#######################################
### INTRODUCTION TO JARED'S RULEZ ###
#######################################

"THE BEST PHISH IS THE ONE THAT NEVER MAKES IT INTO A USER MAILBOX"

These rulesets are put out there in "stand-alone" fashion, so that an Email
Administrator can use (or not) the rules that address their particular needs.
Other rule bundlers can use what they want. I've no problem assigning
"Kill Level" scores (>= 5.0) to rulesets.

For a Systems Administrator who wants to preserve their sanity, the most
important rules, in order of most important to least important, are:

1) CLOUDSPLOIT.cf
2) BAZA_CALL.cf
3) GONE_PHISHING.cf
4) NILS.cf
5) US_POLITICS.cf (Optional)

Downloads (ZIP or GZ) here: https://jaredsec.com/antispam/downloads

##############################################################################

1) CLOUDSPLOIT.cf:

This file should be installed when your system goes into production. The
rules therein provide good, solid protection for both the IT Staff and
their users.

CLOUDSPLOIT contains several parts. Most notable:

==================
- IT Administrator Fraud

These are straight-up Subject and Body phrase matches. These are bogus
"account deactivations", "e-mail error",

=============================
- IT System/Document Handling Fraud

These are Subject and Body phrase matches in conjunction with bad, or
otherwise Non-Relational, URLs. For example, "Increase Storage", "Sign
Document", "Reset Password", "Get your files", etc. combined with a
non-relational URL, like a ZPR.IO or Twitter link.

=============
- Sextortion Fraud

Multiple Body phrase matches are used to catch Aaron Smith/Sextortion
e-mails. It comes complete with a Punycode word dictionary to catch Unicode
and Hybrid variants. It also guards against those extortion mails that carry
JPEG street-view images.
=============
- Other Tools

There are a lot of other rulesets therein that deal with:

+ Bad onmicrosoft.com hosts
+ Bad Firebase project hosts
+ MIME type/classification errors
+ Open-Me/Sales-Process scams
+ Attachment names and types
+ Unicode irregularities
+ Address Field format issues

=============

Very effective.

2) GONE_PHISHING.cf:

This file consists mostly of simple Name and Domain comparisons (Name
"spoofs"). Some, like PayPal, are more complex than others. This is very
effective at eliminating fraudulent bank schemes. Company names ARE
trademarks by default. For the most part, if the company named in an
e-mail's From Name does not match the domain of its From Address, these
rules hit. This protects Consumers and Companies alike from fraud. There are
over 100 companies protected by these rules. Updated when necessary, but not
updated frequently.

3) BAZA_CALL.cf:

These rules target fake invoice scams/threats, like your McAfee or Geek
Squad "subscriptions". They are characterized by a phone number that the
consumer can call for "support", where credit card details are solicited or
malware is installed by the remote operator.

These rules introduce a Non-Relational Object (NRO) design model, linking
these Object Groups:

- Subjects
- Body Phrases
- From Names
- Product Names
- Form Fields
- Values in Form Fields
- Phone number presence (NANPA)
- Phone number values

Works amazingly well, even with .ICS calendar invites. It also works well
with the ExtractText Plugin for detecting Baza Call signatures in attached
Word or PDF files.

4) NILS.cf:

These rules deal with Name-Image-Likeness Spam. These include Social
Information Diffusion (SID) spam campaigns and other fraudulent Trademark
Infringement schemes like:

+ Omaha Steaks
+ AAA
+ BlueCross/BlueShield
+ Costco
+ Marriott

5) US_POLITICS.cf:

These rules target and filter out e-mail from most political organizations.
It doesn't affect e-mail from actual Government organizations,
representatives, employees, and office-holders. Perhaps it should.
This file is OPTIONAL. Our systems support small business domains. Most
people (99.6% here) will have no objection to this ruleset. But there is one
individual at one company who explained, "I know it's all crap, but we do
retain a lobbying company and I need to know which way the wind is blowing."

##############################################################################
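The two rule styles described above, the Name/Domain spoof comparison used in GONE_PHISHING and the Non-Relational Object (NRO) scoring used in BAZA_CALL, look roughly like this in SpamAssassin's .cf syntax. This is an added illustration and not code taken from Jared's Rulez: the brand ("Example Bank" at examplebank.com), the phrases, the rule names (JSR_*) and the thresholds are all hypothetical, and the real BAZA_CALL rules link more object groups (form fields, form values, specific phone number values) than are shown here.

```spamassassin
# Added example, not part of Jared's Rulez. Brand, domain, phrases and rule
# names are hypothetical; tune them against your own mail flow before use.

# --- Name/Domain spoof, GONE_PHISHING style --------------------------------
# Fire when the From display name claims the brand but the From address is
# not in the brand's own domain (subdomains of examplebank.com are allowed).
header   __JSR_EXBANK_NAME   From:name =~ /\bExample\s*Bank\b/i
header   __JSR_EXBANK_ADDR   From:addr =~ /\@(?:[\w-]+\.)*examplebank\.com$/i
meta     JSR_EXBANK_SPOOF    (__JSR_EXBANK_NAME && !__JSR_EXBANK_ADDR)
describe JSR_EXBANK_SPOOF    From name claims Example Bank, address not at examplebank.com
score    JSR_EXBANK_SPOOF    5.0

# --- Non-Relational Object scoring, BAZA_CALL style ------------------------
# Each object group is an independent sub-rule; the meta rule requires a
# phone number plus at least two other, unrelated groups to line up in the
# same message (renewal subject, "call us to cancel" phrase, product name,
# dollar amount, billing-style From name).
header   __JSR_NRO_SUBJ      Subject =~ /\b(?:invoice|renew(?:al|ed)|subscription|order\s+confirm(?:ation|ed))\b/i
body     __JSR_NRO_PHRASE    /\b(?:to\s+cancel|for\s+(?:any\s+)?(?:queries|assistance|refund)|customer\s+(?:care|support))\b/i
header   __JSR_NRO_FROMNAME  From:name =~ /\b(?:billing|support|invoice|help\s*desk)\b/i
body     __JSR_NRO_PRODUCT   /\b(?:antivirus|total\s+protection|tech\s+support\s+plan)\b/i
body     __JSR_NRO_AMOUNT    /(?:\$|\bUSD\s?)\d{2,4}(?:\.\d{2})?\b/
# NANPA number: optional +1, area code and exchange starting 2-9, 4-digit line,
# with the usual separators; the digit look-arounds reject longer digit runs.
body     __JSR_NRO_NANPA     /(?<!\d)(?:\+?1[\s.-]?)?\(?[2-9]\d{2}\)?[\s.-]?[2-9]\d{2}[\s.-]?\d{4}(?!\d)/

meta     JSR_NRO_PHONE_SCAM  (__JSR_NRO_NANPA && (__JSR_NRO_SUBJ + __JSR_NRO_PHRASE + __JSR_NRO_FROMNAME + __JSR_NRO_PRODUCT + __JSR_NRO_AMOUNT) >= 2)
describe JSR_NRO_PHONE_SCAM  Invoice/renewal lure with a NANPA call-back number
score    JSR_NRO_PHONE_SCAM  5.0
```

Drop the file into the local rules directory (e.g. /etc/mail/spamassassin/) and run `spamassassin --lint` before reloading; a syntax error in one rule disables the whole file. The From:addr test is where most of the per-brand complexity ends up, since a brand that sends through a third-party ESP needs its extra sending domains listed there or the spoof rule will hit legitimate mail. Because the phone, phrase and amount tests are body rules, they also see text that the ExtractText plugin renders from attachments, which is what the README relies on for BAZA_CALL signatures inside Word and PDF lures.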