Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2021/01/28 13:01:25 UTC

docusign/adobe spark/sendgrid phish

Hi,

This message passes DKIM for adobespark.com and hits the sendgrid SPBL
rule, but also USER_IN_DEF_SPF_WL. I'm trying to understand how this
message was not caught and how it was allowed to apparently manipulate
these services.

What is the attachment included in the email?

https://pastebin.com/mm2JiT3L

Thanks,
Alex

Re: docusign/adobe spark/sendgrid phish

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 28 Jan 2021, at 8:01, Alex wrote:

> Hi,
>
> This message passes DKIM for adobespark.com and hits the sendgrid SPBL
> rule, but also USER_IN_DEF_SPF_WL. I'm trying to understand how this
> message was not caught and how it was allowed to apparently manipulate
> these services.

Clearly the reason it was not deemed to be spam was the -7.5 score of 
USER_IN_DEF_SPF_WL, which completely counteracted the Bayes and 
NIXSPAM_IXHASH scores. The full story is told by the X-Spam-Status 
header. Personally, I weaken the "default whitelist" scores on systems I 
administer because of this sort of travesty and a general lack of 
"spammy" wanted mail from domains in that list. YMMV.

As for Adobe Spark and Sendgrid, they are both designed to facilitate 
spamming, so this is just normal use, not manipulation. I personally 
don't believe that Adobe has earned their position in the "default 
whitelist" but apparently some people get substantial wanted mail from 
them and are convinced that they act on spam reports.

> What is the attachment included in the email?

The 2 attachments are both PNG images: the DocuSign logo and a 
"download" icon. Harmless.

The "payload" is the Spark-obfuscated link claiming to be for viewing a 
signed DocuSign document. Spark redirects that to a Google Firebase URL 
which is now dead.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
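
Added example, not part of either post: Bill's remark that the X-Spam-Status header tells the full story can be checked mechanically. This Python sketch parses such a header and reports which negative-scoring rule alone kept a message under the threshold; it assumes per-rule scores are emitted via SpamAssassin's _TESTSSCORES_ template tag, and the sample header is constructed (only the -7.5 comes from the thread).

```python
import re

# Constructed sample, not the header from the pastebin. Only the -7.5 for
# USER_IN_DEF_SPF_WL comes from the thread; the other scores are invented.
# Assumes the site adds per-rule scores with the _TESTSSCORES_ template tag.
SAMPLE = (
    "X-Spam-Status: No, score=0.8 required=5.0\n"
    "\ttests=BAYES_99=3.5,DKIM_VALID=-0.1,HTML_MESSAGE=0.001,\n"
    "\tNIXSPAM_IXHASH=4.899,USER_IN_DEF_SPF_WL=-7.5 autolearn=no\n"
)


def parse_status(header):
    """Return (score, required, {rule: score}) from an X-Spam-Status header."""
    # Unfold continuation lines and drop the whitespace left after commas,
    # since the tests list is folded between rule names.
    flat = re.sub(r",\s+", ",", " ".join(header.split()))
    score = float(re.search(r"\bscore=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", flat).group(1))
    tests = re.search(r"\btests=(\S*)", flat).group(1)
    rules = {}
    for item in filter(None, tests.split(",")):
        name, _, value = item.partition("=")
        if not value:
            # Default headers list rule names only; nothing to analyse then.
            raise ValueError("no per-rule score for %s" % name)
        rules[name] = float(value)
    return score, required, rules


def decisive_negatives(header):
    """Negative rules whose removal alone would push the message to spam."""
    score, required, rules = parse_status(header)
    found = []
    for name, value in rules.items():
        without = round(score - value, 3)
        if value < 0 and score < required <= without:
            found.append((name, value, without))
    return found


if __name__ == "__main__":
    for name, value, without in decisive_negatives(SAMPLE):
        print("%s (%+.1f): score would be %.1f without it" % (name, value, without))
```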