Enquiry - Any way to detect look-alike domain in SpamAssassin?

ccto

To reduce look-alike domain phishing between from-domain and to-domain, any way to detect it?

For example, say our customer's domain is 123.com.
A spammer registers l23.com, sets up SPF, DKIM, ..., and then it passes all anti-spam checks and sends the phishing emails.

Thank you for your advice.
 
Code:
v=spf1 a mx -all
Normally, DirectAdmin will create it with " ~all ", which is less strict. If you really want to reject, you must change it to " -all ".

Or maybe I'm wrong, if this isn't enough. @mxroute could solve this problem.
 
If you really want to reject, you must change it to " -all ".
This indeed isn't enough because the spammer is not spoofing the domain but using a real domain which looks alike, so no SPF or DKIM will block that. But -all can be helpful with "normal" spoofers.

@ccto It might be good to put that look-alike domain in /etc/virtual/blacklist_domains, and maybe something like *@I123.com (using your example) in the /etc/virtual/blacklist_senders file. Restart Exim afterwards.
However, this will not block that spammer from sending phishing mails to other servers.

But indeed maybe @mxroute has additional nice ideas.
 
A Sieve filter can use a regex expression to automatically delete email.

Other features like SpamAssassin or Email Filter don't support regex rules, so this could filter look-alike domains out of the mailbox.
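
One way to do the look-alike check the thread asks about, as an added example that is not part of the original posts or of SpamAssassin, Exim or DirectAdmin: compare the From domain with a list of protected domains using a confusable-character skeleton plus edit distance. The function names, the confusable map and the sample headers are assumptions made for illustration; 123.com, l23.com and I123.com are the thread's own examples.

```python
from __future__ import annotations
from email.utils import parseaddr

# Assumed, non-exhaustive confusable pairs; extend for your own domains.
_MULTI = (("rn", "m"), ("vv", "w"))
_SINGLE = str.maketrans({"1": "l", "i": "l", "0": "o"})

def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to one canonical form."""
    d = domain.strip().rstrip(".").lower()
    for seq, repl in _MULTI:
        d = d.replace(seq, repl)
    return d.translate(_SINGLE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, protected: list[str]) -> tuple[str, str] | None:
    """Return (reason, imitated_domain) when the From domain imitates a protected one."""
    _, at, domain = parseaddr(from_header)[1].rpartition("@")
    domain = domain.rstrip(".").lower()
    goods = [p.lower() for p in protected]
    if not at or not domain or domain in goods:
        return None  # no usable address, or the genuine domain itself
    for good in goods:
        if skeleton(domain) == skeleton(good):
            return ("homoglyph", good)   # e.g. l23.com vs 123.com
        if edit_distance(domain, good) == 1:
            return ("one-edit", good)    # one character added, dropped or changed
    return None

if __name__ == "__main__":
    # Constructed sample headers; 123.com is the thread's example domain.
    samples = [
        '"Accounts" <billing@l23.com>',
        "ceo@I123.com",
        "staff@123.com",
        "news@example.org",
    ]
    for hdr in samples:
        print(f"{hdr!r:35} -> {check_sender(hdr, ['123.com'])}")
```

A hit is best used as a scoring or quarantine signal rather than an outright reject, because unrelated short domains can legitimately sit one edit apart.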
 