Posted to users@spamassassin.apache.org by Daryl Rose <ro...@gmail.com> on 2020/11/08 22:00:55 UTC
Crap getting through
I'm getting obvious phishing attempts. This one was made to look like it
was from Wells Fargo with an obvious spoofed email address. However, when
I examined the headers, the From Address was this garbage:
*=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
I received another one that was meant to be an Amazon Prime Membership
failure. How can I block these? The last time I inquired about phishing,
it was suggested to install KAM, which I did, but this crap is still
getting through. Any other suggestions?
Thank you.
Daryl
Re: Crap getting through
Posted by Benny Pedersen <me...@junc.eu>.
Daryl Rose wrote on 2020-11-08 23:00:
> I'm getting obvious phishing attempts.
report to https://phishtank.com/ then
> This one was made to look like
> it was from Wells Fargo with an obvious spoofed email address.
so what did spamassassin say about that ?
> However, when I examined the headers, the From Address was this
> garbage: =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=
nice trick to avoid testing ?
developers of sa, utf-8 and qp are basically fucked everywhere :/
but this one is base64
> I received another one that was meant to be an Amazon Prime Membership
> failure.
maybe amazon prime hands out too many free accounts ? :-)
> How can I block these?
if you'd like me to answer that I could give next week's lotto numbers in
return :-)
> The last time I inquired about
> phishing, it was suggested to install KAM,
now it seems you need to build a corpus without rescoring anything in
kam.cf
make a DR.cf to build locally under your own control
> which I did, but this crap
> is still getting through. Any other suggestions?
without any samples no one can help
you have all that is needed to make DR.cf ?
Re: Crap getting through
Posted by John Hardin <jh...@impsec.org>.
On Sun, 8 Nov 2020, Daryl Rose wrote:
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably
won't pass masscheck and get published because there are probably few
examples of that in the corpus.
Added to my sandbox:
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FUZZY_WELLSFARGO_BODY /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
replace_rules __FUZZY_WELLSFARGO_BODY
header __FUZZY_WELLSFARGO_FROM From:name =~ /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
replace_rules __FUZZY_WELLSFARGO_FROM
meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
endif
Do you have something like this in place?
whitelist_auth *@wellsfargo.com
blacklist_from *@wellsfargo.com
whitelist_auth *@*.wellsfargo.com
blacklist_from *@*.wellsfargo.com
whitelist_auth *@bankofamerica.com
blacklist_from *@bankofamerica.com
whitelist_auth *@*.bankofamerica.com
blacklist_from *@*.bankofamerica.com
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Sheep have only two speeds: graze and stampede. -- LTC Grossman
-----------------------------------------------------------------------
Tomorrow: The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Crap getting through
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 09.11.20 05:07, Daryl Rose wrote:
>Sorry, I deleted it right away. I normally delete that crap as soon as it
>comes in. I'll remember to keep it next time I get something so I can
>post the headers.
I keep spam and phishes in special mail directories for later examination
>On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen <ro...@invaluement.com> wrote:
>> Can you please post a copy of the raw email message - with headers -
>> perhaps with your own user's email address (and name?) masked out (change
>> to "XXXXXXXX") - to pastebin, or to a similar site - then reply here with
>> the link. It is difficult to give specific suggestions without having the
>> raw underlying text of the message (w/headers). But please try to avoid
>> pasting that directly to this list. Thanks!
>> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>>
>> I'm getting obvious phishing attempts. This one was made to look like it
>> was from Wells Fargo with an obvious spoofed email address. However, when
>> I examined the headers, the From Address was this garbage:
>> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
this is not garbage, this is mime-encoded string:
> *WễllsḞargo Bank *
...and that is garbage.
But it should be quite easily caught.
>> I received another one that was meant to be an Amazon Prime Membership
>> failure. How can I block these? The last time I inquired about phishing,
>> it was suggested to install KAM, which I did, but this crap is still
>> getting through. Any other suggestions?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
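An added example, not code from the thread or from SpamAssassin itself, that ties together Matus's decoding of the encoded word and the intent of John's FUZZY_WELLSFARGO rule: RFC 2047-decode the From: display name, collapse it to an ASCII skeleton so diacritic lookalikes fall away, and flag a name that resembles a protected brand without being its legitimate spelling. The brand table and sample headers are constructed assumptions.

```python
import email.header
import email.utils
import re
import unicodedata
from typing import Optional

# Protected brands: skeleton of the name -> regex for its legitimate spelling.
# Constructed for this example; it is not a SpamAssassin default.
BRANDS = {
    "wellsfargo": re.compile(r"wells[-\s]?fargo", re.I),
    "amazon": re.compile(r"amazon", re.I),
}

def decode_display_name(from_header: str) -> str:
    """Split a From: header value and RFC 2047-decode its display name."""
    name, _addr = email.utils.parseaddr(from_header)
    return str(email.header.make_header(email.header.decode_header(name)))

def skeleton(text: str) -> str:
    """Reduce a name to lowercase ASCII letters: compatibility-decompose
    (NFKD) so diacritics become separate combining marks, then drop every
    non-ASCII or non-letter character. 'WễllsḞargo Bank' -> 'wellsfargobank'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if c.isascii() and c.isalpha()).lower()

def fuzzy_brand(from_header: str) -> Optional[str]:
    """Return the protected brand a display name imitates, or None.
    Like the negative lookahead in the FUZZY_WELLSFARGO rule, the legitimate
    spelling is not flagged; only a lookalike that collapses to the brand
    skeleton is."""
    name = decode_display_name(from_header)
    sk = skeleton(name)
    for brand, legit in BRANDS.items():
        if brand in sk and not legit.search(name):
            return brand
    return None

if __name__ == "__main__":
    # Constructed sample From: headers; the first carries the encoded word from the thread.
    samples = [
        "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= <alerts@example.com>",
        "Wells Fargo Online <alerts@example.com>",
        "Amazon Prime <no-reply@example.com>",
    ]
    for s in samples:
        print(f"{decode_display_name(s)!r:30} -> {fuzzy_brand(s)}")
```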
Re: Crap getting through
Posted by Daryl Rose <ro...@gmail.com>.
Sorry, I deleted it right away. I normally delete that crap as soon as it
comes in. I'll remember to keep it next time I get something so I can
post the headers.
Daryl
On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen <ro...@invaluement.com> wrote:
> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out (change
> to "XXXXXXXX") - to pastebin, or to a similar site - then reply here with
> the link. It is difficult to give specific suggestions without having the
> raw underlying text of the message (w/headers). But please try to avoid
> pasting that directly to this list. Thanks!
>
> Rob McEwen
>
>
> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure. How can I block these? The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through. Any other suggestions?
>
> Thank you.
>
> Daryl
>
> --
> Rob McEwen, invaluement
Re: Crap getting through
Posted by RW <rw...@googlemail.com>.
On Mon, 9 Nov 2020 12:44:04 +0000
RW wrote:
> On Sun, 8 Nov 2020 19:49:20 -0500
> Rob McEwen wrote:
>
> > Daryl,
> >
> > Can you please post a copy of the raw email message - with headers
> > - perhaps with your own user's email address (and name?) masked out
> > (change to "XXXXXXXX")
>
> It's best to leave it syntactically correct and with self-consistent
> obfuscation, so it can be run through SA without having to be edited a
> send time.
second time
Re: Crap getting through
Posted by RW <rw...@googlemail.com>.
On Sun, 8 Nov 2020 19:49:20 -0500
Rob McEwen wrote:
> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out
> (change to "XXXXXXXX")
It's best to leave it syntactically correct and with self-consistent
obfuscation, so it can be run through SA without having to be edited a
send time.
Re: Crap getting through
Posted by Rob McEwen <ro...@invaluement.com>.
Daryl,
Can you please post a copy of the raw email message - with headers -
perhaps with your own user's email address (and name?) masked out
(change to "XXXXXXXX") - to pastebin, or to a similar site - then reply
here with the link. It is difficult to give specific suggestions without
having the raw underlying text of the message (w/headers). But please
try to avoid pasting that directly to this list. Thanks!
Rob McEwen
On 11/8/2020 5:00 PM, Daryl Rose wrote:
> I'm getting obvious phishing attempts. This one was made to look like
> it was from Wells Fargo with an obvious spoofed email address.
> However, when I examined the headers, the From Address was this
> garbage: *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure. How can I block these? The last time I inquired about
> phishing, it was suggested to install KAM, which I did, but this crap
> is still getting through. Any other suggestions?
>
> Thank you.
>
> Daryl
>
--
Rob McEwen, invaluement