Email body prepend

Given the recent increase in email sender spoofing I've been working on a Sieve filter to deal with emails that pass SPF, DKIM and thus DMARC filters but are clearly trying to fool users. My draft filter is listed below, the logic works according to https://www.fastmail.com/cgi-bin/sievetest.pl. I'm looking to drop hidden sender in spam if the domain is different from the receiver, if the same it should just discard.

What I'd like to do next is to add a bit of html/text to emails that are to be dropped in the spam folder to warn users. I can't find a way using Sieve to do this. I see procmail mentioned but a quick search of this forum for procmail doesn't fill me with confidence. Are there any people out there who are doing this already? What options/tools would you use to modify email body/subject? Sieve can edit the email header so it should be easy to add a flag for another tool. For excample Spamassassin prepends potential spam emails.

Code:

require ["reject","fileinto","variables","regex"];

# Test if the display name contains a spoofed email address
if header :matches "from" "*@* <*@*>" {
    # ${1} spoofed name
    # ${2} spoofed domain
    # ${3} actual name
    # ${4} actual domain
    set :lower "fr_spoof_dn"  "${2}";
    set :lower "fr_spoof_fq"  "${1}@${2}";
    set :lower "fr_actual_fq" "${3}@${4}";
    # Match spoofed vanity sender email addresses
    if not string "${fr_actual_fq}" "${fr_spoof_fq}" {
        if address :domain ["to","cc","bcc"] "${fr_spoof_dn}" {
            # Sender is impersonating target domain.
            #set "warning" "Impersonating";
            #reject "BLOCKED - Impersonating the receiving domain.";
            #discard;
            fileinto "trash";
        } else {
            # Sender is hiding the real source domain.
            #set "warning" "HidingSource";
            #reject "WARNING - Hiding the true sender.";
            fileinto "spam";
        }
    } else {
        # Do nothing, no Spoofing detected.
    }
}

If my coding stinks, please feel free to point out improments.

 

This looks interesting, as in it edits email body: https://www.howtoforge.com/add-disclaimers-to-outgoing-emails-with-altermime-postfix-debian-etch

 

Absolutely, I agree the link points to an article dealing with sent emails. I was more interested in seeing if it could be used to prepend to the body of a received email, after DKIM had been checked.

Your editheader suggestion seems to cater to subject line modification, for which my gratitude. I'm (actually) looking for something similar to what Gmail has started doing for suspect emails. O365 has similar abilities. I only want to implement this for received email. If editheaders can do this too then I've not yet spent enough time Googling.

 

I use both, the website shows the warning. Which may well just be in response to a flag set in the header or as a meta tag outside the email.

That is something I hadn't considered, (again I find I need to read better) you explicitly mention DKIM issues when using sieve to forward emails with altered subject. I'm not planning to forward email using sieve so I should be safe there.

I think I'll settle on just blocking directed phishing when a sender tries to impersonate the receiving domain. Other spoofed sources using the vanity name will get marked as spam and put int he spam folder. I may add a marker in the subject line, I definetely would not want to forward these emails anywhere.

 

I'm adding to this OLD thread to say that this needs to be revisited.

Perhaps MailSieve isn't the answer, but altermime doesn't do it either.

Basically as spammers become bigger a**holes and try to loop unsuspecting users into scams, a header at the top of the email after it's been delivered to the mail server stating "This is from the outside world!" is becoming increasingly necessary. It can be done in Exchange, but we're looking for some way to do it in ISPConfig.

If this were a MailSieve rule, it would look like "if origin header does not contain [internal IP subnet], bodyprepend "WarningMessage". If you do it AFTER the message is validated by postfix, then it doesn't break DKIM.

And before someone retorts about it - Yes, we have training from KnowBefore.... but users are still occasionally fooled.

Thoughts?