Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2023/01/15 19:47:32 UTC
sharepoint phish routed through sharepointonline/outlook
Hi,
X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
I'm reporting it to spamcop and training bayes, but does anyone have any
other ideas?
Is this just someone using their sharepoint account to send a phish?
Perhaps account takeover?
https://pastebin.com/2CJ3SLf2
Re: sharepoint phish routed through sharepointonline/outlook
Posted by Raymond Dijkxhoorn via users <us...@spamassassin.apache.org>.
Hi!
> Yes, I am running SA4 and have been for probably more than a year. What
> am I doing wrong that RBL checks wouldn't be checking the FQDN?
Could be several reasons but will contact you offlist.
> uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org
> has address 127.0.0.64
> Meaning it's listed in ABUSE.
>
> I suspect then that I received it prior to it being listed there. Any
> way to correlate those dates (if it's even worth it)?
And sure we can do that.
Thanks! Raymond
Re: sharepoint phish routed through sharepointonline/outlook
Posted by Alex <my...@gmail.com>.
Hi,
> RBL checks for FQDN not just domains would be a good idea...
>
...
>
> I assume you are not running SA4. That does this. (And the sharepoint
> domain you have in your mail is listed on SURBL.... )
>
Yes, I am running SA4 and have been for probably more than a year. What am
I doing wrong that RBL checks wouldn't be checking the FQDN?
> uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org
> has address 127.0.0.64
>
> Meaning it's listed in ABUSE.
>
I suspect then that I received it prior to it being listed there. Any way
to correlate those dates (if it's even worth it)?
> Thanks! Raymond
>
Thank you :-)
Re: sharepoint phish routed through sharepointonline/outlook
Posted by Raymond Dijkxhoorn via users <us...@spamassassin.apache.org>.
Hello All,
> RBL checks for FQDN not just domains would be a good idea...
> >X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> >tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> >DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> >FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> >LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> >LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> >RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> >RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
> >SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
I assume you are not running SA4. That does this. (And the sharepoint
domain you have in your mail is listed on SURBL.... )
uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org
has address 127.0.0.64
Meaning it's listed in ABUSE.
Thanks! Raymond
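The point of the exchange above is that a URI blocklist check against the registered domain alone (sharepoint.com) finds nothing, while the same check against the full tenant hostname hits SURBL's ABUSE list. The following is an added example, not code from the thread or from SpamAssassin: it builds the multi.surbl.org query name for both the FQDN and the trimmed domain and decodes the 127.0.0.N answer. Assumptions, labelled in the code: the bitmask (8 PH, 16 MW, 64 ABUSE, 128 CR) is SURBL's published list encoding as I recall it and should be checked against surbl.org; the thread itself only confirms that 127.0.0.64 means ABUSE. No DNS is performed; the answer for the tenant hostname is the one Raymond posted, embedded as a constructed stand-in resolver.

```python
"""Added example (not from the thread or SpamAssassin): SURBL lookup of a
full hostname versus its registered domain, with the 127.0.0.N answer decoded.

Assumptions: the bit values in SURBL_BITS are SURBL's published multi-list
encoding as recalled by the author of this example (verify at surbl.org);
the thread only confirms 127.0.0.64 == ABUSE. FAKE_DNS is a constructed
stand-in for a resolver so the example runs offline.
"""

SURBL_ZONE = "multi.surbl.org"

# Assumed bitmask (check surbl.org/lists): 8 PH (phishing), 16 MW (malware),
# 64 ABUSE (abused legitimate sites), 128 CR (cracked sites).
SURBL_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}

# Constructed resolver: only the tenant FQDN from the thread has an answer;
# the bare registered domain sharepoint.com resolves to nothing (NXDOMAIN).
FAKE_DNS = {
    "uniabujaedung-my.sharepoint.com.multi.surbl.org": "127.0.0.64",
}


def registered_domain(host, two_label_suffixes=("co.uk", "com.au")):
    """Trim a hostname to its registrar-boundary domain.

    Toy suffix list for illustration only; production code should use a
    public suffix list, which is what SpamAssassin's own trimming relies on.
    """
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in two_label_suffixes and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(host):
    """SURBL is queried by prepending the name to the zone, not reversed."""
    return f"{host.lower().rstrip('.')}.{SURBL_ZONE}"


def decode_surbl(answer):
    """Map a 127.0.0.N answer to the SURBL list names encoded in N."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a SURBL answer: {answer}")
    code = int(octets[3])
    return [name for bit, name in SURBL_BITS.items() if code & bit]


def lookup(host, resolver=FAKE_DNS.get):
    """Query both the FQDN and its registered domain.

    Returns {queried_name: [list names]}; an empty list means not listed.
    The point: a domain-only check misses a listing that exists only for
    the tenant hostname on a shared platform.
    """
    results = {}
    for name in dict.fromkeys([host, registered_domain(host)]):
        answer = resolver(surbl_query_name(name))
        results[name] = decode_surbl(answer) if answer else []
    return results


if __name__ == "__main__":
    for name, lists in lookup("uniabujaedung-my.sharepoint.com").items():
        print(f"{name:35s} -> {lists or 'not listed'}")
```

Run stand-alone it prints the FQDN as listed in ABUSE and sharepoint.com as not listed. To use a real resolver, pass a function that returns the A record string for a name (or None) as `resolver`.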
Re: sharepoint phish routed through sharepointonline/outlook
Posted by Pedro David Marco via users <us...@spamassassin.apache.org>.
RBL checks for FQDN not just domains would be a good idea...
Pedro.
>On Sunday, January 15, 2023 at 08:47:59 PM GMT+1, Alex <my...@gmail.com> wrote:
>Hi,
>X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
>tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
>FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
>LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
>LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
>RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
>RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
>SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
>I'm reporting it to spamcop and training bayes, but does anyone have any other ideas?
>Is this just someone using their sharepoint account to send a phish? Perhaps account takeover?
>https://pastebin.com/2CJ3SLf2
Re: sharepoint phish routed through sharepointonline/outlook
Posted by Benny Pedersen <me...@junc.eu>.
Alex skrev den 2023-01-15 20:47:
> Hi,
>
> X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1,
> DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1,
> RELAYCOUNTRY_US=0.01,
> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166]
> autolearn=disabled
>
> I'm reporting it to spamcop and training bayes, but does anyone have
> any other ideas?
>
> Is this just someone using their sharepoint account to send a phish?
> Perhaps account takeover?
>
> https://pastebin.com/2CJ3SLf2
Content analysis details: (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/Why?s=mfrom;id=no-reply%40sharepointonline.com;ip=199.199.178.197;r=localhost.junc.eu]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 ARC_VALID              Message has a valid ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict Alignment
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the message and
                            the domain has a DMARC reject policy
 0.1 DMARC_REJECT           DMARC reject policy
It gets a neutral score since it's a mailing list of some kind, imho?
Reject it by DKIM valid; one of the signers is valid, if not just ARC. If
only ARC is, then set up the AuthRes plugin in SpamAssassin 4.x.x.
I don't know how, but I believe spammers die slowly in 2023.
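Benny's copy of the message scored SPF_FAIL, DKIM_INVALID and KAM_DMARC_REJECT, while Alex's original copy scored SPF_PASS, DKIM_VALID_AU and DMARC_PASS. The difference is the mailing list in between: the relaying IP is not in the sender domain's SPF record and the list's changes break the original DKIM signature, so with p=reject the DMARC evaluation flips. The following is an added example, not Benny's code or SpamAssassin's: a small DMARC-style evaluator (RFC 7489 section 6.6.2, pass if an aligned SPF or an aligned DKIM result passes) run over the two constructed sets of authentication results. Assumptions, labelled in the code: the From: domain is taken to be sharepointonline.com (the thread shows only the MAIL FROM no-reply@sharepointonline.com), the DKIM d= domain and relaxed alignment are assumed, and the organizational-domain trimming is a toy that a public suffix list would replace.

```python
"""Added example (not from the thread or SpamAssassin): a DMARC-style decision
over the two sets of authentication results seen in the thread, direct
delivery versus delivery via the mailing list.

Assumptions: From: domain sharepointonline.com (only the MAIL FROM
no-reply@sharepointonline.com is visible in the thread); DKIM d= domain and
relaxed alignment are assumed; p=reject is what KAM_DMARC_REJECT reports.
All inputs are constructed; no DNS is performed.
"""
from dataclasses import dataclass, field


def org_domain(domain):
    """Organizational domain. Toy: last two labels; real code uses a public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: strict requires an exact match,
    relaxed (the default) requires the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str                          # RFC5322.From domain
    spf_result: str                           # "pass" | "fail" | "none" | ...
    spf_domain: str                           # MAIL FROM domain SPF was checked for
    dkim: list = field(default_factory=list)  # [(d= domain, result)]
    policy: str = "none"                      # published p= for from_domain


def dmarc_evaluate(ar, mode="r"):
    """Return (dmarc_result, disposition, reasons).

    Pass if aligned SPF passes or any aligned DKIM signature passes;
    otherwise apply the published policy. A list's own ARC seal is not a
    DKIM signature from the From: domain, so it cannot rescue the result
    here (handling ARC overrides is the AuthRes plugin's job, not this one's).
    """
    reasons = []
    spf_aligned = aligned(ar.spf_domain, ar.from_domain, mode)
    spf_ok = ar.spf_result == "pass" and spf_aligned
    reasons.append(f"spf={ar.spf_result} ({ar.spf_domain}) aligned={spf_aligned}")
    dkim_ok = False
    for d, result in ar.dkim:
        d_aligned = aligned(d, ar.from_domain, mode)
        dkim_ok = dkim_ok or (result == "pass" and d_aligned)
        reasons.append(f"dkim={result} (d={d}) aligned={d_aligned}")
    if spf_ok or dkim_ok:
        return "pass", "none", reasons
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(ar.policy, "none")
    return "fail", disposition, reasons


# Constructed: Alex's direct copy (SPF_PASS, DKIM_VALID_AU, DMARC_PASS in his header).
DIRECT = AuthResults("sharepointonline.com", "pass", "sharepointonline.com",
                     [("sharepointonline.com", "pass")], "reject")

# Constructed: the list copy Benny scored. The IP that delivered it to him
# (199.199.178.197 in his SPF_FAIL line) is not in sharepointonline.com's SPF
# record, and the original DKIM signature no longer verifies (DKIM_INVALID).
VIA_LIST = AuthResults("sharepointonline.com", "fail", "sharepointonline.com",
                       [("sharepointonline.com", "fail")], "reject")


if __name__ == "__main__":
    for label, ar in (("direct", DIRECT), ("via list", VIA_LIST)):
        result, disposition, reasons = dmarc_evaluate(ar)
        print(f"{label:9s} dmarc={result} disposition={disposition}")
        for r in reasons:
            print(f"          {r}")
```

Run stand-alone it reports dmarc=pass for the direct copy and dmarc=fail with disposition=reject for the list copy, which is the situation the two X-Spam-Status lines in the thread describe.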
Re: sharepoint phish routed through sharepointonline/outlook
Posted by Rupert Gallagher <ru...@protonmail.com>.
Message-Id: <od...@DAEB5AAE0CFE>
Read RFC 822, pp. 44-46.
If your answer is that the latest RFC allows for it, then my reply is: my mail, my rules, so I apply the most stringent rules.
-------- Original Message --------
On 15 Jan 2023, 20:47, Alex wrote:
> Hi,
>
> X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
>
> I'm reporting it to spamcop and training bayes, but does anyone have any other ideas?
>
> Is this just someone using their sharepoint account to send a phish? Perhaps account takeover?
>
> https://pastebin.com/2CJ3SLf2