Re: [mailop] Gmail funny: flagged their own DSN message as spam

2022-11-19 Thread Jaroslaw Rafa via mailop
Dnia 19.11.2022 o godz. 10:41:32 Chris Adams via mailop pisze:
> I have a Gmail address - I don't give it out, the only legit mail I get
> to it is generally Google account related stuff (bills and such).  I
> have a forward set up on it to send everything to my personal server.
> 
> This morning, there was some spam that got through Gmail's filters sent
> to it.  Gmail tried to forward it, but my server's spam filters rejected
> the message (reject during SMTP, no bounce generated from my server).
> Gmail generated a delivery status notification message...  and sent that
> directly to the Gmail spam folder.
> 
> Oops... :)

Probably because the DSN contained a part of the spam message that was
rejected. It's a common mistake of spam filtering systems (not only Gmail's)
that they don't treat DSNs (even their own) specially and often classify
DSNs for spam messages as spam.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
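The failure mode Jaroslaw describes, as an added example that is not part of the thread and not anyone's production filter: a receiving-side check that recognises a multipart/report DSN (RFC 3464), scores only the bounce's own human-readable text, and keeps the returned original as evidence instead of treating it as the bounce's content. The sample bounce, the token lexicon and every address in it are constructed for this example.

```python
"""Added example (not from the mailop thread): treat a delivery status
notification on its own merits instead of scoring the rejected message it
carries back. Sample DSN, lexicon and addresses are constructed."""
from email import policy
from email.parser import BytesParser

# Constructed sample in the multipart/report shape of RFC 3464; the embedded
# message/rfc822 part stands in for the spam the receiving server rejected.
SAMPLE_DSN = b"""\
From: Mail Delivery Subsystem <mailer-daemon@forwarder.example>
To: user@forwarder.example
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

The response from the remote server was:
550 5.7.1 Message rejected as spam
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.forwarder.example

Final-Recipient: rfc822; me@personal.example
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message rejected as spam
--b1
Content-Type: message/rfc822

From: promo@spam.example
To: user@forwarder.example
Subject: BUY NOW cheap pills

click here for pills
--b1--
"""

# Toy lexicon standing in for a real content filter (constructed).
SPAMMY_TOKENS = ("buy now", "cheap pills", "click here")


def naive_score(text: str) -> int:
    """Count lexicon hits; a stand-in for whatever the real filter does."""
    lowered = text.lower()
    return sum(lowered.count(tok) for tok in SPAMMY_TOKENS)


def is_dsn(msg) -> bool:
    """RFC 3464 DSNs are multipart/report with report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status")


def split_dsn(msg):
    """Return (human-readable text, per-recipient status fields, original message)."""
    human, status, original = "", {}, None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            human = part.get_content()
        elif ctype == "message/delivery-status":
            # The stdlib parser represents each field block as a header-only message.
            for block in part.get_payload():
                status.update({k.lower(): str(v).strip() for k, v in block.items()})
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
    return human, status, original


def classify(raw: bytes) -> dict:
    """Score a DSN by its own text only; everything else takes the normal path."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    whole_message_score = naive_score(raw.decode("utf-8", "replace"))
    if not is_dsn(msg):
        return {"kind": "message", "score": whole_message_score}
    human, status, original = split_dsn(msg)
    return {
        "kind": "dsn",
        "score": naive_score(human),                  # the bounce's own words
        "whole_message_score": whole_message_score,   # what a naive filter sees
        "action": status.get("action"),
        "status": status.get("status"),
        "original_from": str(original["From"]) if original else None,
    }


if __name__ == "__main__":
    print(classify(SAMPLE_DSN))
```

The `whole_message_score` field is there only to show the gap: a filter that hashes the whole MIME body sees the returned spam and scores the bounce as spam, while the DSN's own text scores clean. A filter that wants to go further can use `original_from` and the status fields to decide whether the bounce relates to mail it actually sent.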


Re: [mailop] Phishing and 2FA auth

2022-11-19 Thread Ken Simpson via mailop
Hi Slavko

Not all 2FA approaches are equal. The most robust 2FA systems are ones in
which both the service and the second-factor client robustly authenticate
each other. Two-way authentication eliminates the possibility that someone
can sit in the middle of the second-factor exchange to gain access.

For example, if SMS is used as the second factor, an attacker can present a
convincing website that collects your password and forwards it to the
service you are trying to log in to. That convincing website can also ask
you for the SMS code the service sends to your device, passing the second
factor along and completing the login.

The same goes for OTP systems like Authy or Google Authenticator.

With the advent of the secure enclave and other trusted execution
environments in mobile devices, services can now rely on an encrypted
exchange with your mobile device as the second factor. Many large,
frequently phished services, such as Google and Adobe, provide a
dedicated authentication app that fulfills this purpose. Enterprise options
like Duo perform the same function.

FIDO U2F keys are yet another very secure 2FA option. These devices
participate in a secure exchange with the service, with the web browser
only acting as an intermediary to carry encrypted data between the hardware
key and the service itself. A phishing site would not gain anything of
value by intercepting the hardware key's information because the data is
encrypted directly with the service and cannot be tampered with by an
intermediary.

Unfortunately, authentication is only as secure as the weakest link. If a
service offers a weak two-factor option, some users will opt for that, and
their accounts will be less secure and more open to phishing.

Regards,
Ken



On Sat, Nov 19, 2022 at 7:51 AM Slavko via mailop  wrote:

> Hi all,
>
> Recently I searched GitHub projects to find some tools/templates for
> phishing messages, as I want to train my colleagues (I am not
> interested in real phishing).
>
> As a result I found one Go project for that, but I also found a lot of
> projects, which declare themselves as being for training/learning of
> course, with phished site templates/copies, and some of them declare
> that they are able even to get 2FA OTPs. I have no links to them and I
> didn't inspect in detail how it works, as I am not interested in that.
> I only remember that they catch OTPs too, by some way, in their site
> copies.
>
> But my curiosity grows with time on the topic of what 2FA solves then,
> thus I want to ask about it here, in the hope of understanding it better.
>
> Please, can it really be as "simple" as that? If yes, then my
> understanding is that 2FA doesn't solve the leaked-passwords problem,
> as advertised by many sites, but it solves only that this problem will
> be self-solved as the token expires (a week or two), without the user
> changing their password. Is my understanding right?
>
> If yes, then 2FA is not the holy grail of solving the SPAM & leaked
> passwords problem, as an attacker can send a lot of SPAM via this
> phished account (ignore rate limiting for now) until the OTP expires.
> Right?
>
> Or do I miss something?
>
> thanks
>
> --
> Slavko
> https://www.slavino.sk/


-- 
Ken Simpson
CEO, MailChannels

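The distinction Ken draws, as an added example that is not part of the thread and not any vendor's implementation: a code typed into a page can be forwarded unchanged, so the service cannot tell which page it was typed into, whereas a FIDO-style assertion is signed over the origin the browser is actually showing, so a relay through a lookalike origin yields an assertion the service rejects. Stand-ins and assumptions: HMAC-SHA256 with a per-device secret replaces the ECDSA key pair a real device uses, the JSON "client data" mirrors the WebAuthn idea of signing over the origin, and all origins, users and names are made up.

```python
"""Added example (not from the mailop thread): why a code-based second factor
can be relayed through a lookalike site while an origin-bound assertion
cannot. HMAC-SHA256 stands in for the device's signature key pair; the
origins, users and names are constructed."""
import hashlib
import hmac
import json
import secrets


class Device:
    """A second-factor device that signs over whatever origin the browser reports."""

    def __init__(self):
        self.master = secrets.token_bytes(32)

    def secret_for(self, origin: str) -> bytes:
        # Per-origin key, standing in for U2F's per-application key pairs.
        return hmac.new(self.master, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: str) -> dict:
        # The browser, not the web page, supplies the origin it is showing the
        # user, so a lookalike site cannot ask for a signature over the real one.
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self.secret_for(origin), client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}


class Service:
    def __init__(self, origin: str):
        self.origin = origin
        self.otp_codes: dict[str, str] = {}
        self.device_keys: dict[str, bytes] = {}
        self.challenges: dict[str, str] = {}

    # Code-based second factor (SMS or authenticator app).
    def send_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.otp_codes[user] = code
        return code  # delivered to the user's phone in reality

    def verify_otp(self, user: str, code: str) -> bool:
        # Nothing ties the code to the page the user typed it into.
        return hmac.compare_digest(self.otp_codes.pop(user, ""), code)

    # Origin-bound second factor (FIDO U2F / WebAuthn style).
    def register_device(self, user: str, device: Device) -> None:
        # Registration happens on the genuine origin, so the stored key is the
        # one the device derives for that origin only.
        self.device_keys[user] = device.secret_for(self.origin)

    def challenge(self, user: str) -> str:
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify_assertion(self, user: str, assertion: dict) -> bool:
        expected_challenge = self.challenges.pop(user, None)
        client_data = json.loads(assertion["client_data"])
        expected_sig = hmac.new(self.device_keys[user], assertion["client_data"].encode(),
                                hashlib.sha256).hexdigest()
        return (expected_challenge is not None
                and client_data["challenge"] == expected_challenge
                and client_data["origin"] == self.origin
                and hmac.compare_digest(expected_sig, assertion["sig"]))


LOOKALIKE = "https://mail-example.test"  # constructed lookalike origin


def otp_relayed(service: Service, user: str) -> bool:
    """The code the service sent is typed into a lookalike page and forwarded
    unchanged; the service has no way to tell and accepts it."""
    code_on_phone = service.send_otp(user)
    return service.verify_otp(user, code_on_phone)


def genuine_login(service: Service, user: str, device: Device) -> bool:
    return service.verify_assertion(user, device.sign(service.origin, service.challenge(user)))


def assertion_relayed(service: Service, user: str, device: Device) -> bool:
    """The real challenge is forwarded, but the browser hands the device the
    lookalike origin, so the assertion is bound to the wrong origin and key."""
    return service.verify_assertion(user, device.sign(LOOKALIKE, service.challenge(user)))


def assertion_relayed_with_origin_rewritten(service: Service, user: str, device: Device) -> bool:
    """Rewriting the origin field in transit does not help: the signature covers it."""
    assertion = device.sign(LOOKALIKE, service.challenge(user))
    data = json.loads(assertion["client_data"])
    data["origin"] = service.origin
    assertion["client_data"] = json.dumps(data, sort_keys=True)
    return service.verify_assertion(user, assertion)


if __name__ == "__main__":
    svc, dev = Service("https://mail.example"), Device()
    svc.register_device("alice", dev)
    print("OTP relayed:", otp_relayed(svc, "alice"))
    print("genuine assertion:", genuine_login(svc, "alice", dev))
    print("relayed assertion:", assertion_relayed(svc, "alice", dev))
    print("origin rewritten:", assertion_relayed_with_origin_rewritten(svc, "alice", dev))
```

The two relay functions are the check a defender wants to see fail: the origin-bound path is rejected both when the origin is reported honestly and when it is rewritten, because the service compares the origin it expects and the signature covers the client data. Ken's last point is visible in `Service` as well: the OTP path stays available to any user who opts for it.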


Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning

2022-11-19 Thread Ken Simpson via mailop
PayPal is best positioned to solve this problem because it can police the
logo images its customers upload. That being said, this type of platform
abuse, while not entirely new, seems to be increasing.

Please get in touch with me if you are interested in testing our computer
vision API that recognizes brand impersonation by rendering messages in
headless browsers and then running a computer vision model. The API is
experimental, but we are keen to get feedback from others.

Regards,
Ken (MailChannels)

On Fri, Nov 18, 2022 at 2:53 PM Jarland Donnell via mailop <
mailop@mailop.org> wrote:

> Basically, you go here:
> https://www.paypal.com/invoice/s/manage
>
> Click the gear symbol, Business Information, fill out what you want and
> add a logo. Then click Save, create an invoice for someone, and PayPal
> will send it to them. There's not much of anything that any of us can do
> to filter it without risking false positives, because we'll never have
> any consistent idea of what's real and fake when it all comes from such
> a high reputation sender using a feature that we don't necessarily want
> to block recipients from being able to use.
>
> On 2022-11-18 15:30, Michael Wise via mailop wrote:
> > This .. is what I wanted to see.
> >
> > Did it really go to you, or did it stop off somewhere else first?
> >
> >   To: zachery Rose 
> >
> > It does appear that it went direct, so my initial theory is off I
> > guess.
> >
> > Aloha,
> >
> > Michael.
> >
> > --
> >
> > Michael J Wise
> > Microsoft Corporation| Spam Analysis
> >
> > "Your Spam Specimen Has Been Processed."
> >
> > Open a ticket for Hotmail ?
> >
> > From: mailop  On Behalf Of Zach Rose via
> > mailop
> > Sent: Friday, November 18, 2022 11:38 AM
> > Cc: mailop@mailop.org
> > Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email
> > this morning
> >
> > Yeah, that's my theory at the moment, very likely that the call is
> > coming from inside the house, but they didn't find the person who made
> > the call before it was made.
> >
> > Delivered-To: REDACTED
> > Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id r1csp516216eiw;
> > Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> > X-Google-Smtp-Source:
> > AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
> > X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id
> > b17-20020a6567d100b0047687ad9d78mr6785903pgs.169.1668781412334;
> > Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> > ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
> > d=google.com; s=arc-20160816;
> > b=U4pbrfCYSxjulk8kCNLer1j7TfaCaowzf2yDYMqeQMVmG4g/JvAXzf0m4serzWoqTi
> >  OBEY9TrwfM2j3yQssfS8OMOnWmBP+pO7KYBmg67sBb57BdZlx/+txIylik9rNKuyXsEh
> >  O5+LN63Y1RqiSPLK44tgV3uHSeYS5n+qE0gJHgS1lojzvH/tEkxESiQHix+K7sWYnBUt
> >  EXjoD4UKa4x1WGOsOPsb64AYM/AMs2TImhoZCqg+tT2Otsn1/Hz34iMozy9tR0yBB15q
> >  +Eq4bNx9gjV8EpetyAjAQF7XHwWknzhig/MtiVy76GwNuCpUxd8yW+Bw3/fwTtBL6zl6
> >  QFYQ==
> > ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
> > d=google.com; s=arc-20160816;
> > h=amq-delivery-message-id:mime-version:from:to:subject
> >  :pp-correlation-id:message-id:date:content-transfer-encoding
> >  :dkim-signature;
> > bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
> > b=PbkHny3v4CR7wqQUcdh8f9PRFBMO+7dUlCVLzG9d8uDG0Uc+4jNqlkRB5chwPq1AUw
> >  QG3rN1n+lpU1t/MEz0fnZ2k1Rwzrr0j/2L0fHhhX0eJ8UheOHbcVNDSF1hjDfwPayN43
> >  ggWon6WA5mEYJ6jTPt5ODvSC0shj5SrQBq2C57tCG4WOjWGK63UhilfiZS/GgpoyzgvG
> >  UItaCRQKijOkG9k8bNub0rZ77LEdRoCK6RaEe6mhKmTv0doesmgdyhlb8+1e8V8Uvy7T
> >  tqhqfvqUyzVOgL5HmUZIjNl/XkNXA966EGTLfDqf1DWDsf0LRjpZpJiJViixPJ63UMKA
> >  /azQ==
> > ARC-Authentication-Results: i=1; mx.google.com;
> >    dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
> >    spf=pass (google.com: domain of serv...@paypal.com designates
> > 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
> >    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> > Return-Path: 
> > Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
> > by mx.google.com with ESMTPS id
> > c5-20020a655a8500b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
> > for 
> > (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
> > Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> > Received-SPF: pass (google.com: domain of serv...@paypal.com designates
> > 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
> > Authentication-Results: mx.google.com;
> >    dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
> >    spf=pass (google.com: domain of serv...@paypal.com designates
> > 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
> >    dmarc=pass (p=REJECT sp=REJECT dis=NO

[mailop] Gmail funny: flagged their own DSN message as spam

2022-11-19 Thread Chris Adams via mailop
I have a Gmail address - I don't give it out, the only legit mail I get
to it is generally Google account related stuff (bills and such).  I
have a forward set up on it to send everything to my personal server.

This morning, there was some spam that got through Gmail's filters sent
to it.  Gmail tried to forward it, but my server's spam filters rejected
the message (reject during SMTP, no bounce generated from my server).
Gmail generated a delivery status notification message...  and sent that
directly to the Gmail spam folder.

Oops... :)

-- 
Chris Adams 


Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning

2022-11-19 Thread Alessandro Vesely via mailop

On Sat 19/Nov/2022 12:46:01 +0100 Alessandro Vesely wrote:

> Something is strange in that header...  There is no local A-R, based on
> that header, both signatures (DKIM and AMS) fail to verify irrespective of
> the body hash.

Oops, that's the redaction.  ARC-Seal is good, which means Google really
wrote dkim=pass; spf=pass; dmarc=pass.


Best
Ale
--




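The header Alessandro is reading, as an added example that is not part of the thread and not Google's or anyone's verifier: a small RFC 8601 Authentication-Results parser and a verdict function that only honours a header written by an authserv-id the receiver trusts (any other copy could have been added upstream). The sample value is the Authentication-Results header quoted in the thread, with the sender's local part elided as it was there; the trusted-id set and the helper names are assumptions for the example.

```python
"""Added example (not from the mailop thread): parse an Authentication-Results
header (RFC 8601) into a verdict a filter can act on. The sample value is the
header quoted in the thread; the trusted authserv-id set is an assumption."""

# Value of the Authentication-Results header as posted in the thread (the
# sender's local part was already elided there).
SAMPLE_AR = (
    "mx.google.com;\n"
    "       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;\n"
    "       spf=pass (google.com: domain of serv...@paypal.com designates"
    " 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;\n"
    "       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com"
)


def strip_comments(value: str) -> str:
    """Drop CFWS comments in parentheses (nesting allowed per RFC 5322)."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_authentication_results(value: str):
    """Return (authserv-id, [{"method", "result", "props"}, ...])."""
    stanzas = [s.strip() for s in strip_comments(value).split(";")]
    authserv_id = stanzas[0].split()[0] if stanzas[0] else ""
    results = []
    for stanza in stanzas[1:]:
        if not stanza or stanza == "none":
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        # Remaining tokens are ptype.property=value pairs, e.g. header.from=...
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, results


def verdict(value: str, trusted_authserv_ids: set) -> dict:
    """Only an A-R header written by a verifier we trust counts; RFC 8601 says
    a receiver should discard copies carrying any other authserv-id."""
    authserv_id, results = parse_authentication_results(value)
    if authserv_id not in trusted_authserv_ids:
        return {"authserv_id": authserv_id, "trusted": False}
    by_method = {r["method"]: r for r in results}
    dmarc = by_method.get("dmarc")
    dmarc_pass = dmarc is not None and dmarc["result"] == "pass"
    return {
        "authserv_id": authserv_id,
        "trusted": True,
        "dkim": by_method.get("dkim", {}).get("result"),
        "spf": by_method.get("spf", {}).get("result"),
        "dmarc": dmarc["result"] if dmarc else None,
        # With dmarc=pass the From: domain is authenticated. That says the mail
        # came through that domain's infrastructure, not that its content is
        # legitimate, which is exactly the PayPal-invoice case in the thread.
        "authenticated_from_domain": dmarc["props"].get("header.from") if dmarc_pass else None,
    }


if __name__ == "__main__":
    print(verdict(SAMPLE_AR, {"mx.google.com"}))
```

The verdict for the posted header is dkim, spf and dmarc all `pass` with `paypal.com` as the authenticated From: domain, which is the point of the thread: authentication is doing its job, and the phish has to be caught on content or on the platform's side, not on alignment.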


[mailop] Phishing and 2FA auth

2022-11-19 Thread Slavko via mailop
Hi all,

Recently I searched GitHub projects to find some tools/templates for
phishing messages, as I want to train my colleagues (I am not
interested in real phishing).

As a result I found one Go project for that, but I also found a lot of
projects, which declare themselves as being for training/learning of
course, with phished site templates/copies, and some of them declare
that they are able even to get 2FA OTPs. I have no links to them and I
didn't inspect in detail how it works, as I am not interested in that.
I only remember that they catch OTPs too, by some way, in their site
copies.

But my curiosity grows with time on the topic of what 2FA solves then,
thus I want to ask about it here, in the hope of understanding it better.

Please, can it really be as "simple" as that? If yes, then my
understanding is that 2FA doesn't solve the leaked-passwords problem,
as advertised by many sites, but it solves only that this problem will
be self-solved as the token expires (a week or two), without the user
changing their password. Is my understanding right?

If yes, then 2FA is not the holy grail of solving the SPAM & leaked
passwords problem, as an attacker can send a lot of SPAM via this
phished account (ignore rate limiting for now) until the OTP expires.
Right?

Or do I miss something?

thanks

-- 
Slavko
https://www.slavino.sk/


Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning

2022-11-19 Thread Alessandro Vesely via mailop

On Fri 18/Nov/2022 20:38:11 +0100 Ken Simpson via mailop wrote:

> I've seen the raw email;

You mean not the header Zach posted?

> it did come from PayPal.

Something is strange in that header...  There is no local A-R, based on that
header, both signatures (DKIM and AMS) fail to verify irrespective of the body
hash.

> PayPal needs to get better at recognizing brand images so that this kind of
> impersonation is more difficult on their platform. No doubt they are already
> working on that.

If the message was from Paypal, I guess if Zach had paid he'd have been
eligible for reimbursement.


Best
Ale
--








Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning

2022-11-19 Thread Laura Atkins via mailop
Looks like this is evolving. The first round was the scammers impersonating 
PayPal. Looks like they got a handle on that (after a few weeks) but failed to 
think like the bad guys and anticipate the next round. 

Hopefully the fix is something that can be tweaked to cover brands not PayPal 
rather than having to invent a new system to identify this kind of phish. 

Laura

Sent from my iPhone

> On Nov 18, 2022, at 9:35 PM, Michael Wise via mailop  
> wrote:
> 
> 
>  
> This .. is what I wanted to see.
> Did it really go to you, or did it stop off somewhere else first?
> 
>   To: zachery Rose 
>  
> It does appear that it went direct, so my initial theory is off I guess.
>  
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail ?
>  
> From: mailop  On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 11:38 AM
> Cc: mailop@mailop.org
> Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email this 
> morning
>  
> Yeah, that's my theory at the moment, very likely that the call is coming 
> from inside the house, but they didn't find the person who made the call 
> before it was made. 
>  
>  
> Delivered-To: REDACTED
> Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id r1csp516216eiw;
> Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> X-Google-Smtp-Source: 
> AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
> X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id 
> b17-20020a6567d100b0047687ad9d78mr6785903pgs.169.1668781412334;
> Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
> d=google.com; s=arc-20160816;
> b=U4pbrfCYSxjulk8kCNLer1j7TfaCaowzf2yDYMqeQMVmG4g/JvAXzf0m4serzWoqTi
>  OBEY9TrwfM2j3yQssfS8OMOnWmBP+pO7KYBmg67sBb57BdZlx/+txIylik9rNKuyXsEh
>  O5+LN63Y1RqiSPLK44tgV3uHSeYS5n+qE0gJHgS1lojzvH/tEkxESiQHix+K7sWYnBUt
>  EXjoD4UKa4x1WGOsOPsb64AYM/AMs2TImhoZCqg+tT2Otsn1/Hz34iMozy9tR0yBB15q
>  +Eq4bNx9gjV8EpetyAjAQF7XHwWknzhig/MtiVy76GwNuCpUxd8yW+Bw3/fwTtBL6zl6
>  QFYQ==
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
> s=arc-20160816;
> h=amq-delivery-message-id:mime-version:from:to:subject
>  :pp-correlation-id:message-id:date:content-transfer-encoding
>  :dkim-signature;
> bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
> b=PbkHny3v4CR7wqQUcdh8f9PRFBMO+7dUlCVLzG9d8uDG0Uc+4jNqlkRB5chwPq1AUw
>  QG3rN1n+lpU1t/MEz0fnZ2k1Rwzrr0j/2L0fHhhX0eJ8UheOHbcVNDSF1hjDfwPayN43
>  ggWon6WA5mEYJ6jTPt5ODvSC0shj5SrQBq2C57tCG4WOjWGK63UhilfiZS/GgpoyzgvG
>  UItaCRQKijOkG9k8bNub0rZ77LEdRoCK6RaEe6mhKmTv0doesmgdyhlb8+1e8V8Uvy7T
>  tqhqfvqUyzVOgL5HmUZIjNl/XkNXA966EGTLfDqf1DWDsf0LRjpZpJiJViixPJ63UMKA
>  /azQ==
> ARC-Authentication-Results: i=1; mx.google.com;
>dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
>spf=pass (google.com: domain of serv...@paypal.com designates 
> 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
>dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> Return-Path: 
> Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
> by mx.google.com with ESMTPS id 
> c5-20020a655a8500b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
> for 
> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
> Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> Received-SPF: pass (google.com: domain of serv...@paypal.com designates 
> 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
> Authentication-Results: mx.google.com;
>dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
>spf=pass (google.com: domain of serv...@paypal.com designates 
> 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
>dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; 
> c=relaxed/relaxed;
> q=dns/txt; i=@paypal.com; t=1668781410;
> h=From:From:Subject:Date:To:MIME-Version:Content-Type;
> bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
> b=i5V5Jd8PU85hThj/qbYYNVtrAe9utMx13ls4RqO/wxfIUwhUDUQ0jzygOkTfY88K
> BE74YiE8NsQGHdn4tMuGpInCw+7bnGFPBmOrlk22QztSUjqPH80z6lDtI7NrPpF6
> RYaiNevk4cJU4eEXXyr6fIT1fdcDwFdL4WErZ0w0KLpgYwd7dnwgqDrgvDWNJQWd
> wzgmA+qZ+9UUrDCsv/h3JCmWBoJaFs3Eaph019ifvg2hLCvZ6Zo3iEqE8aLFQx3b
> PDgFKnpTxxI+E1HaIpZJGQwpSI2q7TYrSKvwEBwko9OFXkWe9zlngcE/Km17TlpB
> 0ujZJGDU7e4EtiOBfTM96g==;
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html; charset="UTF-8"
> Date: Fri, 18 Nov 2022 06:23:30 -0800
> Message-ID: <65.AC.09725.26597736@ccg01mail05>
> X-PP-REQUESTED-TIME: 1668781403501
> X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
> PP-Correlation-Id: f3