The Declude sender is the information received from the envelope, which is shown here:

X-Declude-Sender: [email protected] [74.255.41.130]

Obviously the information is spoofed; this is why we suggest not whitelisting email addresses such as PayPal, etc. What could be better is using the reverse DNS to validate. This is how we do it with FILTER-FORGED, which scores emails that claim to be PayPal but are not.

REVDNS        END    PCRE    (?i:\.(paypal|ebay)\.com$)
HEADERS        10    PCRE    (?im:From:.*@paypal\.com)
MAILFROM    10    PCRE    (?i:\@paypal\.com)

You could also just do this:

REVDNS        WHITELIST    PCRE    (?i:\.paypal\.com$)

David
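The three FILTER-FORGED lines above, modelled in Python as an added example (this is not Declude's own code): it assumes REVDNS comes from the X-RevDNS header and MAILFROM from Return-Path, and runs the rules over a constructed header sample with made-up addresses.

```python
import re

# Model of the three FILTER-FORGED lines: REVDNS ends the filter with no score
# when the connecting host's reverse DNS really is under paypal.com/ebay.com;
# otherwise HEADERS and MAILFROM each add 10 when the mail claims paypal.com.
RULES = [
    ("REVDNS",   "END", re.compile(r"(?i:\.(paypal|ebay)\.com$)")),
    ("HEADERS",  10,    re.compile(r"(?im:From:.*@paypal\.com)")),
    ("MAILFROM", 10,    re.compile(r"(?i:\@paypal\.com)")),
]

def parse_headers(raw):
    """Unfold continuation lines and return a list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:      # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def filter_forged(raw):
    """Return (score, tests_that_fired) for one message."""
    headers = parse_headers(raw)
    lookup = {name.lower(): value for name, value in headers}
    # Assumption: MAILFROM is taken from Return-Path and REVDNS from the
    # X-RevDNS header that Declude adds, as in the headers quoted in the thread.
    inputs = {
        "REVDNS":   lookup.get("x-revdns", ""),
        "MAILFROM": lookup.get("return-path", ""),
        "HEADERS":  "\n".join(f"{n}: {v}" for n, v in headers),
    }
    score, fired = 0, []
    for test, action, pattern in RULES:
        if pattern.search(inputs[test]):
            fired.append(test)
            if action == "END":       # genuine host: stop, nothing to score
                return 0, fired
            score += action
    return score, fired

# Constructed sample modelled on the quoted headers; addresses are made up.
FORGED = """From: paypal Inc <service@paypal.com>
Return-Path: service@paypal.com
X-RevDNS: mail.prismpoint.com
"""
GENUINE = FORGED.replace("X-RevDNS: mail.prismpoint.com", "X-RevDNS: mx1.paypal.com")
```

The forged sample scores 20 (HEADERS and MAILFROM both fire), while the sample whose reverse DNS ends in .paypal.com hits the END line and scores nothing.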


On 1/13/2015 12:38 PM, Carl Wagar wrote:

There is some really subtle phishing going on that tells people to log in to their PayPal account.

I have been whitelisting [email protected]. Bad idea.

How did Declude decide the declude-sender here is really [email protected] when it was sent by hackers from mail.prismpoint.com ???

Carl

Received: from mail.prismpointe.com [74.255.41.130] by mail.thehostingservice.com with ESMTP
    (SMTPD-12.2.0.235) id 22180000192305cf; Tue, 13 Jan 2015 11:40:44 -0500
Received: from pptatlsrvexch01.prismpointe.local ([192.168.1.26]) by mail.prismpointe.com with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 13 Jan 2015 11:23:48 -0500
Received: from PPTATLSRVCF04 ([192.168.105.34]) by pptatlsrvexch01.prismpointe.local with Microsoft SMTPSVC(6.0.3790.3959);
    Mon, 12 Jan 2015 21:41:37 -0500
Message-ID: <11089776.1421116897014.JavaMail.CFWebService@PPTATLSRVCF04>
Date: Mon, 12 Jan 2015 21:41:36 -0500 (EST)
From: paypal Inc <[email protected]>
To: [email protected]
Subject: Your Acount Has Ben Limited ! Please Update Your Account
Mime-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: ColdFusion MX Application Server
Return-Path: [email protected]
X-OriginalArrivalTime: 13 Jan 2015 02:41:37.0940 (UTC) FILETIME=[741AB540:01D02EDA]
X-MessageSniffer-Identifier: C:\IMail\spool\proc\work\D22180000192305cf.smd
X-GBUdb-Analysis: 0, 74.255.41.130, Ugly c=0.313739 p=0.142857 Source Normal
X-MessageSniffer-Scan-Result: 53
X-MessageSniffer-Rules:
    53-6648802-695-1091-m
    53-6648802-0-32199-f
X-Declude-Sender: [email protected] [74.255.41.130]
X-Declude-Spoolname: D22180000192305cf.smd
X-Declude-Whitelist: [Whitelist file: C:\IMail\Declude\mywhitelist.txt, From: [[email protected]]]
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.05 "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [0] at 11:40:51 on 13 Jan 2015
X-Declude-Tests: Whitelisted
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-Declude-Recipcount: 1
X-Helo: mail.prismpointe.com
X-RevDNS: mail.prismpoint.com
X-RCPT-TO: <[email protected]>
Status:
X-UIDL: 721073535
X-IMail-ThreadID: 22180000192305cf

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com, www.thehostingservice.com

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: [email protected], skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898


--
David Barker
Mail’s Best Friend
Email     : [email protected]
Web      :  www.mailsbestfriend.com
Office    :  866.919.2075
Mobile  :  978.518.6461
