[Users] Warning message based on a header?
"Adrián Gibanel"
adrian.gibanel at btactic.com
Fri Aug 11 19:53:13 CEST 2023
You can find a virtually identical repo to the zimlet that Barry links to here:
https://github.com/btactic/spoofing-and-phishing-alert-zimlet
and it even has its own release so that you can easily download the zimlet.
This has not been updated since November 2019 but it works quite well nowadays on ZCS 8.8.15 as far as I know.
> Currently, we maintain post-treatment anti-phishing rules based on keywords combined with URLs from certain domains that we have identified as regularly hosting phishing forms.
> When these rules match, we add weight to messages (score) which usually leads to them being marked as SPAM. But sometimes the URL pointed to in the phishing email is not in our list and the message
> escapes tagging.
>
> The idea would be to position a header on the message when one or more rules match based on keyword combinations only (whatever the URL in the message)
> so that the user, at least, gets alerted that the message may be malicious.
My piece of advice is just to create a custom SpamAssassin tag (not sure if that's the actual name) and then add it the same way as FROMNAME_SPOOF was added: https://github.com/btactic/spoofing-and-phishing-alert-zimlet/commit/75947d755ec287e808b8fed822c920f4e086b946 .
Yes, it means either forking the zimlet so that it has your custom SpamAssassin tag or refactoring so that some of those X-Spam-Status values can be fetched from some zimlet config or something, I guess.
> From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
> To: "users" <users at lists.zetalliance.org>
> Sent: Wednesday, 5 July 2023 8:21:09
> Subject: [Users] Warning message based on a header?
> Hello folks,
> Are you aware of any Zimbra setting or Zimlet that would add a red warning on
> the email read panel saying "This message could be malicious" based on the
> presence of a specific header in the message?
> Regards,
> Frédéric
> --
> Frédéric Nass
> Sous-direction Infrastructures et Services
> Direction du Numérique
> Université de Lorraine
> Tél : +33 3 72 74 11 35
--
Adrián Gibanel
I.T. Manager
+34 675 683 301
+34 973 270 382
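One way the configurable check suggested in the reply above could look, as an added example that is not code from the zimlet repository. It assumes the X-Spam-Status header was written by your own filter, in either the plain SpamAssassin form or the bracketed amavisd form; `LOCAL_PHISH_KEYWORDS` is a hypothetical custom rule name and the sample headers are constructed.

```javascript
// Added example, not the zimlet's own code.
// Rule names that should raise the banner. FROMNAME_SPOOF comes from the thread;
// LOCAL_PHISH_KEYWORDS is a hypothetical name for a site-specific keyword rule.
const WARN_RULES = new Set(["FROMNAME_SPOOF", "LOCAL_PHISH_KEYWORDS"]);

// Return the rule names listed in the tests= field of an X-Spam-Status value.
// Accepts tests=A,B,C and tests=[A=1.2, B=-0.5], including folded header lines.
function parseSpamTests(headerValue) {
  if (typeof headerValue !== "string") return [];
  const compact = headerValue
    .replace(/\r?\n[ \t]+/g, " ") // unfold continuation lines
    .replace(/,\s+/g, ",");       // rejoin a list that was split after commas
  const m = compact.match(/\btests=(\S*)/);
  if (!m) return [];
  return m[1]
    .replace(/^\[|\]$/g, "")              // drop amavisd brackets
    .split(",")
    .map((t) => t.split("=")[0].trim())   // drop per-rule scores
    .filter((t) => /^[A-Z0-9_]+$/.test(t)); // keep well-formed names, skips "none"
}

// Decide whether the reading pane should show the warning for this message.
function warningFor(headerValue, warnRules = WARN_RULES) {
  const hits = parseSpamTests(headerValue).filter((t) => warnRules.has(t));
  return hits.length
    ? { warn: true, rules: hits, text: "This message could be malicious" }
    : { warn: false, rules: [], text: "" };
}

// Constructed sample headers (not taken from real mail).
const SAMPLE_PLAIN =
  "Yes, score=7.1 required=5.0 tests=BAYES_50,FROMNAME_SPOOF,\r\n\tHTML_MESSAGE autolearn=no";
const SAMPLE_AMAVIS =
  "No, score=2.3 tagged_above=-10 required=6.6\r\n\ttests=[BAYES_50=0.8, LOCAL_PHISH_KEYWORDS=1.5]\r\n\tautolearn=no";
const SAMPLE_CLEAN = "No, score=0.0 required=5.0 tests=none autolearn=ham";

for (const h of [SAMPLE_PLAIN, SAMPLE_AMAVIS, SAMPLE_CLEAN]) {
  console.log(warningFor(h));
}
```

Because the rule list is a plain set, it can be loaded from configuration instead of being hard-coded, which avoids forking for each new rule name.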