Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/10/24 18:32:51 UTC
Bank fraud phish
Hi all, I'm wondering if someone has some ideas to handle bank fraud
phishing emails, and in particular this one:
https://pastebin.com/wxFtKK16
It doesn't hit bayes99 because we haven't seen one before, and txrep
subtracts points. It also doesn't hit any blacklists.
Ideas for blocking these, and more general advice for blocking banking
fraud/phish attacks would be appreciated.
Re: Bank fraud phish
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 24 Oct 2017, Rupert Gallagher wrote:
> Easy one. The Message-ID is not well formed / RFC compliant. We reject such junk upfront.
>
> Sent from ProtonMail Mobile
>
>
> On Tue, Oct 24, 2017 at 8:32 PM, Alex <my...@gmail.com> wrote:
> Hi all, I'm wondering if someone has some ideas to handle bank fraud phishing emails, and in particular this one:
> https://pastebin.com/wxFtKK16 It doesn't hit bayes99 because we haven't seen one before, and txrep subtracts points.
> It also doesn't hit any blacklists. Ideas for blocking these, and more general advice for blocking banking fraud/phish
> attacks would be appreciated.
I'm sorry, what RFC does that message-id fail to comply with?
It's of the form :
"Message-ID: <alphanum*@alphanum*.alphanum*.alphanum*.alphanum*>"
Looks darned correct to me.
It's a bit on the long side but I've seen worse and is still not too long.
The fact that there's folded whitespace in there is totally permissible as long
as it's done correctly, which it looks like it is.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
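The check Dave Funk and John Hardin describe, written out as an added example (my own code, not anything posted in the thread): a validator for the dot-atom form of an RFC 5322 msg-id that unfolds the header first, so the line break between the field name and the ID is accepted, plus a header lookup that matches the field name exactly rather than by substring, which is the mistake that makes X-MS-Exchange-CrossTenant-Network-Message-Id look like a malformed Message-ID. The sample header block is constructed: the local part of the Message-ID and the UUID are made up, only the outlook.com domain part comes from the thread. Obsolete syntax and comments inside the angle brackets are deliberately rejected, so this is stricter than some MTAs.

```python
import re
from typing import Optional

# RFC 5322, sections 3.2.3 and 3.6.4: msg-id = "<" id-left "@" id-right ">"
# with id-left = dot-atom-text and id-right = dot-atom-text / "[" *dtext "]".
# The obsolete forms (obs-id-left / obs-id-right) are not accepted here.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM_TEXT = rf"{_ATEXT}(?:\.{_ATEXT})*"
_DTEXT = r"[\x21-\x5a\x5e-\x7e]*"          # printable ASCII minus "[", "]", "\"
_MSG_ID = re.compile(rf"<{_DOT_ATOM_TEXT}@(?:{_DOT_ATOM_TEXT}|\[{_DTEXT}\])>")


def unfold(value: str) -> str:
    """Undo header folding: the CRLF of each FWS is removed, and the
    whitespace RFC 5322 allows around the msg-id is stripped at both ends."""
    return re.sub(r"\r?\n", "", value).strip()


def is_valid_message_id(value: str) -> bool:
    """True if the (possibly folded) header value is exactly one msg-id."""
    return _MSG_ID.fullmatch(unfold(value)) is not None


def get_header(raw_headers: str, name: str) -> Optional[str]:
    """Value of the first field whose *name* equals `name`, folded lines
    included.  Exact-name matching matters: a loose search for "Message-Id"
    also hits X-MS-Exchange-CrossTenant-Network-Message-Id."""
    lines = raw_headers.split("\n")
    for i, line in enumerate(lines):
        if line[:1] in (" ", "\t"):
            continue                      # continuation of an earlier field
        field, sep, value = line.partition(":")
        if sep and field.lower() == name.lower():
            parts = [value]
            for cont in lines[i + 1:]:
                if cont[:1] not in (" ", "\t"):
                    break
                parts.append("\n" + cont)
            return "".join(parts)
    return None


# Constructed header block modelled on the folding seen in the thread; the
# local part of the Message-ID and the UUID are made up.
SAMPLE_HEADERS = (
    "X-MS-Exchange-CrossTenant-Network-Message-Id: "
    "5e1bb0a2-4c0b-4a7f-9b0e-000000000000\n"
    "Message-ID:\n"
    " <SNEXAMPLE0001@SN1PR0601MB1616.namprd06.prod.outlook.com>\n"
    "From: someone@example.com\n"
)


def check_sample() -> bool:
    """The real Message-ID is valid even though it starts on a folded line."""
    mid = get_header(SAMPLE_HEADERS, "Message-ID")
    return mid is not None and is_valid_message_id(mid)
```

Run the sample through is_valid_message_id(get_header(SAMPLE_HEADERS, "Message-ID")) and it passes; feed it the X-MS-... value instead and it fails, which is the right answer for the wrong header.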
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
We reject all e-mails with non-compliant Message-ID.
Sent from ProtonMail Mobile
On Tue, Oct 24, 2017 at 9:59 PM, David Jones <dj...@ena.com> wrote:
> On 10/24/2017 02:54 PM, Rupert Gallagher wrote:
> > Easy one. The Message-ID is not well formed / RFC compliant. We reject
> > such junk upfront.
> >
> > Sent from ProtonMail Mobile
> >
> Does this block all email out of Office 365 or just a subset of junk?
> >
> > On Tue, Oct 24, 2017 at 8:32 PM, Alex wrote:
> >> Hi all, I'm wondering if someone has some ideas to handle bank fraud
> >> phishing emails, and in particular this one:
> >> https://pastebin.com/wxFtKK16 It doesn't hit bayes99 because we
> >> haven't seen one before, and txrep subtracts points. It also doesn't
> >> hit any blacklists. Ideas for blocking these, and more general advice
> >> for blocking banking fraud/phish attacks would be appreciated.
> --
> David Jones
Re: Bank fraud phish
Posted by David Jones <dj...@ena.com>.
On 10/24/2017 02:54 PM, Rupert Gallagher wrote:
> Easy one. The Message-ID is not well formed / RFC compliant. We reject
> such junk upfront.
>
> Sent from ProtonMail Mobile
>
Does this block all email out of Office 365 or just a subset of junk?
>
> On Tue, Oct 24, 2017 at 8:32 PM, Alex <mysqlstudent@gmail.com> wrote:
>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>> phishing emails, and in particular this one:
>> https://pastebin.com/wxFtKK16 It doesn't hit bayes99 because we
>> haven't seen one before, and txrep subtracts points. It also doesn't
>> hit any blacklists. Ideas for blocking these, and more general advice
>> for blocking banking fraud/phish attacks would be appreciated.
--
David Jones
Re: Bank fraud phish
Posted by RW <rw...@googlemail.com>.
On Wed, 25 Oct 2017 11:50:19 +0100
Markus Clardy wrote:
> That isn't the Message-Id, that is
> the X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is
> compliant.
>
As is X-MS-Exchange-CrossTenant-Network-Message-Id in the original
> On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher
> <ru...@protonmail.com> wrote:
>
> > The raw e-mail in pastebin returns a non-well-formed Message-ID. I
> > attach a photo of what I see.
> >
> > Sent from ProtonMail Mobile
> >
> >
> > On Tue, Oct 24, 2017 at 10:05 PM, John Hardin <jh...@impsec.org>
> > wrote:
> >
> > On Tue, 24 Oct 2017, Rupert Gallagher wrote:
> > > Easy one. The Message-ID is not well formed / RFC compliant. We
> > > reject such junk upfront.
> >
> > How so? That looks totally valid to me... < dot-atom-text @ dot-atom-text >
> > The line break between the header and the ID is unusual, but not
> > invalid. That might potentially be a usable spam sign.
> >
> >
>
>
Re: Bank fraud phish
Posted by RW <rw...@googlemail.com>.
On Fri, 27 Oct 2017 14:43:30 +0200
Reindl Harald wrote:
> Am 27.10.2017 um 13:54 schrieb RW:
> > On Thu, 26 Oct 2017 01:33:20 -0400
> > Rupert Gallagher wrote:
> >
> >>> The DMARC standard says that EITHER (only takes one) SPF must pass
> >>> and
> >
> >> The relevant DNS R allows requiring both SPF and DKIM must pass,
> >> which is what we do in our own setup.
> >
> > Where in the RFC does it say that?
>
> he doesn't care about any RFC at all
>
> https://mail-archives.apache.org/mod_mbox/spamassassin-users/201702.mbox/%3cFWrFLZkuFusFwGACSDfdusz_HyPSrPgPw0RsXDHGKfnF2_1kiGm3G7nRvDBvEHCtszfXRDuDEP8RWKODak5w6wOEOr9EykDW03LqRGBR4hc=@protonmail.com%3e
>
> https://mail-archives.apache.org/mod_mbox/spamassassin-users/201702.mbox/%3cX9QVYmPc6XlSTm1JzXZ-J3Stw44aCmzDx9f9V-RVIoAw2wnHO5rfo0eOdtHnsJCFPBrkMr3yN4F5_GViYWxBnQB0J_sFhulAHDr27JbAcS8=@protonmail.com%3e
In this case I suspect that he was confused by the DMARC record option
to:
"Generate a DMARC failure report if any underlying
authentication mechanism produced something other than an
aligned "pass" result."
which is just a diagnostic feature.
Re: Bank fraud phish
Posted by RW <rw...@googlemail.com>.
On Thu, 26 Oct 2017 01:33:20 -0400
Rupert Gallagher wrote:
> > The DMARC standard says that EITHER (only takes one) SPF must pass
> > and
> The relevant DNS R allows requiring both SPF and DKIM must pass,
> which is what we do in our own setup.
Where in the RFC does it say that?
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
> The DMARC standard says that EITHER (only takes one) SPF must pass and
> align with the envelope-from domain OR DKIM must pass and align with the
> From: header domain.
The relevant DNS R allows requiring both SPF and DKIM must pass, which is what we do in our own setup. When checking for SPAM we apply the same policy to others, regardless of their DNS.
We are very strict, above and beyond the standards. Our general policy is: better safe than sorry.
Sent from ProtonMail Mobile
On Wed, Oct 25, 2017 at 5:30 PM, David Jones <dj...@ena.com> wrote:
> On 10/25/2017 09:39 AM, Rupert Gallagher wrote:
> >
> >> -------- Original Message --------
> >> Subject: Re: Bank fraud phish
> >> Local Time: 25 October 2017 4:18 PM
> >> UTC Time: 25 October 2017 14:18
> >> From: rwmaillists@googlemail.com
> >> To: users@spamassassin.apache.org
> >>
> >> On Wed, 25 Oct 2017 09:16:50 -0400
> >> Rupert Gallagher wrote:
> >>
> >> The e-mail is still flagged as SPAM here.
> >>
> >> *
> >> DMARC fails, because it passes DKIM, but fails SPF.
> >>
> >> This is wrong in every detail.
> >>
> >> It can't fail or pass DMARC because the domain welchtitles.com
> >> doesn't have a DMARC record.
> >>
> >> If it did have a record it would pass DMARC because it doesn't
> >> have an aligned DKIM pass, but does have an aligned SPF pass.
> >
> > We run DMARC compliance tests even if the sending domain does not adopt
> > the standard.
>
> That is not practical across the board and not wise. Spammers can setup
> SPF and DKIM alignment plus a DMARC record to make it perfect. You may
> decide to whitelist_auth trusted good senders or subtract points but you
> can't add points when the opposite is true unless you have manually
> verified the sender is a spammer and created a blacklist_from entry for
> that domain.
>
> The DMARC standard says that EITHER (only takes one) SPF must pass and
> align with the envelope-from domain OR DKIM must pass and align with the
> From: header domain. DMARC doesn't require both to pass and align
> but it's best when it does.
>
> https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
>
> The only valid way to do DMARC checks with SpamAssassin today is to run
> something like OpenDMARC on your milter and check headers with custom
> local SA custom rules. That is what I do.
>
> As a sender, it takes a lot of work to get DMARC passing so you can't
> assume that every sender is ready for DMARC checks and they just
> forgot to setup their _dmarc TXT record. This may work locally in a
> small environment but it won't scale out with larger environments
> without a lot of false positives.
>
> > Concerning SPF, the domain is *now* listing outlook.com as permitted
> > sender. The original header includes evidence of the change:
> >
> > > Received-SPF: None (protection.outlook.com: welchtitles.com does not
> > > designate permitted sender hosts)
>
> --
> David Jones
Re: Bank fraud phish
Posted by David Jones <dj...@ena.com>.
On 10/25/2017 09:39 AM, Rupert Gallagher wrote:
>
>> -------- Original Message --------
>> Subject: Re: Bank fraud phish
>> Local Time: 25 October 2017 4:18 PM
>> UTC Time: 25 October 2017 14:18
>> From: rwmaillists@googlemail.com
>> To: users@spamassassin.apache.org
>>
>> On Wed, 25 Oct 2017 09:16:50 -0400
>> Rupert Gallagher wrote:
>>
>> The e-mail is still flagged as SPAM here.
>>
>> *
>> DMARC fails, because it passes DKIM, but fails SPF.
>>
>> This is wrong in every detail.
>>
>> It can't fail or pass DMARC because the domain welchtitles.com doesn't
>> have a DMARC record.
>>
>> If it did have a record it would pass DMARC because it doesn't
>> have an
>> aligned DKIM pass, but does have an aligned SPF pass.
>
> We run DMARC compliance tests even if the sending domain does not adopt
> the standard.
That is not practical across the board and not wise. Spammers can setup
SPF and DKIM alignment plus a DMARC record to make it perfect. You may
decide to whitelist_auth trusted good senders or subtract points but you
can't add points when the opposite is true unless you have manually
verified the sender is a spammer and created a blacklist_from entry for
that domain.
The DMARC standard says that EITHER (only takes one) SPF must pass and
align with the envelope-from domain OR DKIM must pass and align with the
From: header domain. DMARC doesn't require both to pass and align
but it's best when it does.
https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
The only valid way to do DMARC checks with SpamAssassin today is to run
something like OpenDMARC on your milter and check headers with custom
local SA custom rules. That is what I do.
As a sender, it takes a lot of work to get DMARC passing so you can't
assume that every sender is ready for DMARC checks and they just
forgot to setup their _dmarc TXT record. This may work locally in a
small environment but it won't scale out with larger environments
without a lot of false positives.
> Concerning SPF, the domain is *now* listing outlook.com as permitted
> sender. The original
> header includes evidence of the change:
>
> > Received-SPF: None (protection.outlook.com: welchtitles.com does not
> designate permitted sender hosts)
>
>
>
--
David Jones
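The pass-or-fail logic David Jones summarises, together with RW's two points (a From: domain with no DMARC record yields no DMARC result at all, and the fo= failure-reporting option never makes the check stricter), as an added example that is my own code and not the list's, OpenDMARC's or anything from RFC 7489 itself: a minimal evaluator over SPF and DKIM results that have already been computed. The organisational-domain derivation is a two-label approximation; a real implementation consults the Public Suffix List. The sample results, and the signing domain o365tenant.example.net standing in for an unaligned tenant signature, are constructed to resemble the message in the thread.

```python
from typing import Dict, List, Optional, Tuple


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.  This is
    an assumption that holds for the .com names here; real code uses the
    Public Suffix List so that example.co.uk is not collapsed to co.uk."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1: strict ('s') needs identical domains, relaxed
    ('r', the default) needs the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc_record(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Tags of a 'v=DMARC1; p=...' TXT record, or None when there is no
    usable record (absent, wrong version, or missing p= tag)."""
    if txt is None:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_result(record_txt: Optional[str], from_domain: str,
                 spf_result: str, spf_domain: str,
                 dkim_results: List[Tuple[str, str]]) -> Tuple[str, Optional[str]]:
    """Evaluate DMARC from already-computed authentication results.

    spf_domain is the MAIL FROM (or HELO) domain SPF was checked against;
    dkim_results holds (result, d= domain) per signature.  Returns
    (verdict, policy): 'none' when the From: domain publishes no record,
    so there is nothing to pass or fail; otherwise 'pass' if at least one
    of SPF or DKIM passed *and* is aligned, else 'fail'.
    """
    record = parse_dmarc_record(record_txt)
    if record is None:
        return ("none", None)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, record.get("adkim", "r"))
                  for res, d in dkim_results)
    # Either aligned pass suffices.  fo= (e.g. fo=1) only controls when
    # failure reports are sent; it does not require both mechanisms.
    return ("pass" if (spf_ok or dkim_ok) else "fail", record["p"])


# Constructed inputs shaped like the message in the thread: SPF passes for
# the From: domain, the only DKIM signature is from an unrelated domain.
FROM_DOMAIN = "welchtitles.com"
SPF = ("pass", "welchtitles.com")
DKIM = [("pass", "o365tenant.example.net")]


def thread_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    return {
        "no record":     dmarc_result(None, FROM_DOMAIN, *SPF, DKIM),
        "p=reject fo=1": dmarc_result("v=DMARC1; p=reject; fo=1", FROM_DOMAIN, *SPF, DKIM),
        "spf fails":     dmarc_result("v=DMARC1; p=reject", FROM_DOMAIN, "fail", SPF[1], DKIM),
    }
```

thread_scenarios() returns ('none', None) for the domain as it was (no record), ('pass', 'reject') once a record exists because the aligned SPF pass alone is enough, and ('fail', 'reject') only when SPF fails, since the DKIM pass is from a domain that does not align. A receiver that demands both, as Rupert's setup does, is applying a stricter local policy than the record's owner published, which is exactly the false-positive risk David Jones warns about.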
Re: Bank fraud phish
Posted by RW <rw...@googlemail.com>.
On Wed, 25 Oct 2017 10:39:54 -0400
Rupert Gallagher wrote:
> > -------- Original Message --------
> > Subject: Re: Bank fraud phish
> > Local Time: 25 October 2017 4:18 PM
> > UTC Time: 25 October 2017 14:18
> > From: rwmaillists@googlemail.com
> > To: users@spamassassin.apache.org
> >
> > On Wed, 25 Oct 2017 09:16:50 -0400
> > Rupert Gallagher wrote:
> >
> >> The e-mail is still flagged as SPAM here.
> >>
> >> - DMARC fails, because it passes DKIM, but fails SPF.
> >>
> >> This is wrong in every detail.
> >>
> >> It can't fail or pass DMARC because the domain welchtitles.com
> >> doesn't have a DMARC record.
> >>
> >> If it did have a record it would pass DMARC because it doesn't
> >> have an aligned DKIM pass, but does have an aligned SPF pass.
>
> We run DMARC compliance tests even if the sending domain does not
> adopt the standard. Concerning SPF, the domain is *now* listing
> outlook.com as permitted sender. The original header includes
> evidence of the change:
>
> > Received-SPF: None (protection.outlook.com: welchtitles.com does
> > not designate permitted sender hosts
But a few seconds later
X-Spam-Status: No, score=0.29 tagged_above=-200 required=4.8
tests=[ ... SPF_PASS
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
> -------- Original Message --------
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 4:18 PM
> UTC Time: 25 October 2017 14:18
> From: rwmaillists@googlemail.com
> To: users@spamassassin.apache.org
>
> On Wed, 25 Oct 2017 09:16:50 -0400
> Rupert Gallagher wrote:
>
>> The e-mail is still flagged as SPAM here.
>>
>> - DMARC fails, because it passes DKIM, but fails SPF.
>>
>> This is wrong in every detail.
>>
>> It can't fail or pass DMARC because the domain welchtitles.com doesn't
>> have a DMARC record.
>>
>> If it did have a record it would pass DMARC because it doesn't have an
>> aligned DKIM pass, but does have an aligned SPF pass.
We run DMARC compliance tests even if the sending domain does not adopt the standard.
Concerning SPF, the domain is *now* listing outlook.com as permitted sender. The original
header includes evidence of the change:
> Received-SPF: None (protection.outlook.com: welchtitles.com does not designate permitted sender hosts)
Re: Bank fraud phish
Posted by Benny Pedersen <me...@junc.eu>.
On 25. okt. 2017 16.18.53 RW <rw...@googlemail.com> wrote:
> If it did have a record it would pass DMARC because it doesn't have an
> aligned DKIM pass, but does have an aligned SPF pass.
SPF does not align on mailing lists, since DMARC will fail on missing DKIM
Re: Bank fraud phish
Posted by RW <rw...@googlemail.com>.
On Wed, 25 Oct 2017 09:16:50 -0400
Rupert Gallagher wrote:
> The e-mail is still flagged as SPAM here.
> - DMARC fails, because it passes DKIM, but fails SPF.
This is wrong in every detail.
It can't fail or pass DMARC because the domain welchtitles.com doesn't
have a DMARC record.
If it did have a record it would pass DMARC because it doesn't have an
aligned DKIM pass, but does have an aligned SPF pass.
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
> -------- Original Message --------
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 3:20 PM
> UTC Time: 25 October 2017 13:20
> From: h.reindl@thelounge.net
> To: users@spamassassin.apache.org, ruga@protonmail.com
> Am 25.10.2017 um 15:16 schrieb Rupert Gallagher:
>
>> MID domain does not match the FROM domain, the FROM domain does not
>> occur among the RECEIVED domains
>>
>> WTF - both are not the slightest sign of spam
They are minor signs of SPAM for us, and they get tiny zero-something points for it.
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
> -------- Original Message --------
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 3:25 PM
> UTC Time: 25 October 2017 13:25
> From: h.reindl@thelounge.net
> To: users@spamassassin.apache.org, ruga@protonmail.com
>
> Am 25.10.2017 um 15:20 schrieb Reindl Harald:
>
>> Am 25.10.2017 um 15:16 schrieb Rupert Gallagher:
>>
>>> MID domain does not match the FROM domain, the FROM domain does not
>>> occur among the RECEIVED domains
>>
>> WTF - both are not the slightest sign of spam
>>
>> nevermind, you are this moron who changed the from name to some real name
>> because "ruga" got burned - problem is that you sound like some official
>> from protonmail
>>
>> [https://mail-archives.apache.org/mod_mbox/spamassassin-users/201702.mbox/<20...@hydrogen.roaringpenguin.com>](https://mail-archives.apache.org/mod_mbox/spamassassin-users/201702.mbox/%3c20170208084441.016be92f@hydrogen.roaringpenguin.com%3e)
Said the silly who flames threads based upon false assumptions.
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
I checked from the w.s. instead of the phone, and this is the response.
The MID I observed from the iPhone is actually part of a different header of the same e-mail. The true MID is well-formed and RFC compliant:
> Message-ID: <SN...@SN1PR0601MB1616.namprd06.prod.outlook.com>
The e-mail is still flagged as SPAM here.
- DMARC fails, because it passes DKIM, but fails SPF.
- From:name domain mismatches From:addr domain (*)
- Two minor flags are also available and add up to the final score: the MID domain does not match the FROM domain, the FROM domain does not occur among the RECEIVED domains.
The test (*) has been discussed in this list, without solution. I wrote a rule two weeks ago and it proved useful a few times already, without any false positive or negative. I will share it in the next post.
R
Sent with [ProtonMail](https://protonmail.com) Secure Email.
> -------- Original Message --------
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 12:50 PM
> UTC Time: 25 October 2017 10:50
> From: markus@clardy.eu
> To: Rupert Gallagher <ru...@protonmail.com>
> John Hardin <jh...@impsec.org>, SA Mailing list <us...@spamassassin.apache.org>
>
> That isn't the Message-Id, that is the X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is compliant.
>
> On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher <ru...@protonmail.com> wrote:
>
>> The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach a photo of what I see.
>>
>> Sent from ProtonMail Mobile
>>
>> On Tue, Oct 24, 2017 at 10:05 PM, John Hardin <jh...@impsec.org> wrote:
>>
>>> On Tue, 24 Oct 2017, Rupert Gallagher wrote:
>>> > Easy one. The Message-ID is not well formed / RFC compliant. We reject such junk upfront.
>>>
>>> How so? That looks totally valid to me... < dot-atom-text @ dot-atom-text >
>>> The line break between the header and the ID is unusual, but not invalid.
>>> That might potentially be a usable spam sign.
>
> --
> - Markus
Re: Bank fraud phish
Posted by Markus Clardy <ma...@clardy.eu>.
That isn't the Message-Id, that is
the X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is
compliant.
On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher <ru...@protonmail.com>
wrote:
> The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach
> a photo of what I see.
>
> Sent from ProtonMail Mobile
>
>
> On Tue, Oct 24, 2017 at 10:05 PM, John Hardin <jh...@impsec.org> wrote:
>
> On Tue, 24 Oct 2017, Rupert Gallagher wrote:
> > Easy one. The Message-ID is not well formed / RFC compliant. We reject
> > such junk upfront.
>
> How so? That looks totally valid to me... < dot-atom-text @ dot-atom-text >
> The line break between the header and the ID is unusual, but not invalid.
> That might potentially be a usable spam sign.
>
>
--
- Markus
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach a photo of what I see.
Sent from ProtonMail Mobile
On Tue, Oct 24, 2017 at 10:05 PM, John Hardin <jh...@impsec.org> wrote:
> On Tue, 24 Oct 2017, Rupert Gallagher wrote:
> > Easy one. The Message-ID is not well formed / RFC compliant. We reject
> > such junk upfront.
>
> How so? That looks totally valid to me... < dot-atom-text @ dot-atom-text >
> The line break between the header and the ID is unusual, but not invalid.
> That might potentially be a usable spam sign.
Re: Bank fraud phish
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 24 Oct 2017, at 16:05 (-0400), John Hardin wrote:
> The line break between the header and the ID is unusual, but not invalid. That might potentially be a usable spam sign.
No, it isn't. Or at least it wasn't 2 years ago.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole
Re: Bank fraud phish
Posted by John Hardin <jh...@impsec.org>.
On Tue, 24 Oct 2017, Rupert Gallagher wrote:
> Easy one. The Message-ID is not well formed / RFC compliant. We reject such junk upfront.
How so?
<SN...@SN1PR0601MB1616.namprd06.prod.outlook.com>
That looks totally valid to me... < dot-atom-text @ dot-atom-text >
The line break between the header and the ID is unusual, but not invalid.
That might potentially be a usable spam sign.
> On Tue, Oct 24, 2017 at 8:32 PM, Alex <my...@gmail.com> wrote:
>
>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>> phishing emails, and in particular this one:
>> https://pastebin.com/wxFtKK16 It doesn't hit bayes99 because we haven't
>> seen one before, and txrep subtracts points. It also doesn't hit any
>> blacklists. Ideas for blocking these, and more general advice for
>> blocking banking fraud/phish attacks would be appreciated.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People seem to have this obsession with objects and tools as being
dangerous in and of themselves, as though a weapon will act of its
own accord to cause harm. A weapon is just a force multiplier. It's
*humans* that are (or are not) dangerous.
-----------------------------------------------------------------------
208 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
Easy one. The Message-ID is not well formed / RFC compliant. We reject such junk upfront.
Sent from ProtonMail Mobile
On Tue, Oct 24, 2017 at 8:32 PM, Alex <my...@gmail.com> wrote:
> Hi all, I'm wondering if someone has some ideas to handle bank fraud phishing emails, and in particular this one: https://pastebin.com/wxFtKK16 It doesn't hit bayes99 because we haven't seen one before, and txrep subtracts points. It also doesn't hit any blacklists. Ideas for blocking these, and more general advice for blocking banking fraud/phish attacks would be appreciated.
Re: Bank fraud phish
Posted by Rupert Gallagher <ru...@protonmail.com>.
The new rule "From:name domain mismatches From:addr domain" catches the given spample.
Sent from ProtonMail Mobile
On Wed, Oct 25, 2017 at 6:00 PM, Alex <my...@gmail.com> wrote:
> On Tue, Oct 24, 2017 at 2:49 PM, David Jones wrote:
> > On 10/24/2017 01:32 PM, Alex wrote:
> >>
> >> Hi all, I'm wondering if someone has some ideas to handle bank fraud
> >> phishing emails, and in particular this one:
> >>
> >> https://pastebin.com/wxFtKK16
> >>
> >> It doesn't hit bayes99 because we haven't seen one before, and txrep
> >> subtracts points. It also doesn't hit any blacklists.
> >>
> >> Ideas for blocking these, and more general advice for blocking banking
> >> fraud/phish attacks would be appreciated.
> >>
> >
> > Zero-hour phishing emails from Office 365 are going to be tough to block.
> > About all you can do is add a blacklist_from *@mybenefitswallet.com entry
> > and report it to SpamCop and phish@office365.microsoft.com.
>
> Is the only way to submit to spamcop to use their custom email address
> assigned to the account, or is there some command-line way to do it?
>
> We're still seeing tons of those "payment enclosed" emails with the
> short body and compromised URLs that automatically download a docx.
> I'd like to report the spam, but really would like to see the URLs
> blacklisted, and at the time I receive them, they are not.
>
> Ideally I'd like something where I can pass an email as a filename as
> an argument to a shell script. If submitting to spamcop by email is
> the only way, what is the format? As an attachment? In-line? Does
> anyone have a command-line shell script that can be used to send this
> email?
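Rupert does not post the rule itself, so what follows is one reading of "From:name domain mismatches From:addr domain" as an added example: my own code, not his rule and not a SpamAssassin rule. It flags a From: header whose display name contains an e-mail address or hostname whose registrable domain differs from the domain of the actual address, the classic display-name spoof where the visible text says a bank and the address says something else. It gives no verdict when the display name has nothing domain-like in it, and treats hosts under the same registrable domain as matching so that notify@mail.bank.example with "secure.bank.example" in the name is not flagged. The From: lines are constructed; the two-label registrable-domain shortcut stands in for a Public Suffix List lookup.

```python
import re
from email.utils import parseaddr
from typing import Dict, Optional

# Something that looks like a hostname: two or more dot-separated labels
# ending in an alphabetic TLD.  "Dr. Smith" and "Ph.D." do not match.
_DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def registrable(domain: str) -> str:
    """Last two labels; an assumption standing in for a Public Suffix List lookup."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def domain_in_display_name(name: str) -> Optional[str]:
    """Domain of an address or bare hostname embedded in the display name, if any."""
    m = _DOMAIN_RE.search(name)
    return m.group(0).lower() if m else None


def from_name_domain_mismatch(from_header: str) -> bool:
    """True when the display name advertises one domain while the actual
    address belongs to a different registrable domain.  False (no verdict)
    when the display name contains nothing domain-like or the header has no
    parsable address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    addr_domain = addr.rsplit("@", 1)[1]
    name_domain = domain_in_display_name(name)
    if name_domain is None:
        return False
    return registrable(name_domain) != registrable(addr_domain)


# Constructed From: headers covering the three cases the check must tell apart.
SAMPLES: Dict[str, str] = {
    # display name carries a bank address, the real address is elsewhere
    "phish": '"payments@bank.example" <alerts@mybenefitswallet.com>',
    # ordinary display name, nothing to compare against
    "plain": 'Alex <alex@example.com>',
    # same registrable domain, different hosts: must not be flagged
    "subdomain": '"Service (secure.bank.example)" <notify@mail.bank.example>',
}


def classify_samples() -> Dict[str, bool]:
    return {k: from_name_domain_mismatch(v) for k, v in SAMPLES.items()}
```

Only the "phish" sample is flagged. As a score contribution this belongs in the same small-positive bucket Rupert describes rather than as a hard reject: forwarding services and some CRM tools legitimately put a customer's address in the display name.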
Re: Bank fraud phish
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 25 Oct 2017, at 12:00, Alex wrote:
> Is the only way to submit to spamcop to use their custom email address
> assigned to the account, or is there some command-line way to do it?
For all the details of various ways to send mail from the command line,
see the man pages for mail, mailx, and/or sendmail.
or the TL;DR answer:
mailx -s "report spam" submit.[your SC account
gibberish]@spam.spamcop.net < rawspam.txt
But since this is the SpamAssassin-Users list, I assume you'd rather use
this feature of the 'spamassassin' script (as described in the
'spamassassin-run' man page):
-r, --report
Report this message as manually-verified spam. This will sub-
mit the mail message read from STDIN to various spam-blocker
databases. Currently, these are the Distributed Checksum
Clearinghouse "http://www.rhyolite.com/anti-spam/dcc/", Pyzor
"http://pyzor.sourceforge.net/", Vipul's Razor
"http://razor.sourceforge.net/", and SpamCop "http://www.spam-
cop.net/".
If the message contains SpamAssassin markup, the markup will be
stripped out automatically before submission. The support mod-
ules for DCC, Pyzor, and Razor must be installed for spam to be
reported to each service. SpamCop reports will have greater
effect if you register and set the "spamcop_to_address" option.
The message will also be submitted to SpamAssassin's learning
systems; currently this is the internal Bayesian statistical-
filtering system (the BAYES rules). (Note that if you only
want to perform statistical learning, and do not want to report
mail to third-parties, you should use the "sa-learn" command
directly instead.)
Note that if you are paranoid and have X-Original-To, Delivered-To, or
other headers in delivered mail that expose internal address plumbing,
you may want to pre-process the input message to remove those.
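The pre-processing Bill Cole suggests before reporting, as an added example that is my own code and not part of the spamassassin script: drop X-Original-To, Delivered-To and any other named header, folded continuation lines included, without re-serialising the message, then pipe the result to spamassassin -r on stdin. Leaving every other byte alone matters because DCC, Pyzor and Razor checksum the message; a round trip through a MIME parser could change what gets reported. The sample message is constructed; report_spam assumes a spamassassin script on PATH and is only run when the file is invoked with a message filename as its argument, which is the shape Alex asked for.

```python
import subprocess
import sys
from typing import Iterable, List, Tuple

# Headers that expose internal address plumbing and say nothing about whether
# the message is spam.  Extend to taste (e.g. X-Envelope-To).
INTERNAL_HEADERS: Tuple[str, ...] = ("X-Original-To", "Delivered-To")


def _split_headers(raw: bytes) -> Tuple[bytes, bytes]:
    """Split at the first blank line.  The header part keeps its own final
    line terminator; the rest starts with the blank line, so joining the two
    back together reproduces the original bytes exactly."""
    best = None
    for mark in (b"\r\n\r\n", b"\n\n"):
        i = raw.find(mark)
        if i >= 0 and (best is None or i < best[0]):
            best = (i, len(mark) // 2)
    if best is None:                      # headers only, no body
        return raw, b""
    i, nl = best
    return raw[:i + nl], raw[i + nl:]


def strip_internal_headers(raw: bytes, names: Iterable[str] = INTERNAL_HEADERS) -> bytes:
    """Remove the named header fields (and their folded continuation lines)
    from the header block, leaving every other byte untouched."""
    head, rest = _split_headers(raw)
    prefixes = tuple(n.lower().encode() + b":" for n in names)
    kept: List[bytes] = []
    skipping = False
    for line in head.splitlines(keepends=True):
        if line[:1] in (b" ", b"\t"):     # continuation of the previous field
            if not skipping:
                kept.append(line)
            continue
        skipping = line.lower().startswith(prefixes)
        if not skipping:
            kept.append(line)
    return b"".join(kept) + rest


def report_spam(raw: bytes) -> int:
    """Pipe the sanitised message into `spamassassin -r` and return its exit
    status.  Assumes the spamassassin script is on PATH and configured
    (spamcop_to_address set if you want SpamCop to credit the report)."""
    proc = subprocess.run(["spamassassin", "-r"], input=strip_internal_headers(raw))
    return proc.returncode


# Constructed message: the two internal headers are the ones to drop (one of
# them folded); the folded Received: line must survive intact.
SAMPLE = (
    b"Return-Path: <bounce@example.net>\n"
    b"X-Original-To: alex@internal.example\n"
    b"Delivered-To:\n"
    b" mailbox-17@mx1.internal.example\n"
    b"Received: from mx1.internal.example\n"
    b"\tby store.internal.example; Wed, 25 Oct 2017 12:00:00 +0000\n"
    b"From: x@example.net\n"
    b"Subject: payment enclosed\n"
    b"\n"
    b"Payment enclosed, see attached.\n"
)

if __name__ == "__main__":
    # usage: python report.py /path/to/raw-spam.eml
    with open(sys.argv[1], "rb") as fh:
        raise SystemExit(report_spam(fh.read()))
```

Because the script only reports what it is given on the command line, the constructed SAMPLE is never submitted anywhere; it exists so strip_internal_headers can be checked offline.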
Re: Bank fraud phish
Posted by Larry Rosenman <le...@lerctr.org>.
On Wed, Oct 25, 2017 at 11:52:17AM -0500, David Jones wrote:
> I have a script (see below) watching a "SpamCop" folder that sends it to my
> custom SpamCop address as an attachment using mutt. All I have to do is
> drag-n-drop into that folder and the submission is automated. I wait a
> couple of minutes for the SpamCop submission email with its link to the
> spam report then click it to confirm the submission.
>
> > We're still seeing tons of those "payment enclosed" emails with the
> > short body and compromised URLs that automatically download a docx.
> > I'd like to report the spam, but really would like to see the URLs
> > blacklisted, and at the time I receive them, they are not.
> >
>
> Spammers tend to batch these up and blast them out in waves so they can get
> maximum usage for each compromised web server. They only get a few hours or
> so before that URL is blocked or taken down (hopefully) so again these
> zero-hour spam are going to be hard to block. We still need to report them.
> The feedback does help.
>
> Coincidentally, I am seeing a ton of new spam today from compromised
> accounts all around the Internet. The subjects have "from" or "to" and the
> recipients name along with a URL containing the recipients name. Many are
> abusing .webcam URLs so the bad guys must have found new exploits of webcams
> and have saved up a bunch of compromised accounts to burn through today.
>
> > Ideally I'd like something where I can pass an email as a filename as
> > an argument to a shell script. If submitting to spamcop by email is
> > the only way, what is the format? As an attachment? In-line? Does
> > anyone have a command-line shell script that can be used to send this
> > email?
> >
>
> If you have access to the filesystem and cron on your mail server then you
> can run something simple like this directly on your mail server:
>
> cd /var/vmail/vmail1/.../Maildir/.Spamcop/new
> mv * ../cur
> cd ../cur
>
> for FILE in *; do
>     echo "Spam attached." | mutt -e 'my_hdr From:someone@example.com' \
>         -a "$FILE" -s "Spam Submission" -- submit.special.address@spam.spamcop.net
>     sleep 9
> done
>
> I have an iRedMail Dovecot spamtrap server that stores the emails in maildir
> format where I can run this from cron every 5 minutes. I am also able to
> release emails from my MailScanner servers to this spamtrap mailbox
> retaining the original headers.
>
> If you don't have direct access to your server and it's a remote POP or
> IMAP, collect the spam via fetchmail or something to get it into a local
> folder then use mutt to send it as an attachment.
>
> --
> David Jones
You might also be able to set up something using imapsieve to do the same thing as the mail gets copied to
that folder. I have my SpamAssassin getting trained for messages in and out of my spam folder.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106
Re: Bank fraud phish
Posted by David Jones <dj...@ena.com>.
On 10/25/2017 11:00 AM, Alex wrote:
> On Tue, Oct 24, 2017 at 2:49 PM, David Jones <dj...@ena.com> wrote:
>> On 10/24/2017 01:32 PM, Alex wrote:
>>>
>>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>>> phishing emails, and in particular this one:
>>>
>>> https://pastebin.com/wxFtKK16
>>>
>>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>>> subtracts points. It also doesn't hit any blacklists.
>>>
>>> Ideas for blocking these, and more general advice for blocking banking
>>> fraud/phish attacks would be appreciated.
>>>
>>
>> Zero-hour phishing emails from Office 365 are going to be tough to block.
>> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
>> and report it to SpamCop and phish@office365.microsoft.com.
>
> Is the only way to submit to spamcop to use their custom email address
> assigned to the account, or is there some command-line way to do it?
>
I have a script (see below) watching a "SpamCop" folder that sends it to
my custom SpamCop address as an attachment using mutt. All I have to do
is drag-n-drop into that folder and the submission is automated. I wait
a couple of minutes for the SpamCop submission email with its link to
the spam report then click it to confirm the submission.
> We're still seeing tons of those "payment enclosed" emails with the
> short body and compromised URLs that automatically download a docx.
> I'd like to report the spam, but really would like to see the URLs
> blacklisted, and at the time I receive them, they are not.
>
Spammers tend to batch these up and blast them out in waves so they can
get maximum usage for each compromised web server. They only get a few
hours or so before that URL is blocked or taken down (hopefully) so
again these zero-hour spam are going to be hard to block. We still need to
report them. The feedback does help.
Coincidentally, I am seeing a ton of new spam today from compromised
accounts all around the Internet. The subjects have "from" or "to" and
the recipients name along with a URL containing the recipients name.
Many are abusing .webcam URLs so the bad guys must have found new
exploits of webcams and have saved up a bunch of compromised accounts to
burn through today.
> Ideally I'd like something where I can pass an email as a filename as
> an argument to a shell script. If submitting to spamcop by email is
> the only way, what is the format? As an attachment? In-line? Does
> anyone have a command-line shell script that can be used to send this
> email?
>
If you have access to the filesystem and cron on your mail server then
you can run something simple like this directly on your mail server:
#!/bin/sh
# Runs from cron: submit everything dropped into the SpamCop folder, then
# remove each file so the next run does not submit it a second time.
set -e
cd /var/vmail/vmail1/.../Maildir/.Spamcop/new
for FILE in *; do
    [ -f "$FILE" ] && mv -- "$FILE" ../cur   # skips the literal '*' when new/ is empty
done
cd ../cur

for FILE in *; do
    [ -f "$FILE" ] || continue
    echo "Spam attached." | mutt -e 'my_hdr From: someone@example.com' \
        -a "$FILE" -s "Spam Submission" -- submit.special.address@spam.spamcop.net
    rm -f -- "$FILE"
    sleep 9
done
I have an iRedMail Dovecot spamtrap server that stores the emails in
maildir format where I can run this from cron every 5 minutes. I am
also able to release emails from my MailScanner servers to this spamtrap
mailbox retaining the original headers.
If you don't have direct access to your server and it's a remote POP or
IMAP, collect the spam via fetchmail or something to get it into a local
folder then use mutt to send it as an attachment.
--
David Jones
Re: Bank fraud phish
Posted by Alex <my...@gmail.com>.
On Tue, Oct 24, 2017 at 2:49 PM, David Jones <dj...@ena.com> wrote:
> On 10/24/2017 01:32 PM, Alex wrote:
>>
>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>> phishing emails, and in particular this one:
>>
>> https://pastebin.com/wxFtKK16
>>
>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>> subtracts points. It also doesn't hit any blacklists.
>>
>> Ideas for blocking these, and more general advice for blocking banking
>> fraud/phish attacks would be appreciated.
>>
>
> Zero-hour phishing emails from Office 365 are going to be tough to block.
> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
> and report it to SpamCop and phish@office365.microsoft.com.
Is the only way to submit to spamcop to use their custom email address
assigned to the account, or is there some command-line way to do it?
We're still seeing tons of those "payment enclosed" emails with the
short body and compromised URLs that automatically download a docx.
I'd like to report the spam, but really would like to see the URLs
blacklisted, and at the time I receive them, they are not.
Ideally I'd like something where I can pass an email as a filename as
an argument to a shell script. If submitting to spamcop by email is
the only way, what is the format? As an attachment? In-line? Does
anyone have a command-line shell script that can be used to send this
email?
Re: Bank fraud phish
Posted by David Jones <dj...@ena.com>.
On 10/24/2017 07:41 PM, Alex wrote:
> On Tue, Oct 24, 2017 at 2:49 PM, David Jones <dj...@ena.com> wrote:
>> On 10/24/2017 01:32 PM, Alex wrote:
>>>
>>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>>> phishing emails, and in particular this one:
>>>
>>> https://pastebin.com/wxFtKK16
>>>
>>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>>> subtracts points. It also doesn't hit any blacklists.
>>>
>>> Ideas for blocking these, and more general advice for blocking banking
>>> fraud/phish attacks would be appreciated.
>>>
>>
>> Zero-hour phishing emails from Office 365 are going to be tough to block.
>> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
>> and report it to SpamCop and phish@office365.microsoft.com.
>
> For the most part, I agree, but the client here has also contracted
> with Wombat and they managed to detect this email as "Probably Phish".
> We're missing something with spamassassin.
>
They could have some general rules like:
/account.{1,30}locked/i
/email.{1,50}security/i
that would flag a lot of legit emails as "Probably Phish". If they do
this a lot then users will ignore that flag and quickly it becomes useless.
Are they modifying the subject with "Probably Phish" to tell the users?
It's much easier to modify the subject of false positives with a very
low score vs. what Spamassassin has to do by accurately scoring the message.
That message did have a lot of bad English and misspellings. Too bad we
can't introduce AI into SA somehow in a secure way locally where no
information was sent out to the cloud. This would be about the only
chance to stop zero-hour spam that has been hand crafted to pass through
most mail filters before DCC, Razor, Bayes, RBLs, DBLs, detect and react
to it.
--
David Jones
Re: Bank fraud phish
Posted by Pedro David Marco <pe...@yahoo.com>.
>For the most part, I agree, but the client here has also contracted
>with Wombat and they managed to detect this email as "Probably Phish".
>We're missing something with spamassassin.
Any security system, Antiviruses, Sandboxes, etc... that can be tested in advance can be bypassed... it is just a matter of time (and maybe money).
----Pedro
Re: Bank fraud phish
Posted by Alex <my...@gmail.com>.
On Tue, Oct 24, 2017 at 2:49 PM, David Jones <dj...@ena.com> wrote:
> On 10/24/2017 01:32 PM, Alex wrote:
>>
>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>> phishing emails, and in particular this one:
>>
>> https://pastebin.com/wxFtKK16
>>
>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>> subtracts points. It also doesn't hit any blacklists.
>>
>> Ideas for blocking these, and more general advice for blocking banking
>> fraud/phish attacks would be appreciated.
>>
>
> Zero-hour phishing emails from Office 365 are going to be tough to block.
> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
> and report it to SpamCop and phish@office365.microsoft.com.
For the most part, I agree, but the client here has also contracted
with Wombat and they managed to detect this email as "Probably Phish".
We're missing something with spamassassin.
Re: Bank fraud phish
Posted by David Jones <dj...@ena.com>.
On 10/24/2017 01:32 PM, Alex wrote:
> Hi all, I'm wondering if someone has some ideas to handle bank fraud
> phishing emails, and in particular this one:
>
> https://pastebin.com/wxFtKK16
>
> It doesn't hit bayes99 because we haven't seen one before, and txrep
> subtracts points. It also doesn't hit any blacklists.
>
> Ideas for blocking these, and more general advice for blocking banking
> fraud/phish attacks would be appreciated.
>
Zero-hour phishing emails from Office 365 are going to be tough to
block. About all you can do is add a blacklist_from
*@mybenefitswallet.com entry and report it to SpamCop and
phish@office365.microsoft.com.
--
David Jones
Re: Bank fraud phish
Posted by Pedro David Marco <pe...@yahoo.com>.
Thanks David!
I totally agree... and the photo is also a fake :-) Children learning to ride a bike do not smile! They suffer panic! :-p
cheer...
Pedro.
From: David B Funk <db...@engineering.uiowa.edu>
To: SA Mailing list <us...@spamassassin.apache.org>
Sent: Tuesday, October 24, 2017 11:12 PM
Subject: Re: Bank fraud phish
On Tue, 24 Oct 2017, Pedro David Marco wrote:
> Out of curiosity...
>
> "account is deactivated due to inactive,"
>
> Is this correct in English? Shouldn't it be "inactivity"?
It isn't good English, but I've seen worse from official notices.
Now the fact that it claims to be a US financial company being served from a
South African website with a cPanel SSL certificate which has a ONE MONTH life
span is darned fishy.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Bank fraud phish
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 24 Oct 2017, Pedro David Marco wrote:
> Out of curiosity...
>
> "account is deactivated due to inactive,"
>
> Is this correct in English? Shouldn't it be "inactivity"?
It isn't good English, but I've seen worse from official notices.
Now the fact that it claims to be a US financial company being served from a
South African website with a cPanel SSL certificate which has a ONE MONTH life
span is darned fishy.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Bank fraud phish
Posted by Alex <my...@gmail.com>.
Hi,
On Tue, Oct 24, 2017 at 4:34 PM, Pedro David Marco
<pe...@yahoo.com> wrote:
> Out of curiosity...
>
> "account is deactivated due to inactive,"
>
> Is this correct in English? Shouldn't it be "inactivity"?
Yes, it's not proper English, but I don't think it really matters -
there are innumerable potential variations, so using some body pattern
to block them continues to be difficult.
Re: Bank fraud phish
Posted by Pedro David Marco <pe...@yahoo.com>.
Out of curiosity...
"account is deactivated due to inactive,"
Is this correct in English? Shouldn't it be "inactivity"?
----Pedro
Re: Bank fraud phish
Posted by Pedro David Marco <pe...@yahoo.com>.
Probably it would be a good idea to have a list of potential "phishing-able" important companies... just as there is one for freemailers..
Very greedy, I know... :-)
---Pedro
Re: Bank fraud phish
Posted by Merijn van den Kroonenberg <me...@web2all.nl>.
> Hi all, I'm wondering if someone has some ideas to handle bank fraud
> phishing emails, and in particular this one:
>
> https://pastebin.com/wxFtKK16
>
> It doesn't hit bayes99 because we haven't seen one before, and txrep
> subtracts points. It also doesn't hit any blacklists.
>
> Ideas for blocking these, and more general advice for blocking banking
> fraud/phish attacks would be appreciated.
>
You can create custom rules for each bank used by your userbase.
Basically you give penalties for the bank name being used in the From
address. And then you undo these penalties for legitimate bank mails. This
you can do by spf/dkim whitelisting them or by checking the From:addr
domain and DKIM_VALID_AU.
Or you can do something like this:
header __BENEFIT_FROM From =~ /Benefitwallet/i
describe __BENEFIT_FROM From name includes Benefitwallet
header __BENEFIT_PHISHING_BADFROMADDR From:addr !~ /benefitwallet/
describe __BENEFIT_PHISHING_BADFROMADDR The from e-mail address does not contain benefitwallet
meta BENEFIT_PHISHING_BADFROM (__BENEFIT_FROM && __BENEFIT_PHISHING_BADFROMADDR)
describe BENEFIT_PHISHING_BADFROM Fake Benefitwallet mail
score BENEFIT_PHISHING_BADFROM 3.5
The above rule assumes the legit domain at least has benefitwallet in it.
Basically it all depends on what you know about the bank and how unique
their name is. The more unique, the easier to give penalties to its usage.
And if you can find out from what domains the bank sends legit mail, you
can do dkim whitelisting or DKIM_VALID_AU checks in your rules.
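The rule set above, carried over into Python as an added example (not code from this thread or from SpamAssassin): it generalises the From-name versus From:addr check to a table of brands and applies the DKIM_VALID_AU "undo" for legitimate bank mail that the post describes. The brand table, the domains in it and the sample headers are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Brand token -> domains the brand is known to DKIM-sign mail from.
# Constructed placeholders; fill in the real signing domains of each bank
# your users deal with.
PROTECTED_BRANDS = {
    "benefitwallet": {"benefitwallet.com"},
    "examplebank": {"examplebank.com", "mail.examplebank.com"},
}
BRAND_PENALTY = 3.5  # same score the thread gives BENEFIT_PHISHING_BADFROM


def split_from(from_header):
    """Return (display_name, address, address_domain) for a raw From: value."""
    name, addr = parseaddr(from_header)
    return name, addr.lower(), addr.rpartition("@")[2].lower()


def score_from(from_header, dkim_valid_au_domain=None):
    """Evaluate a From: header against every protected brand.

    Returns (rule_names, score). dkim_valid_au_domain is the d= domain of a
    DKIM signature aligned with the From: domain (what DKIM_VALID_AU reports
    in SpamAssassin); a signed mail from a known legit domain gets no penalty.
    """
    name, addr, domain = split_from(from_header)
    hits, score = [], 0.0
    for brand, legit_domains in PROTECTED_BRANDS.items():
        tag = brand.upper()
        # __BRAND_FROM: the brand name appears in the display name
        if not re.search(brand, name, re.I):
            continue
        hits.append(f"__{tag}_FROM")
        # __BRAND_PHISHING_BADFROMADDR: the address part never mentions the brand
        if brand not in addr:
            hits.append(f"__{tag}_PHISHING_BADFROMADDR")
            hits.append(f"{tag}_PHISHING_BADFROM")  # the meta rule fires
            score += BRAND_PENALTY
        elif dkim_valid_au_domain and dkim_valid_au_domain.lower() in legit_domains:
            hits.append(f"{tag}_DKIM_OK")  # aligned DKIM from the bank: penalty undone
    return hits, score


if __name__ == "__main__":
    # constructed sample headers, not taken from the reported message
    for hdr in ['"BenefitWallet Support" <alerts@notify.example.net>',
                "BenefitWallet <noreply@benefitwallet.com>"]:
        print(hdr, "->", score_from(hdr, "benefitwallet.com"))
```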