Maintain state between filter rules

Richard Goode

May 29, 2019
Hi all,

Is there a way to maintain some state between mail filter rules? I've had a look through pmg-smtp-filter and I can see that all actions get applied at the end after their conditions have been evaluated.

What I want to achieve is an "impersonation" filter. My logic is:

Code:
if (header("from") == ceo-names-who-object) {        // from matches list of regexes of important people
    if (header("from") != ceo-emails-who-object) {   // from does not match list of valid email addresses for the important people
        mark subject with warning
    }
}

My hope was that I could create 3 rules to do this, setting an X-header to maintain state between them (i.e. if it matches the list of CEO names, set an X-Name header; if it doesn't match the list of valid CEO emails, set an X-Email header; if X-Name=true && X-Email=false then send a warning), but after digging through pmg-smtp-filter I see the last step won't work (headers aren't set until all rules are evaluated).

I believe it would really open possibilities if we could use the rules (or some other mechanism) to easily script complex conditions. Any thoughts on how I can achieve this other than writing my own filter?

Thanks,
Richard
 
hmm - one question that comes to mind is - what do you gain by such a filter?
* the From-header can be easily written by any client which sends mail - and if someone maliciously writes a mail where they change the 'Fullname' in the from header to impersonate an important person, what should stop them from changing the e-mail address in the same line/header itself?
* the from-header is nothing which can be used for authentication (smtp-auth, when the mailer writes an appropriate header could be used for that, but again - there's many legitimate scenarios where the auth-user is different from the from-header)

However, stateful rules are indeed not currently possible in PMG.

I hope this helps!
 
Hi Stoiko,

We have had some cases where an attacker has sent emails pretending to be our CEO. I'm sure you're familiar - the email is sent to someone in finance stating that we must pay this overseas supplier urgently, etc etc. The emails we've seen employ two methods:

Assume the CEO is "Joe Smith"

1. Forged From. The From header of the message says something like
From: <attacker@gmail.com> "Joe Smith"
2. Forged Reply-To.
From: <joe.smith@mycompany.com> "Joe Smith"
Reply-to: <attacker@gmail.com>
Certain mail clients (Outlook for example) will show the mail as from "Joe Smith" and in our case, the finance person exchanged a couple of emails with the attacker before realising it was a fake.

The filter I'm trying to create (which I have done previously on Ironports) is this:

Code:
if ("From" ~= "(?i)joe.*smith")
{
    if (("Reply-to") && !("Reply-to" == [legitimate emails for joe smith]))
        mark as spam;
    else if (!("From" == [legitimate emails for joe smith]))
        mark as spam;
}


Obviously we'd have to create multiple rules for each C-level, which actually became a pain to manage, so I compromised with a generic filter like this:

Code:
if ("From" ~= [list of protected name regexes])
{
    if (("Reply-to") && !("Reply-to" == [list of acceptable emails]))
        mark as spam;
    else if (!("From" == [list of acceptable emails]))
        mark as spam;
}

The compromise being that technically I could send an email "from" a protected name using the reply-to address for a different protected name's email, but I'm happy with that to keep the rule simple.

For this to work, I need 2 lists:

1. A list of "protected name" regexes
2. A list of legitimate emails for those protected names

So if someone sends mail "From:" joe smith, but the reply-to is "attacker@gmail.com" then it gets flagged.

Regards,
Richard
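The generic filter above, as an added standalone example that is not part of the thread and not PMG code (PMG rules are Perl; Python is used here so it runs anywhere). The protected-name regexes, acceptable addresses and sample messages are all constructed, and the samples use the standard RFC 5322 order of display name before address:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration: the two lists the post asks for.
PROTECTED_NAMES = [re.compile(r"joe.*smith", re.I), re.compile(r"jane.*doe", re.I)]
ACCEPTABLE_EMAILS = {"joe.smith@mycompany.com", "jane.doe@mycompany.com"}


def check_impersonation(raw_message: str):
    """Apply the generic filter from the post to one raw message.

    Returns "forged-reply-to", "forged-from", or None (message passes).
    The name regexes run against the whole From header, so a bare address
    such as joesmith@gmail.com with no display name is caught as well.
    """
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    if not any(p.search(from_header) for p in PROTECTED_NAMES):
        return None  # not a protected name: the rule does not apply
    _, from_addr = parseaddr(from_header)
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() not in ACCEPTABLE_EMAILS:
            return "forged-reply-to"
    # Reached when there is no Reply-To, or the Reply-To is acceptable.
    if from_addr.lower() not in ACCEPTABLE_EMAILS:
        return "forged-from"
    return None


# Constructed sample messages matching the two patterns described in the post.
FORGED_FROM = ('From: "Joe Smith" <attacker@gmail.com>\nTo: finance@mycompany.com\n'
               'Subject: Urgent payment\n\nPlease pay the supplier today.\n')
FORGED_REPLY_TO = ('From: "Joe Smith" <joe.smith@mycompany.com>\nReply-To: <attacker@gmail.com>\n'
                   'To: finance@mycompany.com\nSubject: Urgent payment\n\nPlease pay today.\n')
LEGITIMATE = ('From: "Joe Smith" <joe.smith@mycompany.com>\nTo: finance@mycompany.com\n'
              'Subject: Budget\n\nSee attached.\n')
UNRELATED = 'From: "Bob Jones" <bob@example.net>\nTo: finance@mycompany.com\nSubject: Invoice\n\nHi.\n'

if __name__ == "__main__":
    for label, sample in [("forged From", FORGED_FROM), ("forged Reply-To", FORGED_REPLY_TO),
                          ("legitimate", LEGITIMATE), ("unrelated", UNRELATED)]:
        print(f"{label}: {check_impersonation(sample)}")
```

As in the post's compromise, a Reply-To that belongs to a different protected person is still accepted, since the check is against the shared acceptable list.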