Posted to users@spamassassin.apache.org by David Jones <dj...@ena.com> on 2018/01/23 21:52:56 UTC
Pretty good spoof of AmEx
Here is a good example of a spoof that might get user clicks. It didn't
have good SPF or DKIM, but it could have pretty easily, making it look
pretty clean in a default SA installation.
https://pastebin.com/GTG8K56a
Need to get this IP off of the HostKarma and dnswl.org whitelists if
anyone from there is on this list.
On the other hand, here is a legit AmEx email that looks nearly
identical. I challenge everyone to run these through your SA instances
by saving them to your servers as a file then running "spamassassin -D <
file" and see how they score.
https://pastebin.com/KLQyaZrJ
I will be adding this entry to 60_whitelist_auth.cf soon so in less than
a week the authentic AmEx emails will be scoring very low for everyone
that is running sa-update regularly:
def_whitelist_auth *@*.aexp.com
Kevin already had something similar to this in KAM.cf checking for
SPF_FAIL from aexp.com but it wouldn't help with that spoofed one at the
top with the "m" in the domain.
--
David Jones
Re: Pretty good spoof of AmEx
Posted by RW <rw...@googlemail.com>.
On Thu, 25 Jan 2018 01:05:48 +0000
RW wrote:
> On Wed, 24 Jan 2018 03:07:48 -0500
> Rupert Gallagher wrote:
>
> > To: address matches Reply-To: address.
>
>
> From: Rupert Gallagher <ru...@protonmail.com>
> Reply-To: Rupert Gallagher <ru...@protonmail.com>
Sorry I misread that.
Re: Pretty good spoof of AmEx
Posted by RW <rw...@googlemail.com>.
On Wed, 24 Jan 2018 03:07:48 -0500
Rupert Gallagher wrote:
> To: address matches Reply-To: address.
From: Rupert Gallagher <ru...@protonmail.com>
Reply-To: Rupert Gallagher <ru...@protonmail.com>
Re: Pretty good spoof of AmEx
Posted by Rupert Gallagher <ru...@protonmail.com>.
To: address matches Reply-To: address.
Sent from ProtonMail Mobile
Re: Pretty good spoof of AmEx
Posted by John Hardin <jh...@impsec.org>.
On Tue, 23 Jan 2018, David Jones wrote:
> Here is a good example of a spoof that might get user clicks. It didn't have
> good SPF or DKIM, but it could have pretty easily, making it look pretty clean
> in a default SA installation.
>
> https://pastebin.com/GTG8K56a
Possible spam sign: multiple instances of "http:///" (three slashes)
followed by something that does not look even remotely like an FQDN.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
[People] are socialists because they are blinded by
envy and ignorance. -- economist Ludwig von Mises (1881-1973)
-----------------------------------------------------------------------
Today: John Moses Browning's 163rd Birthday
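As an added illustration of John's heuristic (this is not code from the thread, from John, or from the SpamAssassin rule set), here is a Python check that pulls every "http:///" URI out of a message body and counts how many are not followed by something shaped like a host name. The sample body is constructed for the example, and the FQDN pattern and the threshold of two hits are assumptions; in a live SA install the same idea would be expressed as a rawbody or uri rule rather than as Python.

```python
import re

# Constructed sample body for illustration; it is not the message behind the
# pastebin link in the thread.
SAMPLE_BODY = """\
Dear Cardmember,

Your account requires verification. Please visit
http:///secure-login to confirm your identity, or
http:///verify?id=12345 within 24 hours.

Sincerely,
Customer Care
http://www.americanexpress.com/
"""

# A URI with three slashes after the scheme has an empty authority, so whatever
# follows is a path rather than a host. Capture it up to whitespace or a
# delimiter that commonly ends a URI in mail text.
TRIPLE_SLASH_URI = re.compile(r'https?:///([^\s"\'<>)\]]*)', re.IGNORECASE)

# Loose FQDN shape (an assumption, not a full hostname validator): dot-separated
# labels of letters, digits and hyphens, ending in an alphabetic top-level label
# of two or more characters.
FQDN = re.compile(r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$',
                  re.IGNORECASE)


def triple_slash_tails(body):
    """Return the text following each 'http:///' or 'https:///' in body."""
    return TRIPLE_SLASH_URI.findall(body)


def looks_like_fqdn(tail):
    """True if the leading component of tail (before any '/', '?' or '#')
    has the shape of a fully qualified domain name."""
    host = re.split(r'[/?#]', tail, maxsplit=1)[0]
    return bool(FQDN.match(host))


def count_bogus_triple_slash(body):
    """Number of triple-slash URIs whose first component is not FQDN-shaped."""
    return sum(1 for tail in triple_slash_tails(body) if not looks_like_fqdn(tail))


def has_multiple_bogus_triple_slash(body, threshold=2):
    """The heuristic from the thread: several 'http:///' URIs that are not
    followed by anything resembling a host name. Threshold is an assumption."""
    return count_bogus_triple_slash(body) >= threshold


if __name__ == "__main__":
    for tail in triple_slash_tails(SAMPLE_BODY):
        print(f"http:///{tail}  fqdn-like={looks_like_fqdn(tail)}")
    print("flag:", has_multiple_bogus_triple_slash(SAMPLE_BODY))
```

The ordinary two-slash link at the bottom of the sample is deliberately ignored: the point of the heuristic is the empty authority, not the presence of a link. A legitimate "http:///www.example.com/..." typo still passes the FQDN check, so only the path-only form counts toward the threshold.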
Re: Pretty good spoof of AmEx
Posted by Tobi <ja...@gmx.ch>.
Not 100% sure about the 168.100.1.4 IP, but the 168.100.1.3 IP is used by the official Postfix mailing list. Pretty sure they should not be removed from dnswl :-)
----- Original Message -----
From: David Jones <dj...@ena.com>
Sent: 24.01.18 - 03:26
To: users@spamassassin.apache.org
Subject: Re: Pretty good spoof of AmEx
> On 01/23/2018 07:11 PM, Alex wrote:
>> Hi,
>>
>> On Tue, Jan 23, 2018 at 4:52 PM, David Jones <dj...@ena.com> wrote:
>>> Here is a good example of a spoof that might get user clicks. It didn't
>>> have good SPF or DKIM, but it could have pretty easily, making it look pretty
>>> clean in a default SA installation.
>>>
>>> https://pastebin.com/GTG8K56a
>>>
>>> Need to get this IP off of the HostKarma and dnswl.org whitelists if anyone
>>> from there is on this list.
>>
>
> Sounds like this is a shared IP with some good senders so this may need
> to be reported to cloud9.net so they can find the source of this abuse
> of their server.
>
>> This appears to have hit on your side. Is this just an FYI?
>>
>
> Do you mean my SA (MailScanner) blocked it? Yes it did. Mostly due to
> properly trained Bayes DB, DCC, Pyzor, and local rules. Just trying
> to show my strategy for detecting and blocking spoofing as SPF, DKIM,
> and DMARC are being properly implemented by companies that are common
> targets of spoofing.
>
> Safely whitelist_auth the Envelope-From domain and then set up
> header/body rules to block the spoofing text.
>
>> X-ENA-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (cached,
>> score=17.85, required 4, BAYES_99 5.20, BAYES_999 0.20,
>>
>> Yeah, not good.
>> -2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
>> [168.100.1.4 listed in hostkarma.junkemailfilter.com]
>> -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
>> trust [168.100.1.4 listed in list.dnswl.org]
>>
>> Were there no EnvelopeFrom or Return-Path header?
>>
>
> EnvelopeFrom domain was welcome.aexp.com as you can see in the
> Authentication-Results added by my MTA with OpenDMARC. The legit email
> has perfect DMARC alignment on both SPF and DKIM and they run with p=reject.
>
> No Return-Path header in the original.
>
>> This hits a local rule involving undisclosed-recips and/or not to my
>> domain and "urgent" messages. It also now hits pyzor and dcc.
>>
>
> Is this Bcc'd recipients? That can be helpful information but probably
> not a high scoring rule unless you are combining it in a meta with other
> hits.
>
>> I also have a rule that adds 1.2 points to emails that hit hostkarma
>> with no domain security.
>>
>
> How is this a sign of spam? Have you noticed a pattern? I will search
> my logs (actually run a SQL query) for this to see if you are onto
> something here.
>
>>> Kevin already had something similar to this in KAM.cf checking for SPF_FAIL
>>> from aexp.com but it wouldn't help with that spoofed one at the top with the
>>> "m" in the domain.
>>
>> Should we try to do something about "american express" with a faked
>> domain (amexp.com)?
>>
>
> We could setup a 60_blacklist_from.cf file in the SA ruleset for
> definite bad domains but that's probably not the best place to maintain
> that. It really should be in major DBLs that SA already knows to check.
>
> --
> David Jones
Re: Pretty good spoof of AmEx
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 23 Jan 2018, at 21:26 (-0500), David Jones wrote:
> We could setup a 60_blacklist_from.cf file in the SA ruleset for
> definite bad domains but that's probably not the best place to
> maintain that. It really should be in major DBLs that SA already
> knows to check.
+1
Unsurprisingly, running a derogatory reputation service is a toxic
quagmire that the Apache SpamAssassin Project should not dive into. I
have nothing but awe and respect for Steve Linford & his team at
Spamhaus, precisely because they have figured out how to survive while
publicly saying blatantly unflattering things about many people who have
little respect for law or basic human decency. Doing that requires human
and technical infrastructure that I would not expect the ASF or
independent benefactors to be able or willing to provide. IMHO it is
risky enough that we essentially bless a subset of a restricted class of
senders via the "default whitelist" subsystem and we don't need the
headache of distributing a list of "bad guys" that would need constant
diligent maintenance to avoid being de facto defamatory. After all,
domain registrations do expire and people do blindly re-register
"burner" domains that spammers have had their fill of and let expire.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
Re: Pretty good spoof of AmEx
Posted by David Jones <dj...@ena.com>.
On 01/23/2018 07:11 PM, Alex wrote:
> Hi,
>
> On Tue, Jan 23, 2018 at 4:52 PM, David Jones <dj...@ena.com> wrote:
>> Here is a good example of a spoof that might get user clicks. It didn't
>> have good SPF or DKIM, but it could have pretty easily, making it look pretty
>> clean in a default SA installation.
>>
>> https://pastebin.com/GTG8K56a
>>
>> Need to get this IP off of the HostKarma and dnswl.org whitelists if anyone
>> from there is on this list.
>
Sounds like this is a shared IP with some good senders so this may need
to be reported to cloud9.net so they can find the source of this abuse
of their server.
> This appears to have hit on your side. Is this just an FYI?
>
Do you mean my SA (MailScanner) blocked it? Yes it did. Mostly due to
properly trained Bayes DB, DCC, Pyzor, and local rules. Just trying
to show my strategy for detecting and blocking spoofing as SPF, DKIM,
and DMARC are being properly implemented by companies that are common
targets of spoofing.
Safely whitelist_auth the Envelope-From domain and then set up
header/body rules to block the spoofing text.
> X-ENA-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (cached,
> score=17.85, required 4, BAYES_99 5.20, BAYES_999 0.20,
>
> Yeah, not good.
> -2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
> [168.100.1.4 listed in hostkarma.junkemailfilter.com]
> -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
> trust [168.100.1.4 listed in list.dnswl.org]
>
> Were there no EnvelopeFrom or Return-Path header?
>
EnvelopeFrom domain was welcome.aexp.com as you can see in the
Authentication-Results added by my MTA with OpenDMARC. The legit email
has perfect DMARC alignment on both SPF and DKIM and they run with p=reject.
No Return-Path header in the original.
> This hits a local rule involving undisclosed-recips and/or not to my
> domain and "urgent" messages. It also now hits pyzor and dcc.
>
Is this Bcc'd recipients? That can be helpful information but probably
not a high scoring rule unless you are combining it in a meta with other
hits.
> I also have a rule that adds 1.2 points to emails that hit hostkarma
> with no domain security.
>
How is this a sign of spam? Have you noticed a pattern? I will search
my logs (actually run a SQL query) for this to see if you are onto
something here.
>> Kevin already had something similar to this in KAM.cf checking for SPF_FAIL
>> from aexp.com but it wouldn't help with that spoofed one at the top with the
>> "m" in the domain.
>
> Should we try to do something about "american express" with a faked
> domain (amexp.com)?
>
We could setup a 60_blacklist_from.cf file in the SA ruleset for
definite bad domains but that's probably not the best place to maintain
that. It really should be in major DBLs that SA already knows to check.
--
David Jones
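As an added illustration of the strategy David describes here and in the opening post (whitelist_auth the authenticated brand domain, then flag the spoofing text), here is a Python sketch of the same two-step decision. It is not code from the thread, from SpamAssassin, or from OpenDMARC. It reads the Authentication-Results header a receiving MTA adds, treats a message as whitelisted only when its From: domain is a trusted brand domain and an SPF- or DKIM-authenticated identity aligns with it, and otherwise flags any message carrying the brand text. The two sample messages are constructed for the example (they are not the pastebin messages), the relaxed "last two labels" alignment rule is a simplification, and the header regexes assume the common Authentication-Results layout.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains whose mail we trust only when it authenticates, the equivalent of
# the `def_whitelist_auth *@*.aexp.com` entry discussed in the thread.
TRUSTED_BRAND_DOMAINS = {"aexp.com"}

# Brand text that a non-authenticated message should not be carrying.
BRAND_TEXT = re.compile(r"\bAmerican\s+Express\b", re.IGNORECASE)

# Constructed sample messages, not the messages from the thread's pastebin links.
LEGIT = """\
Return-Path: <bounce@welcome.aexp.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=welcome.aexp.com;
 dkim=pass header.d=welcome.aexp.com; dmarc=pass header.from=welcome.aexp.com
From: "American Express" <AmericanExpress@welcome.aexp.com>
To: cardmember@example.net
Subject: Your statement is ready
Content-Type: text/plain

Your American Express statement is now available online.
"""

SPOOF = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=welcome.aexp.com;
 dkim=none; dmarc=none header.from=welcome.amexp.com
From: "American Express" <AmericanExpress@welcome.amexp.com>
To: undisclosed-recipients:;
Subject: Urgent: verify your account now
Content-Type: text/plain

Your American Express account has been limited. Log in to restore access.
"""


def org_domain(domain):
    """Organisational domain as the last two labels. Good enough for aexp.com;
    a real implementation would consult the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def authenticated_domains(auth_results):
    """Domains that passed DKIM (header.d) or SPF (smtp.mailfrom) according to
    the receiving MTA's Authentication-Results header(s)."""
    passed = set()
    for m in re.finditer(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)",
                         auth_results, re.IGNORECASE):
        passed.add(m.group(1).lower())
    for m in re.finditer(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)",
                         auth_results, re.IGNORECASE):
        passed.add(m.group(1).lower())
    return passed


def text_of(msg):
    """Plain-text content of the message, ignoring non-text parts."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def classify(raw_message):
    """'whitelisted' when the From: domain is a trusted brand domain and an
    SPF- or DKIM-authenticated identity aligns with it (relaxed alignment);
    'brand_spoof' when the brand text appears without that authentication;
    'neutral' otherwise."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))

    aligned = any(org_domain(d) == org_domain(from_domain)
                  for d in authenticated_domains(auth))
    if org_domain(from_domain) in TRUSTED_BRAND_DOMAINS and aligned:
        return "whitelisted"
    if BRAND_TEXT.search(from_header + "\n" + text_of(msg)):
        return "brand_spoof"
    return "neutral"


if __name__ == "__main__":
    print("legit:", classify(LEGIT))
    print("spoof:", classify(SPOOF))
```

Note that the lookalike "amexp.com" never has to be enumerated: it is caught because it fails the authenticated-whitelist step while still carrying the brand text, and the same path catches a message that forges welcome.aexp.com itself but fails SPF and DKIM. That is the reason for whitelisting the good sender rather than maintaining a list of bad domains, the point made later in the thread about a 60_blacklist_from.cf.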
Re: Pretty good spoof of AmEx
Posted by Alex <my...@gmail.com>.
Hi,
On Tue, Jan 23, 2018 at 4:52 PM, David Jones <dj...@ena.com> wrote:
> Here is a good example of a spoof that might get user clicks. It didn't
> have good SPF or DKIM, but it could have pretty easily, making it look pretty
> clean in a default SA installation.
>
> https://pastebin.com/GTG8K56a
>
> Need to get this IP off of the HostKarma and dnswl.org whitelists if anyone
> from there is on this list.
This appears to have hit on your side. Is this just an FYI?
X-ENA-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (cached,
score=17.85, required 4, BAYES_99 5.20, BAYES_999 0.20,
Yeah, not good.
-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
[168.100.1.4 listed in hostkarma.junkemailfilter.com]
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust [168.100.1.4 listed in list.dnswl.org]
Were there no EnvelopeFrom or Return-Path header?
This hits a local rule involving undisclosed-recips and/or not to my
domain and "urgent" messages. It also now hits pyzor and dcc.
I also have a rule that adds 1.2 points to emails that hit hostkarma
with no domain security.
> Kevin already had something similar to this in KAM.cf checking for SPF_FAIL
> from aexp.com but it wouldn't help with that spoofed one at the top with the
> "m" in the domain.
Should we try to do something about "american express" with a faked
domain (amexp.com)?