Maintain state between filter rules

Richard Goode

May 29, 2019
Hi all,

Is there a way to maintain some state between mail filter rules? I've had a look through pmg-smtp-filter and I can see that all actions get applied at the end after their conditions have been evaluated.

What I want to achieve is an "impersonation" filter. My logic is :

Code:
if (header("from") == ceo-names-who-object) {        // from matches list of regexes of important people
    if (header("from") != ceo-emails-who-object) {   // from does not match list of valid email addresses for the important people
        mark subject with warning
    }
}

My hope was that I could create 3 rules to do this, setting an X-header to maintain state between them (i.e. if it matches the list of CEO names, set X-Name header; if it doesn't match the list of valid CEO emails, set X-Email header; if X-Name=true && X-Email=false then send warning), but after digging through pmg-smtp-filter I see the last step won't work (headers aren't set until all rules are evaluated).

I believe it would really open possibilities if we could use the rules (or some other mechanism) to easily script complex conditions. Any thoughts on how I can achieve this other than writing my own filter?

Thanks,
Richard
 
hmm - one question that comes to mind is - what do you gain by such a filter?
* the From-header can be easily written by any client which sends mail - and if someone maliciously writes a mail where they change the 'Fullname' in the from header to impersonate an important person, what should stop them from changing the e-mail address in the same line/header itself?
* the from-header is nothing which can be used for authentication (smtp-auth, when the mailer writes an appropriate header could be used for that, but again - there's many legitimate scenarios where the auth-user is different from the from-header)

However, stateful rules are indeed not currently possible in PMG.

I hope this helps!
 
Hi Stoiko.

We have had some cases where an attacker has sent emails pretending to be our CEO. I'm sure you're familiar - the email is sent to someone in finance stating that we must pay this overseas supplier urgently, etc etc. The emails we've seen employ two methods:

Assume the CEO is "Joe Smith"

1. Forged From. The From header of the message says something like
From: <attacker@gmail.com> "Joe Smith"
2. Forged reply-to.
From: <joe.smith@mycompany.com> "Joe Smith"
Reply-to: <attacker@gmail.com>
Certain mail clients (Outlook for example) will show the mail as from "Joe Smith" and in our case, the finance person exchanged a couple of emails with the attacker before realising it was a fake.

The filter I'm trying to create (which I have done previously on Ironports) is this:

Code:
if ("From" ~= "(?i)joe.*smith")                                 // display name looks like the CEO
{
    if ("Reply-to") && ! ("Reply-to" == [legitimate emails for joe smith])   // Reply-to present but not one of his addresses
        mark as spam;
    else if ! ("From" == [legitimate emails for joe smith])      // From address is not one of his addresses
        mark as spam;
}


Obviously we'd have to create multiple rules for each C-level, which actually became a pain to manage, so I compromised with a generic filter like this:

Code:
if ("From" ~= [list of protected name regexes])
{
    if ("Reply-to") && ! ("Reply-to" == [list of acceptable emails])
        mark as spam;
    else if ! ("From" == [list of acceptable emails])
        mark as spam;
}

The compromise being that technically I could send an email "from" a protected name using the reply-to address for a different protected name's email, but I'm happy with that to keep the rule simple.

For this to work, I need 2 lists:

1. A list of "protected name" regexes
2. A list of legitimate emails for those protected names

So if someone sends mail "From:" joe smith, but the reply-to is "attacker@gmail.com" then it gets flagged.

Regards,
Richard
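The generic rule from the post above (protected-name regexes plus a list of acceptable addresses, with the Reply-To checked before the From address), written out in Python as an added example that is not part of the thread and not PMG or Ironport code. It goes slightly beyond the posted pseudocode in one respect: the From address is checked even when a legitimate Reply-To is present, so a forged From with a genuine Reply-To is also caught. The name patterns, address list, domains and sample messages are all constructed for the example; real headers are written in the standard "Display Name" <address> order.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed lists (assumptions for this example): regexes for protected
# display names, and the only addresses those people legitimately send from.
PROTECTED_NAME_PATTERNS = [
    re.compile(r"(?i)joe.*smith"),
    re.compile(r"(?i)jane.*doe"),
]
ACCEPTABLE_ADDRESSES = {
    "joe.smith@mycompany.com",
    "jane.doe@mycompany.com",
}
WARNING_TAG = "[WARNING: possible impersonation]"


def check_impersonation(raw_message: str):
    """Return a reason string when the message trips the impersonation rule, else None.

    Rule: the From header matches a protected name, AND either the Reply-To
    (if present) or the From address is not one of the acceptable addresses.
    """
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    if not any(p.search(from_header) for p in PROTECTED_NAME_PATTERNS):
        return None  # not a protected name, the rule does not apply

    # Reply-To may carry several addresses; any foreign one is enough to flag.
    reply_to = msg.get("Reply-To")
    if reply_to is not None:
        for _name, addr in getaddresses([reply_to]):
            if addr.lower() not in ACCEPTABLE_ADDRESSES:
                return f"protected name with foreign Reply-To {addr}"

    from_addr = parseaddr(from_header)[1].lower()
    if from_addr not in ACCEPTABLE_ADDRESSES:
        return f"protected name with foreign From address {from_addr or '<none>'}"
    return None


def mark_subject(raw_message: str) -> str:
    """Return the message with the warning tag prepended to Subject when the rule fires,
    otherwise the message unchanged (the 'mark subject with warning' action)."""
    if check_impersonation(raw_message) is None:
        return raw_message
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = f"{WARNING_TAG} {subject}".strip()
    return msg.as_string()


# Constructed sample messages mirroring the two attacks described in the thread.
FORGED_FROM = """From: "Joe Smith" <attacker@example.net>
To: finance@mycompany.com
Subject: Urgent payment

Please wire the supplier today.
"""

FORGED_REPLY_TO = """From: "Joe Smith" <joe.smith@mycompany.com>
Reply-To: <attacker@example.net>
To: finance@mycompany.com
Subject: Urgent payment

Please wire the supplier today.
"""

LEGITIMATE = """From: "Joe Smith" <joe.smith@mycompany.com>
To: finance@mycompany.com
Subject: Budget

See attached.
"""

UNRELATED = """From: "Bob Jones" <bob@example.org>
To: finance@mycompany.com
Subject: Lunch

Anyone free at noon?
"""

if __name__ == "__main__":
    for label, raw in [("forged From", FORGED_FROM), ("forged Reply-To", FORGED_REPLY_TO),
                       ("legitimate", LEGITIMATE), ("unrelated", UNRELATED)]:
        print(f"{label}: {check_impersonation(raw)}")
```

Because the name match runs against the whole raw From header, it fires whichever way round a client writes the display name and address; the address comparison relies on the parsed address, which is why the samples use the standard ordering.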