Posted to users@spamassassin.apache.org by Benny Pedersen <me...@junc.eu> on 2021/01/20 02:07:22 UTC
netflix phishing emails forwarded via sendgrid
i have added urls to phishtank
if its could be added rules to spamassassin to detect it better i can
send sample to sa pmc members
X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no
autolearn_force=no,
LastExt=149.72.91.245
X-Spam-Rules_score:
DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
mx relay is sendgrid, but envelope sender is not sendgrid
https://phishtank.com/phish_detail.php?phish_id=6927641
https://phishtank.com/phish_detail.php?phish_id=6927893
Re: netflix phishing emails forwarded via sendgrid
Posted by "Anne P. Mitchell, Esq." <am...@isipp.com>.
Does anyone have a copy of the netflix phishing that they could forward to me at amitchell@isipp.com, including the body of it?
TIA!
Anne
> On Feb 2, 2021, at 1:04 AM, Benny Pedersen <me...@junc.eu> wrote:
>
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
>
> too much phishing in winter half year to my taste
>
> i just google report urls now, and still add to phishtank, hopefully phishers get a real life
>
> you can safely add 1.5 more to KAM_SENDGRID, if it continues i do it locally
>
> no need to argue http://multirbl.valli.org/lookup/149.72.91.245.html :-)
>
>> On 1/19/2021 9:07 PM, Benny Pedersen wrote:
>>> i have added urls to phishtank
>>> if its could be added rules to spamassassin to detect it better i can send sample to sa pmc members
>>> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no autolearn_force=no,
>>> LastExt=149.72.91.245
>>> X-Spam-Rules_score: DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
>>> DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
>>> HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
>>> KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
>>> SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>>> mx relay is sendgrid, but envelope sender is not sendgrid
>>> https://phishtank.com/phish_detail.php?phish_id=6927641
>>> https://phishtank.com/phish_detail.php?phish_id=6927893
Re: netflix phishing emails forwarded via sendgrid
Posted by Benny Pedersen <me...@junc.eu>.
On 2021-02-02 03:25, Kevin A. McGrail wrote:
> Since it's already hitting 8.9, why do more?
too much phishing in winter half year to my taste
i just google report urls now, and still add to phishtank, hopefully
phishers get a real life
you can safely add 1.5 more to KAM_SENDGRID, if it continues i do it
locally
no need to argue http://multirbl.valli.org/lookup/149.72.91.245.html :-)
>
> On 1/19/2021 9:07 PM, Benny Pedersen wrote:
>> i have added urls to phishtank
>>
>> if its could be added rules to spamassassin to detect it better i can
>> send sample to sa pmc members
>>
>> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no
>> autolearn_force=no,
>> LastExt=149.72.91.245
>> X-Spam-Rules_score:
>> DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
>> DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
>> HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
>> KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
>> SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>>
>> mx relay is sendgrid, but envelope sender is not sendgrid
>>
>> https://phishtank.com/phish_detail.php?phish_id=6927641
>> https://phishtank.com/phish_detail.php?phish_id=6927893
Re: netflix phishing emails forwarded via sendgrid
Posted by John Hardin <jh...@impsec.org>.
On Thu, 11 Feb 2021, Giovanni Bechis wrote:
> On 2/9/21 10:03 PM, Benny Pedersen wrote:
>> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>>> Since it's already hitting 8.9, why do more?
>>
>> got one more today
>>
>> http://multirbl.valli.org/lookup/167.89.112.86.html
>>
>> envelope sender is not sendgrid.net
>>
>> spamurls to the phishing is sendgrid redir to hide all details of spam domain
>>
>> why is so many uribl not blocking phish attempts better ?
>>
> With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as local generated files.
> Local files can be generated by looking at the Return-path of the offending email.
> Return-Path: <bo...@example.com>
> In this case "1234" is the id you are interested in.
I have a script that generates a static rule based on sendgrid sender ids
in local corpora + the invaluement download if (for some reason) you don't
want to / can't use the plugin.
https://www.impsec.org/~jhardin/antispam/make_sendgrid_rule.sh
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Tomorrow: Abraham Lincoln's and Charles Darwin's 212th Birthdays
Re: netflix phishing emails forwarded via sendgrid
Posted by Benny Pedersen <me...@junc.eu>.
On 2021-02-11 14:56, John Hardin wrote:
> On Thu, 11 Feb 2021, Benny Pedersen wrote:
>
>> On 2021-02-11 12:46, Giovanni Bechis wrote:
>>
>>> With the updated Esp plugin[¹] just committed to trunk you could use
>>> Sendgrid files downloaded from Invaluement as well as local generated
>>> files.
>>
>> this files do work if sendgrid did not allow non sendgrid.net envelope
>> senders :(
>
> Try the script generator I posted, it isn't domain-specific.
good and tested now, it works
if Invaluement want data to add i would like to share my local id file
now
Re: netflix phishing emails forwarded via sendgrid
Posted by John Hardin <jh...@impsec.org>.
On Thu, 11 Feb 2021, Benny Pedersen wrote:
> On 2021-02-11 12:46, Giovanni Bechis wrote:
>
>> With the updated Esp plugin[¹] just committed to trunk you could use
>> Sendgrid files downloaded from Invaluement as well as local generated
>> files.
>
> this files do work if sendgrid did not allow non sendgrid.net envelope
> senders :(
Try the script generator I posted, it isn't domain-specific.
Re: netflix phishing emails forwarded via sendgrid
Posted by Benny Pedersen <me...@junc.eu>.
On 2021-02-11 12:46, Giovanni Bechis wrote:
> With the updated Esp plugin[¹] just committed to trunk you could use
> Sendgrid files downloaded from Invaluement as well as local generated
> files.
this files do work if sendgrid did not allow non sendgrid.net envelope
senders :(
KAM_SENDGRID_REDIR is best defence now, local scored at 10 here
fun can continue as long sendgrid is major whitelisted :(
> Local files can be generated by looking at the Return-path of the
> offending email.
> Return-Path: <bo...@example.com>
> In this case "1234" is the id you are interested in.
good to know if building local blacklists
> [¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2
there is lint error in line 249
Re: netflix phishing emails forwarded via sendgrid
Posted by Giovanni Bechis <gi...@paclan.it>.
On 2/9/21 10:03 PM, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
>
> got one more today
>
> http://multirbl.valli.org/lookup/167.89.112.86.html
>
> envelope sender is not sendgrid.net
>
> spamurls to the phishing is sendgrid redir to hide all details of spam domain
>
> why is so many uribl not blocking phish attempts better ?
>
With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as local generated files.
Local files can be generated by looking at the Return-path of the offending email.
Return-Path: <bo...@example.com>
In this case "1234" is the id you are interested in.
Giovanni
[¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2
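The local-list step described in the message above, as an added example that is not code from the Esp plugin or from any script linked in this thread: it reads the numeric sender id from the Return-Path of known-bad messages and renders one static SpamAssassin header rule. The `bounces+<id>-...` local-part layout, the rule name, the score and the sample messages are assumptions constructed for illustration; the envelope domain is deliberately not checked, since the thread notes it is not always sendgrid.net.

```python
import re
from email import message_from_string

# Assumed envelope-sender layout: bounces+<numeric id>-<token>@<any domain>.
# The domain part is accepted as-is, so customer return-path domains match too.
BOUNCE_RE = re.compile(r"<?bounces\+(\d+)-[^@\s>]+@[^\s>]+>?", re.I)

def sendgrid_id(raw_message):
    """Return the numeric sender id from the Return-Path header, or None."""
    msg = message_from_string(raw_message)
    match = BOUNCE_RE.fullmatch((msg.get("Return-Path") or "").strip())
    return match.group(1) if match else None

def collect_ids(raw_messages):
    """Sorted, de-duplicated ids from a corpus of confirmed phishing mail."""
    found = {sendgrid_id(m) for m in raw_messages}
    return sorted((i for i in found if i), key=int)

def static_rule(ids, name="LOCAL_SENDGRID_ID", score=3.0):
    """Render one header rule covering all ids (name and score are hypothetical)."""
    if not ids:
        return ""  # an empty alternation would match every bounces+ address
    alternation = "|".join(ids)
    return (
        f"header   {name}  Return-Path =~ /\\bbounces\\+(?:{alternation})-/i\n"
        f"describe {name}  Locally listed SendGrid sender id\n"
        f"score    {name}  {score}\n"
    )

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "Return-Path: <bounces+1234-ab12-user=example.org@sendgrid.net>\n"
    "Subject: Update your payment details\n\nbody\n",
    "Return-Path: <bounces+98765-ff00-user=example.org@em42.example.com>\n"
    "Subject: Your account is on hold\n\nbody\n",
    "Return-Path: <bounces+1234-cd34-other=example.org@sendgrid.net>\n"
    "Subject: Update your payment details\n\nbody\n",
    "Return-Path: <newsletter@example.net>\n"
    "Subject: Weekly digest\n\nbody\n",
]

if __name__ == "__main__":
    print(static_rule(collect_ids(SAMPLES)), end="")
```

Feed it only messages already confirmed as phishing: every id it lists is penalised for all mail sent under that id.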
Re: netflix phishing emails forwarded via sendgrid
Posted by Giovanni Bechis <gi...@paclan.it>.
On Tue, Feb 09, 2021 at 10:03:57PM +0100, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
> > Since it's already hitting 8.9, why do more?
>
> got one more today
>
> http://multirbl.valli.org/lookup/167.89.112.86.html
>
> envelope sender is not sendgrid.net
>
> spamurls to the phishing is sendgrid redir to hide all details of spam
> domain
>
> why is so many uribl not blocking phish attempts better ?
>
> i can send sample on request to pmc members
Please send me spamples, I will take a look at them.
Giovanni
Re: netflix phishing emails forwarded via sendgrid
Posted by Benny Pedersen <me...@junc.eu>.
On 2021-02-02 03:25, Kevin A. McGrail wrote:
> Since it's already hitting 8.9, why do more?
got one more today
http://multirbl.valli.org/lookup/167.89.112.86.html
envelope sender is not sendgrid.net
spamurls to the phishing is sendgrid redir to hide all details of spam
domain
why is so many uribl not blocking phish attempts better ?
i can send sample on request to pmc members
Re: netflix phishing emails forwarded via sendgrid
Posted by "Kevin A. McGrail" <km...@apache.org>.
Since it's already hitting 8.9, why do more?
On 1/19/2021 9:07 PM, Benny Pedersen wrote:
> i have added urls to phishtank
>
> if its could be added rules to spamassassin to detect it better i can
> send sample to sa pmc members
>
> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no
> autolearn_force=no,
> LastExt=149.72.91.245
> X-Spam-Rules_score:
> DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
> HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
> KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
> SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>
> mx relay is sendgrid, but envelope sender is not sendgrid
>
> https://phishtank.com/phish_detail.php?phish_id=6927641
> https://phishtank.com/phish_detail.php?phish_id=6927893
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171