How can I use filtering to warn my users about phishing attempts against their accounts?
One method is to add a disclaimer to any mail message that contains words or phrases such as "date of birth", "password", or "Social Security number". You can do that with a Mirapoint filter in combination with the Message Set command. However, you will need to create the filter at the command line, not through the Administrative Suite.
First, create the message. You must use the filter.disclaimer group for this message so that it can be used in the disclaimer filter action, as shown:
mirapoint.example.edu> message set en_US.iso-8859-1 filter.disclaimer.passmessage
Enter message (including headers), finish with a '.' on a line by itself:
NOTICE: University IT staff will never ask for your password,
Social Security Number, or other sensitive information in email.
If you receive a message claiming to be from a staff member asking
for such information, please forward it to email@example.com for
our security team to deal with.
.
Next, create the filter or filters. The options for getting disclaimers to display as intended in HTML email, customizing messages for different character sets, and so on are beyond the scope of this article, but here is a pair of example filters that use the message set above:
mirapoint.example.edu> filter add "(domain=any)" "pass1" disclaimer "(message=filter.disclaimer.passmessage)(position=top)(name=password-warning.txt)" anyof continue
:body contains "date of birth"
:body contains "password"
:body contains "Social Security Number"
:body contains "PASSW0RD"
mirapoint.example.edu> filter add "(domain=any)" "pass2" disclaimer "(message=filter.disclaimer.passmessage)(position=top)(name=password-warning.txt)" anyof continue
Subject regexmatches "password|account suspend|account disable"
A small, but probably increasing, fraction of the spam stream is encoded in non-text formats, which these filters will not match. To work around this problem, use :bodydecoded includes(compare=nocase) instead of :body contains in the filters above.
NOTE: Using :bodydecoded includes(compare=nocase) instead of :body contains can place a significant load on edge systems, so monitor performance carefully if you choose this method.
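The following Python sketch is an added example, not Mirapoint code and not part of the original article. It models why matching the body as transmitted misses a base64-encoded message while matching the decoded body catches it, so you can try a phrase list against saved samples before touching production filters. The sample messages, the helpdesk@example.edu address, and the function names are constructed for illustration, and both models compare case-insensitively as an assumption so that decoding is the only difference shown.

```python
import base64
from email import message_from_string

# Phrases copied from the "pass1" example filter above.
BODY_PHRASES = ["date of birth", "password", "Social Security Number", "PASSW0RD"]

def _hit(text):
    # Assumption: compare case-insensitively in both models so that the only
    # difference between them is whether the body has been decoded.
    low = text.lower()
    return any(p.lower() in low for p in BODY_PHRASES)

def raw_body_match(raw):
    """Model of matching the body exactly as transmitted (no MIME decoding)."""
    _, _, body = raw.partition("\n\n")
    return _hit(body)

def decoded_body_match(raw):
    """Model of matching after the Content-Transfer-Encoding is undone."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and non-text attachments
        data = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        if _hit(data.decode(charset, "replace")):
            return True
    return False

def make_sample(body, b64=False):
    """Build a constructed test message; the address is a placeholder."""
    head = ("From: helpdesk@example.edu\nSubject: Mailbox notice\n"
            "Content-Type: text/plain; charset=utf-8\n")
    if b64:
        head += "Content-Transfer-Encoding: base64\n"
        body = base64.encodebytes(body.encode()).decode()
    return head + "\n" + body

LURE = "Please reply with your password and date of birth.\n"
SAMPLES = {  # constructed messages, not real mail
    "plain_lure": make_sample(LURE),
    "base64_lure": make_sample(LURE, b64=True),
    "benign": make_sample("The lunch menu for Friday is attached.\n"),
}

def evaluate():
    """Return {sample name: (raw match, decoded match)}."""
    return {n: (raw_body_match(m), decoded_body_match(m)) for n, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (raw, dec) in evaluate().items():
        print(f"{name:12} raw={raw!s:5} decoded={dec}")
```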