Hello, we have detected several instances of spam that look exactly like legit email.
They don't contain a virus, and they seem to be generated by a script.
They look exactly like SAT emails (the Mexican IRS); the only giveaway is that they come from Brazil (but we can't just block a whole country, can we?)...
This is how it looks in the mail client:
This is the content:
<http://unbouncepages.com/training-template-26471027869253355/> Descargar todo como.zip archivos adjuntos (98kb) <http://unbouncepages.com/training-template-26471027869253355/> 11/06/2019 17:02:19 se anexa el seguiente comprobante fiscal digital Remitente: Servicio de Administración Tributaria N-66816155. Hemos identificado que tienes pendiente de presentar, al 11 de junio de 2019, lo siguiente: SERIE Y FOLIO: _BME_2019_66816155_6681.
We can't block words like
se anexa el seguiente comprobante fiscal digital
because they mean
"Here is attached the following invoice"
and that is used by ALL the electronic invoice systems in Mexico.
The only words we figured we could block are
Descargar todo como.zip
(means download everything as zip)
We added that to the content filter. We already started to see blocked phishing with no false positives so far.
But please notice how MOST of the words are randomly generated, like the invoice number and date, and how the linked content is just a landing page form, so there is no virus in the link or attachment. I know this is terribly difficult to block for Barracuda or any filtering system for that matter.
So, any advice about the content filtering?
Thanks in advance.
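The filtering logic described in the post, as an added example that is not part of the original post and is not a Barracuda feature: it blocks on the one phrase found safe to block, and also flags a body that names SAT as "Remitente" while linking somewhere else. The assumption that genuine SAT links sit under sat.gob.mx, the names `classify` and `off_brand_hosts`, and every sample except the body quoted in the post are constructed for illustration.

```python
import re
from urllib.parse import urlparse

BLOCK_PHRASE = "descargar todo como.zip"   # phrase the post found safe to block
# Assumption of this example: mail that names SAT as "Remitente" should only
# link to hosts under sat.gob.mx.
CLAIMS_SAT = re.compile(r"remitente:\s*servicio de administraci[oó]n tributaria")
BRAND_DOMAINS = ("sat.gob.mx",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def off_brand_hosts(body):
    """Hosts linked from the body that are not under a BRAND_DOMAINS entry."""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    return sorted(h for h in hosts if h and not any(
        h == d or h.endswith("." + d) for d in BRAND_DOMAINS))

def classify(body):
    """Return (verdict, reasons) for one message body."""
    text = " ".join(body.lower().split())   # fold case and whitespace
    reasons = []
    if BLOCK_PHRASE in text:
        reasons.append("phrase")
    if CLAIMS_SAT.search(text) and off_brand_hosts(body):
        reasons.append("brand-link-mismatch")
    return ("block" if reasons else "allow"), reasons

# Body quoted in the post (shortened).
PHISH = ("<http://unbouncepages.com/training-template-26471027869253355/> "
         "Descargar todo como.zip archivos adjuntos (98kb) 11/06/2019 17:02:19 "
         "se anexa el seguiente comprobante fiscal digital "
         "Remitente: Servicio de Administración Tributaria N-66816155.")
# Constructed samples: a reworded variant, a real vendor invoice, SAT's own link.
VARIANT = ("<http://landing.example.net/form> Ver archivos adjuntos "
           "Remitente: Servicio de Administración Tributaria N-10000001.")
VENDOR = ("Se anexa el siguiente comprobante fiscal digital. Remitente: "
          "Proveedor Ejemplo SA de CV <https://facturas.example.com/cfdi/123>")
SAT_OWN = ("Remitente: Servicio de Administración Tributaria "
           "<https://www.sat.gob.mx/portal>")

if __name__ == "__main__":
    for name, body in [("phish", PHISH), ("variant", VARIANT),
                       ("vendor", VENDOR), ("sat", SAT_OWN)]:
        print(name, *classify(body))
```

The vendor sample carries the common invoice wording and is allowed, while the reworded variant is still caught because it does not depend on the fixed phrase.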