMTP filter service with service pmg-smtp-filter restart
  4. Check its status to be sure everything is okay: service pmg-smtp-filter status

Thanks hata_ph!
 