Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2010/09/28 00:22:24 UTC

Re: Phish triggered short circuit 'ham' (Solved)

On Thu, 2010-09-23 at 17:55 -0500, Chris wrote:
> http://pastebin.com/ypiHcyvK
> 
> The above phish for my ISP came in this morning; it triggered the short
> circuit 'ham' rule. Is it because I have this in my local.cf and the
> message has a dkim signature?
> 
> def_whitelist_from_dkim *@embarqmail.com
> 
> DKIM-Signature: v=1; a=rsa-sha1; d=embarqmail.com; s=s012408;
>  c=relaxed/simple; q=dns/txt; i=@embarqmail.com; t=1285235699;
>  h=From:Subject:Date:To:MIME-Version:Content-Type;
>  bh=9FOJPKqN2Ht/0QapcfDg7uQayg4=;
>  b=WMoex2VshAez5cqfiXbdykBskGnhCxMtG4ojE3+VaHxS2tB466/bZ2YjLuY3afkV
>  gSsc8wS1MU8RdOVs2AcIrWmIz/h8RQHuuN1hl2tPSHiN9vCBRbx5qEKa3qpTlnAy;
> 
> Do I have def_whitelist_from_dkim configured incorrectly?
> 
> Chris
> 
Got this from my ISP today:

The phishing email was from a compromised user account.  Some foreign
entity had logged on to our outbound email server with a customer's
stolen credentials and sent out phishing emails.  This is quite a
desirable scenario for phishers as their email goes out through a valid
server when they have pilfered ISP user accounts.  This causes a couple
of issues.  The phishing emails are more likely to be accepted from a
trusted SMTP server.  After such an attack is detected, the formerly
trusted SMTP server is soon subject to blocking based on the smear to
its reputation.


-- 
Chris
KeyID 0xE372A7DA98E6705C
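
Added example, not part of the original message and not SpamAssassin's own code: a simplified model of how a domain-wide entry such as `def_whitelist_from_dkim *@embarqmail.com` relates to the DKIM-Signature tags quoted above. The matching rule (valid signature whose d= equals the author's domain, plus a glob match on the author address), the function names and the author address `someuser@embarqmail.com` are assumptions made for illustration; the bh= and b= values are replaced by placeholders because no cryptographic verification is done here.

```python
from fnmatch import fnmatchcase

# Tags copied from the quoted DKIM-Signature header; bh= and b= are
# placeholders (constructed), since this sketch does not verify the signature.
SAMPLE_SIG = (
    "v=1; a=rsa-sha1; d=embarqmail.com; s=s012408; c=relaxed/simple; "
    "q=dns/txt; i=@embarqmail.com; t=1285235699; "
    "h=From:Subject:Date:To:MIME-Version:Content-Type; "
    "bh=PLACEHOLDER; b=PLACEHOLDER;"
)


def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")      # split on the first '=' only
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def whitelist_match(author, sig_value, pattern, sig_valid=True):
    """Assumed, simplified whitelist rule: the signature verified, its d=
    equals the author's domain, and the author address matches the glob."""
    tags = parse_tags(sig_value)
    author = author.lower()
    author_domain = author.rpartition("@")[2]
    first_party = tags.get("d", "").lower() == author_domain
    return bool(sig_valid and first_party and fnmatchcase(author, pattern.lower()))


def identifies_user(sig_value):
    """True only if i= has a local part, i.e. names a specific mailbox."""
    local = parse_tags(sig_value).get("i", "").rpartition("@")[0]
    return local != ""


if __name__ == "__main__":
    author = "someuser@embarqmail.com"  # constructed; the real From is not shown
    print("whitelist entry matches:", whitelist_match(author, SAMPLE_SIG, "*@embarqmail.com"))
    print("signature names a user: ", identifies_user(SAMPLE_SIG))
```

The signature carries i=@embarqmail.com with no local part, so it vouches for the ISP's outbound server rather than for any one mailbox, and a domain-wide entry matches mail sent from any account on that server.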