Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-28 Thread Shivram Krishnan
Hello Bill,

Thank you so much for your views. I agree that your customers would not
like it if you shared information. But as Olivier suggested, I need only the
source IP addresses of the Spam and Ham emails, which can even be
anonymized in the last octet.

Will that still be a privacy concern?



On Tue, Jun 28, 2016 at 9:04 PM, Bill Cole <sausers-20150...@billmail.scconsult.com> wrote:

> On 28 Jun 2016, at 20:33, Shivram Krishnan wrote:
>
>> Hey Guys,
>>
>> I am a researcher at the University of Southern California (
>> https://steel.isi.edu/ ), and I have been working on making  Blacklists
>> more effective by combining different sources of Blacklists, and creating
>> a
>> Blacklists specific for a particular network.
>>
>> Though I have devised a mechanism to generate these blacklists,  I am not
>> finding a suitable evaluation metric. It would be great if somebody could
>> give me a dataset of source IP addresses of emails received by your
>> network
>> which have been marked as HAM/SPAM by Spamassassin for the year 2016.  I
>> do
>> not require the entire SPAM/HAM emails. Using this , I could evaluate the
>> false positives/ true positives of my technique.
>>
>> I had posted a similar question in the previous thread, but that did not
>> get much response.
>>
>> Looking forward to your replies!
>>
>
> You may be disappointed...
>
> It is extremely difficult to get a diverse corpus of non-bulk "Ham" for
> any form of research because most people consider such mail private, even
> when it is not very well protected in practice. I help run mail systems for
> a number of small and medium sized businesses, which handle thousands of
> pieces of one-to-one mail and about as much non-spam B2B bulk mail every
> day. It is functionally impossible for me to try to provide a researcher
> any of that due to real personal privacy and business confidentiality
> issues and the hard cost of the simple logistics of getting permission and
> gathering the mail.  Consumer ISPs would be even less able and willing than
> corporate mail operators, because most of them have highly impersonal
> relationships with their customers and have staff to users ratios that make
> such a project inconceivable without necessarily deceiving users: their
> only way would be to hide permission deep in a TOS no one reads.
>
> The simple bottom line: Mail system operators are not able to give you the
> corpus you need. It's not that we wouldn't like to be able to, but we don't
> have it assembled because we can't ethically do so without investing huge
> amounts of time we do not have.
>
> HOWEVER...
>
> USC is in a particularly good position to be collecting such a corpus.
> "isi.edu" and "usc.edu" are two of the oldest domains on the Internet and
> unless they are very strange among such domains, they are targeted by huge
> streams of spam. Less noticeable: they are probably targeted by substantial
> streams of non-spam "oops" mail. I'd bet that Jon Postel's old address gets
> targeted by hundreds of innocent messages every day, along with thousands
> of pieces of spam. Someone could hand-classify that. You also have the
> advantage of being a sizable private university, so you aren't limited by
> some of the rules public universities have, and you could probably do more
> than a public school -- for example, UCLA or UCB -- could to encourage
> students and staff to let you do research on their Ham.
>
> IOW: MY users would resist or refuse me handing you their private and/or
> confidential mail for "research" they don't care about, I can't quickly
> explain, and none of us is being paid to help. OTOH: YOUR institution is
> well-situated to generate exactly the corpus you seek.
>


Re: Catching well directed spear phishing messages

2016-06-28 Thread Chip M.
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send an email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client, then I have
>spoofed nothing detectable in advance by SA or any mail filter
>technology.

Excellent summary!
The key is that the number of spoofed people is extremely SMALL,
and we _CAN_ anticipate who they are.

It's easy to write a CUSTOM set of rules just for actual/likely
targeted senders (CEO/etc).
For each person/target, create a rule that tests an explicit
list of that person's normal Realname(s) (including reasonable
variations), against the Realname part of the From header, and
if there's a match, test whether the From Address is in a list
of allowed addresses.  Score only if it's a probable phish
Realname from an unknown/unallowed address.

There's lots of potential metas for even a low-scoring rule
(e.g John Hardin's tip).

I've been doing this since 2009, both on a generic basis
(built into my "phishy tokens in headers" anti-phish system),
and on a custom domain level as we notice/anticipate targeted
individuals (all in my post-SA filter - sorry, I have no
examples of SA rules, and am ASSuming they'll be easy to write).

It works extremely well and is easy to maintain. :)


*** Implementation issues:

1. There's potential for name collision, however these would be
manually generated rules, so the maintainer would use his/her
judgement to assign scores.  For example, "Mark Sheppard" is
more likely to have a collision than "Chiwetel Ejiofor". :)

It would be straight forward to add an explicit list of (sender
verified) email addresses to exclude from testing.

In the seven years I've been doing this, I have had zero
collisions, however I have had an occasional FP when a targeted
sender starts sending stuff from himself using a new personal
email address, and does not notify the email admin.  In those
cases, even without a quarantine, the sender should notice it.
A smart quarantine always makes life better.

2. Ideally, one should remove chaff (including potentially
obfuscatory middle initials) and excess whitespace from each
email's From Realname before doing the comparisons.

3. A big issue is fuzzing of Realnames, which is name dependent.
For most Westerners, most spelling variations in "Mark Sheppard"
are much easier to notice than in "Chiwetel Ejiofor".  Leaving
out one of the double-ps in "Sheppard" would be a sensible
variation to add to his (hypothetical) list.

I have not yet noticed any fuzzing "in the wild", however all of
my targets have extremely "anglo" names.  I recommend looking at
tools that create fuzzy variations.

I have seen MANY fuzzes of big non-spear phish targets
(e.g. "paypa1" "paypa"), and have been adding them as they occur.
I plan to add a fuzzy algorithm during my next dev cycle.

4. As John Wilcock mentions, fuzzy domains are an issue.
If you're a target, it's worth generating a list of most likely
variations, then score/block the un-registered ones, and make an
informed decision on the rest.

5. I STRONGLY recommend scoring all "ACE prefix" domains, to
reduce/eliminate all the subtle and/or invisible variations.
We've been doing that for two years, and so far have had 
zero "skip" domain requests.  Note that all our domains are
"Western" centric, though we have a few accounts who do have
regular contact with Unicode-type nations.
You all know your own email ecologies. :)


+1 to all the sensible remarks about good authorization policies.
The best defense has as many layers as practical. :)
- "Chip"
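As an added illustration of the per-target Realname rule described in the post above (this is example code, not Chip M.'s filter and not a SpamAssassin rule), the check below normalizes the From display name, matches it against each protected person's known names with a tolerance for one-character fuzzes, and scores only when the sending address is not on that person's allowlist; it also flags ACE-prefix (xn--) sender domains as in point 5. The protected-name table, allowlists, exclude list, homoglyph map, sample From headers and the edit-distance threshold of 1 are all assumptions of this example.

```python
"""Display-name spear-phish check (constructed example, see lead-in)."""
import re
from email.utils import parseaddr

# Hypothetical protected people: normalized name -> addresses they really use.
PROTECTED = {
    "mark sheppard": {"mark.sheppard@example.com", "msheppard@example.com"},
    "chiwetel ejiofor": {"cejiofor@example.com"},
}
# Sender-verified addresses that legitimately carry a protected name
# (point 1 above); they are never scored. Hypothetical value.
EXCLUDED = {"mark.sheppard@partner.example.net"}

# Assumed digit-for-letter substitutions seen in "paypa1"-style fuzzes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_realname(display: str) -> str:
    """Lower-case the display name, undo digit homoglyphs, drop punctuation,
    middle initials and excess whitespace (point 2 above)."""
    name = display.strip().strip('"').lower().translate(HOMOGLYPHS)
    name = re.sub(r"[^a-z\s'-]", " ", name)  # punctuation becomes whitespace
    tokens = [t for t in name.split() if len(t) > 1]  # drops "j" from "Mark J. Sheppard"
    return " ".join(tokens)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. The post's planned "fuzzy algorithm" is not
    specified; this metric and the threshold of 1 are this example's choice."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header: str, max_distance: int = 1) -> list:
    """Return the list of rule names hit by one From: header value.

    PHISH_REALNAME_<SURNAME>: a protected (or near-protected) name is
    displayed but the address is not on that person's allowlist.
    ACE_PREFIX_DOMAIN: the sender domain contains an IDN "xn--" label.
    An empty list means nothing to score.
    """
    hits = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if any(label.startswith("xn--") for label in domain.split(".")):
        hits.append("ACE_PREFIX_DOMAIN")
    if addr in EXCLUDED:
        return hits  # sender-verified exception, skip the name test
    shown = normalize_realname(display)
    if shown:
        for canonical, allowed in PROTECTED.items():
            if edit_distance(shown, canonical) <= max_distance and addr not in allowed:
                hits.append("PHISH_REALNAME_" + canonical.split()[-1].upper())
                break
    return hits


if __name__ == "__main__":
    # Constructed sample headers; all domains are reserved example names.
    samples = [
        "Mark Sheppard <mark.sheppard@example.com>",          # legitimate
        '"Mark J. Sheppard" <ceo.urgent@freemail.example>',   # middle initial, freemail
        "Mark Shepard <m.shepard@webmail.example>",           # one-letter fuzz
        "Mark Shepp4rd <x@webmail.example>",                  # digit homoglyph
        "Mark Sheppard <mark.sheppard@partner.example.net>",  # excluded sender
        "Alice Smith <alice@other.example>",                  # not a target
        "Mark Sheppard <ceo@xn--exmple-cua.com>",             # ACE-prefix domain
    ]
    for header in samples:
        print(f"{header:55} -> {check_from_header(header) or 'clean'}")
```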



Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-28 Thread Olivier
Shivram

> Though I have devised a mechanism to generate these blacklists, I am not
> finding a suitable evaluation metric. It would be great if somebody could
> give me a dataset of source IP addresses of emails received by your network
> which have been marked as HAM/SPAM by Spamassassin for the year 2016.

Maybe you need to be a bit more specific in what you need: when you
write "source IP", do you mean the envelope? The first Received-by:, the
From header?

I think people would be less concerned about privacy if all you ask is
in a form:

Ham
list of ham IPs

Spam
List of spam IPs

with no name or personal data attached (the list could even be posted
to pastebin through a proxy :)

Best regards,

Olivier


Re: Corpus of Spam/Ham headers(Source IP) for research

2016-06-28 Thread Bill Cole

On 28 Jun 2016, at 20:33, Shivram Krishnan wrote:


Hey Guys,

I am a researcher at the University of Southern California (
https://steel.isi.edu/ ), and I have been working on making Blacklists
more effective by combining different sources of Blacklists, and creating a
Blacklists specific for a particular network.

Though I have devised a mechanism to generate these blacklists, I am not
finding a suitable evaluation metric. It would be great if somebody could
give me a dataset of source IP addresses of emails received by your network
which have been marked as HAM/SPAM by Spamassassin for the year 2016. I do
not require the entire SPAM/HAM emails. Using this, I could evaluate the
false positives/ true positives of my technique.

I had posted a similar question in the previous thread, but that did not
get much response.

Looking forward to your replies!


You may be disappointed...

It is extremely difficult to get a diverse corpus of non-bulk "Ham" for 
any form of research because most people consider such mail private, 
even when it is not very well protected in practice. I help run mail 
systems for a number of small and medium sized businesses, which handle 
thousands of pieces of one-to-one mail and about as much non-spam B2B 
bulk mail every day. It is functionally impossible for me to try to 
provide a researcher any of that due to real personal privacy and 
business confidentiality issues and the hard cost of the simple 
logistics of getting permission and gathering the mail.  Consumer ISPs 
would be even less able and willing than corporate mail operators, 
because most of them have highly impersonal relationships with their 
customers and have staff to users ratios that make such a project 
inconceivable without necessarily deceiving users: their only way would 
be to hide permission deep in a TOS no one reads.


The simple bottom line: Mail system operators are not able to give you 
the corpus you need. It's not that we wouldn't like to be able to, but 
we don't have it assembled because we can't ethically do so without 
investing huge amounts of time we do not have.


HOWEVER...

USC is in a particularly good position to be collecting such a corpus. 
"isi.edu" and "usc.edu" are two of the oldest domains on the Internet and 
unless they are very strange among such domains, they are targeted by 
huge streams of spam. Less noticeable: they are probably targeted by 
substantial streams of non-spam "oops" mail. I'd bet that Jon Postel's 
old address gets targeted by hundreds of innocent messages every day, 
along with thousands of pieces of spam. Someone could hand-classify 
that. You also have the advantage of being a sizable private university, 
so you aren't limited by some of the rules public universities have, and 
you could probably do more than a public school -- for example, UCLA or 
UCB -- could to encourage students and staff to let you do research on 
their Ham.


IOW: MY users would resist or refuse me handing you their private and/or 
confidential mail for "research" they don't care about, I can't quickly 
explain, and none of us is being paid to help. OTOH: YOUR institution is 
well-situated to generate exactly the corpus you seek.


Corpus of Spam/Ham headers(Source IP) for research

2016-06-28 Thread Shivram Krishnan
Hey Guys,

I am a researcher at the University of Southern California (
https://steel.isi.edu/ ), and I have been working on making  Blacklists
more effective by combining different sources of Blacklists, and creating a
Blacklists specific for a particular network.

Though I have devised a mechanism to generate these blacklists,  I am not
finding a suitable evaluation metric. It would be great if somebody could
give me a dataset of source IP addresses of emails received by your network
which have been marked as HAM/SPAM by Spamassassin for the year 2016.  I do
not require the entire SPAM/HAM emails. Using this , I could evaluate the
false positives/ true positives of my technique.

I had posted a similar question in the previous thread, but that did not
get much response.

Looking forward to your replies!


Re: Catching well directed spear phishing messages

2016-06-28 Thread Sidney Markowitz
David Jones wrote on 29/06/16 2:13 AM:
>> From: RW 
>> That wont work in this example because nothing has actually been 
>> spoofed.
> 
> Exactly.  If I search the Internet for the CEO/CIO/CTO/etc of a company
> and send an email from my domain but make the displayed name in
> the visible From: be that CEO/CIO/CTO/etc's full name

Oh, that's right. I misunderstood the situation described in the initial post
in this thread. SpamAssassin is not the right tool for a spear phishing attack
that is, from a technical perspective, a perfectly innocent email that claims
nothing wrong: it might have no spam signals and relies on the recipient being
technically naive and not looking behind the displayed From name.

As Dianne Skoll pointed out the proper defense against this type of attack is
to have proper financial processes in place. That can include technical
measures that would require the CEO to have entered the request in a secure
web form instead of by email. But even that is subject to social engineering
as ultimately somebody with authority can receive a spear phishing email
apparently from someone who can ask them to use that authority. The right
thing to do is to actually put in place the measures that people have spent
time working out over the years as "proper financial processes" to help
prevent not only social engineering hacks but internal fraud and simple
mistakes. Bottom line is that the CEO should not be able to initiate a bank
transfer with even a legitimate phone call to accounting and a promise to send
the details "later".

 Sidney




Re: Catching well directed spear phishing messages

2016-06-28 Thread John Wilcock

On 28/06/2016 at 16:13, David Jones wrote:

From: RW 

That won't work in this example because nothing has actually been
spoofed.

...

All it takes is a compromised account on a trusted mail server (happens
all of the time) to provide a conduit for this type of phishing email.  Very
easy to do which is why we are going to see more and more of this.


Or, if your company is a worthwhile target, it is equally easy for the 
scammer to setup a lookalike domain and configure it with proper SPF, 
DKIM and the like. Who's going to notice that the message came from 
examp1e.com instead of example.com?


Theoretically, of course, custom SA rules could be written to detect 
such lookalikes, but even then, all it takes is for a scammer to have a 
slightly better imagination than the person writing the rules!


--
John


Re: Catching well directed spear phishing messages

2016-06-28 Thread David Jones
>Am I missing something here:

Respectfully, you are.

>An email comes in from the CEO of the business - seemingly from the company, 
>and has a Spam score of 7.5

I am talking about legit emails from trusted senders that won't
hit FREEMAIL_FORGED, RBLs, DBLs or any high scoring rules so
they are below the SA block threshold.  This would be common
from compromised accounts that the bad guy can use in a stealth
manner by deleting the message in the Sent folder and quickly
remove the inbound email from the reply.  The average user would
never notice their account is being used by a second person.


>Content analysis details:   (7.5 points, 5.5 required) 

 >pts rule name  description 
> -- -- 
> 0.0 TVD_RCVD_SPACE_BRACKET No description available. 
> 0.1 HK_RANDOM_FROM From username looks random 
>-0.1 CUST_DNSWL_5_ORG_NT    RBL: list.dnswl.org (No Trust) 
>    [173.201.193.64 listed in list.dnswl.org] 
>-0.1 RCVD_IN_MSPIKE_H3  RBL: Good reputation (+3) 
>    [173.201.193.64 listed in wl.mailspike.net] 
> 0.0 HTML_MESSAGE   BODY: HTML included in message 
> 1.5 BAYES_50   BODY: Bayes spam probability is 40 to 60% 
>    [score: 0.5000] 
> 0.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 
> 0.0 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76 chars 
>-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust) 
>    [173.201.193.64 listed in score.senderscore.com] 
>-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders 
> 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag 
> 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From 
> 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information 
> 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) 
> 

>Content analysis details:   (13.9 points, 5.5 required) 


>How many INTERNAL EMAILS will have a score of 7.5???  Or even 3?  Or 1?

You are correct.  Internal emails (i.e. within Office 365 that don't get scanned)
would not be scored but this scenario I am talking about is from the outside
but the recipient would not notice.  The average user only looks at the visible
"Display Name " and never looks closely at the
actual email address inside the < >.

>In fact, if it came in through the INTERNAL_NETWORK ip range then it wouldn't 
>even be scanned (seen as trusted).  So any email coming "from the CEO" that 
>has a SPAM score is definitely dodgy!

It only takes a couple of external emails to get to the right person to get
thousands of dollars wired to your account to make this worth it.  Some may
get blocked by Reindl Harald's super duper trained Bayesian or meta rules
that he has put thousands of hours into creating with complex scripts that
the rest of us don't have time to setup since mail filtering is only part of our
job and we have a life outside of work.

>How hard can it be to say "if FROM = 'a company address' and a SPAM SCORE 
>EXISTS then treat with rubber gloves."

>So ensure all company emails are put through the company email servers and 
>set the INTERNAL_NETWORK parameters. 

>What's wrong with this?

Compromised accounts and other trusted senders can get through good SA setups.
Bottom line, if the accounting department doesn't have proper procedures
then they can be easily tricked into wiring money to bad guys.
If they can get one person a day to wire thousands of US dollars to them,
then that's a pretty nice income with very little effort once they have
control of a compromised account.  They don't have to blast out tons of
spam like traditionally seen which gets them listed on RBLs and DBLs.

Re: Protected Sky?

2016-06-28 Thread RW
On Tue, 28 Jun 2016 16:10:12 +0200
Reindl Harald wrote:

> On 28.06.2016 at 16:00, RW wrote:
> > On Mon, 27 Jun 2016 22:15:30 +0200
> > Reindl Harald wrote:
> >  
> >> On 27.06.2016 at 21:27, Vincent Fox wrote:
> >>> I saw a reference today in my MxToolbox report, to an RBL named
> >>> Protected Sky which had like double the listing activity of
> >>> Spamhaus. Does anyone know anything about this outfit?  
> >>
> >> that's a bullshit RBL with large amounts of FP's  
> >
> > Is that on the 127.0.0.3 response?  
> 
> well, i saw a few rejects from our servers (mrons using it to reject 
> unscored) and got that confirmed from 2 other sysadmins
> 
> all of the sending machines were on no other RBL and on several DNSWL
> 
> DUNNO which response they got to reject, but i only took notice that 
> this RBL exists by wrong rejections

The 127.0.0.2 response is only intended for controlling greylisting.


Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
Groach wrote on 28.6.2016 17:24:

> On 28/06/2016 16:13, David Jones wrote:
> 
> David Jones wrote on 29/06/16 12:46 AM:
> 
> No, technology can help. The IT department sets up the mail client
> that the CEO uses when out of the office so that it sends mail using
> the company mail server with SSL/TLS and user authentication. Or it
> uses the company's ISP's mail server. Or send domain mail using GMail
> for business. There are a number of choices that are as easy for the
> CEO to use as any personal email method is, but will restrict email
> sent from the company domain to being sent through one of a known set
> of mail servers. Then the company's receiving mail server blocks any
> mail that pretends to be from a company domain sender address that
> was not sent through one of the known valid mail servers. That can be
> a local SpamAssassin rule or something run even earlier in the
> process.
> 
> You are right that social engineering can't be stopped by technology.
> The company should have procedures in place that provide the
> flexibility that CEO seems to need but will still prevent the fraud
> even in the face of successful social engineering. But there is no
> reason the mail setup has to allow spoofed headers From the company
> domain.

Am I missing something here:

An email comes in from the CEO of the business - seemingly from the
company, and has a Spam score of 7.5

Content analysis details:   (7.5 points, 5.5 required) 

 pts rule name  description 
 --
-- 
 0.0 TVD_RCVD_SPACE_BRACKET No description available. 
 0.1 HK_RANDOM_FROM From username looks random 
-0.1 CUST_DNSWL_5_ORG_NTRBL: list.dnswl.org (No Trust) 
[173.201.193.64 listed in list.dnswl.org] 
-0.1 RCVD_IN_MSPIKE_H3  RBL: Good reputation (+3) 
[173.201.193.64 listed in wl.mailspike.net] 
 0.0 HTML_MESSAGE   BODY: HTML included in message 
 1.5 BAYES_50   BODY: Bayes spam probability is 40 to 60% 
[score: 0.5000] 
 0.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 
 0.0 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76
chars 
-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust) 
[173.201.193.64 listed in
score.senderscore.com] 
-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders 
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag 
 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From 
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
information 
 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) 
 

Content analysis details:   (13.9 points, 5.5 required) 

How many INTERNAL EMAILS will have a score of 7.5???  Or even 3?  Or 1?

In fact, if it came in through the INTERNAL_NETWORK ip range then it
wouldn't even be scanned (seen as trusted).  So any email coming "from
the CEO" that has a SPAM score is definitely dodgy!

How hard can it be to say "if FROM = 'a company address' and a SPAM
SCORE EXISTS then treat with rubber gloves." 

> So ensure all company emails are put through the company email servers and 
> set the INTERNAL_NETWORK parameters.  
> 
> What's wrong with this?

Sure, but the case now is that the FROM != 'company address' as this info
is not even shown to the user. What is shown is the CEO Name only. I
couldn't even find a setting for this behaviour in my MUA! 

The FROM address can be anything, as long as the CEO's real name is
there before the address part.

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce



Re: Catching well directed spear phishing messages

2016-06-28 Thread Groach

On 28/06/2016 16:13, David Jones wrote:

David Jones wrote on 29/06/16 12:46 AM:

No, technology can help. The IT department sets up the mail client
that the CEO uses when out of the office so that it sends mail using
the company mail server with SSL/TLS and user authentication. Or it
uses the company's ISP's mail server. Or send domain mail using GMail
for business. There are a number of choices that are as easy for the
CEO to use as any personal email method is, but will restrict email
sent from the company domain to being sent through one of a known set
of mail servers. Then the company's receiving mail server blocks any
mail that pretends to be from a company domain sender address that
was not sent through one of the known valid mail servers. That can be
a local SpamAssassin rule or something run even earlier in the
process.

You are right that social engineering can't be stopped by technology.
The company should have procedures in place that provide the
flexibility that CEO seems to need but will still prevent the fraud
even in the face of successful social engineering. But there is no
reason the mail setup has to allow spoofed headers From the company
domain.


Am I missing something here:

An email comes in from the CEO of the business - seemingly from the 
company, and has a Spam score of 7.5



Content analysis details:   (7.5 points, 5.5 required)

 pts rule name  description
 -- 
--

 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 0.1 HK_RANDOM_FROM From username looks random
-0.1 CUST_DNSWL_5_ORG_NTRBL: list.dnswl.org (No Trust)
[173.201.193.64 listed in list.dnswl.org]
-0.1 RCVD_IN_MSPIKE_H3  RBL: Good reputation (+3)
[173.201.193.64 listed in wl.mailspike.net]
 0.0 HTML_MESSAGE   BODY: HTML included in message
 1.5 BAYES_50   BODY: Bayes spam probability is 40 to 60%
[score: 0.5000]
 0.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76 
chars

-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
[173.201.193.64 listed in 
score.senderscore.com]

-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)


Content analysis details:   (13.9 points, 5.5 required)



How many INTERNAL EMAILS will have a score of 7.5???  Or even 3?  Or 1?

In fact, if it came in through the INTERNAL_NETWORK ip range then it 
wouldn't even be scanned (seen as trusted).  So any email coming "from 
the CEO" that has a SPAM score is definitely dodgy!


How hard can it be to say "if FROM = 'a company address' and a SPAM 
SCORE EXISTS then treat with rubber gloves."


So ensure all company emails are put through the company email servers 
and set the INTERNAL_NETWORK parameters.


What's wrong with this?




Re: Catching well directed spear phishing messages

2016-06-28 Thread Dianne Skoll
About the only way to combat these sorts of things is to have proper
financial processes in place.  In other words, have checks to ensure
that no-one can initiate a wire transfer without a vendor invoice,
etc.  Common sense stuff... but it's so easy to slip and you only have
to slip once. :(

Regards,

Dianne.



Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson

Reindl Harald wrote on 28.6.2016 16:56:
> On 28.06.2016 at 15:25, Jari Fredriksson wrote:
>>> Almost all the phishes I've received in the last few years have done
>>> this - except that they have something like "paypal support" rather
>>> than an individual's name.
>> 
>> Ah, so true
> 
> you should look at that - enters my junk folder even with a
> whitelist_auth because of the domain-blacklist
> 
> URIBL_BLACK
> Contains an URL listed in the URIBL blacklist
> [URIs: bitwell.biz]

I don't see that happening in my SA, nor at
https://admin.uribl.com/?section=lookup;

X-Spam-Report:
* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/,
high
*  trust
*  [140.211.11.3 listed in list.dnswl.org]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*  [140.211.11.3 listed in wl.mailspike.net]
*  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail
*  domains are different
* -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
* -0.0 DKIM_VERIFIED No description available.
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's
*   domain
*  0.8 KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz
domains
*  in spam/malware
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders


-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce


Re: Catching well directed spear phishing messages

2016-06-28 Thread David Jones
>From: RW 
>Sent: Tuesday, June 28, 2016 8:50 AM
>To: users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
    
>On Wed, 29 Jun 2016 01:30:55 +1200
>Sidney Markowitz wrote:

>> David Jones wrote on 29/06/16 12:46 AM:
>> > This is pure social engineering that can't be stopped by
>> > technology.  The AP dept has to have proper safeguards and out of
>> > band validation (i.e. phone call to the "Recognized Name").  
>> 
>> No, technology can help. The IT department sets up the mail client
>> that the CEO uses when out of the office so that it sends mail using
>> the company mail server with SSL/TLS and user authentication. Or it
>> uses the company's ISP's mail server. Or send domain mail using GMail
>> for business. There are a number of choices that are as easy for the
>> CEO to use as any personal email method is, but will restrict email
>> sent from the company domain to being sent through one of a known set
>> of mail servers. Then the company's receiving mail server blocks any
>> mail that pretends to be from a company domain sender address that
>> was not sent through one of the known valid mail servers. That can be
>> a local SpamAssassin rule or something run even earlier in the
>> process.
>> 
>> You are right that social engineering can't be stopped by technology.
>> The company should have procedures in place that provide the
>> flexibility that CEO seems to need but will still prevent the fraud
>> even in the face of successful social engineering. But there is no
>> reason the mail setup has to allow spoofed headers From the company
>> domain.

>That won't work in this example because nothing has actually been 
>spoofed.

Exactly.  If I search the Internet for the CEO/CIO/CTO/etc of a company
and send an email from my domain but make the displayed name in
the visible From: be that CEO/CIO/CTO/etc's full name that the recipient
is used to seeing in the mail client, then I have spoofed nothing detectable
in advance by SA or any mail filter technology.  The sender could be anyone
and as long as that sending domain is not on any DBLs and the sending IP
is not on any RBLs (yet), then the email would pass through.

Envelope-from = ena.com
Header From: = ena.com
Visible/Displayed From: = "Recognized Name "

That email would pass SPF and strict DMARC (p=reject) checking.  If the
recipient just looked at "Recognized Name" and ignored the "ena.com",
then they wire the money and don't think twice about it until they follow
up with the C-level person later which wouldn't know anything about it.

All it takes is a compromised account on a trusted mail server (happens
all of the time) to provide a conduit for this type of phishing email.  Very
easy to do which is why we are going to see more and more of this.

Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald



On 28.06.2016 at 16:08, Jari Fredriksson wrote:

Reindl Harald wrote on 28.6.2016 16:56:

On 28.06.2016 at 15:25, Jari Fredriksson wrote:

Almost all the phishes I've received in the last few years have done
this - except that they have something like "paypal support" rather
than an individual's name.


Ah, so true



you should look at that - enters my junk folder even with a
whitelist_auth because of the domain-blacklist



URIBL_BLACK
Contains an URL listed in the URIBL blacklist
[URIs: bitwell.biz]


I don't see that happening in my SA, nor at
https://admin.uribl.com/?section=lookup


dunno - but all your mails including my own to the list pointing it out 
are ending in the junk folder


X-Spam-Report: Flag: No,
 *  6.5 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: bitwell.biz]
 * -0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
 *      [140.211.11.3 listed in score.senderscore.com]
 * -0.5 CUST_DNSWL_11_ORG_HIGH RBL: list.dnswl.org (High Trust)
 *      [140.211.11.3 listed in list.dnswl.org]
 * -0.2 CUST_DNSWL_8_TL_NT RBL: dnswl-aggregate.thelounge.net (No Trust)
 *      [140.211.11.3 listed in dnswl-aggregate.thelounge.net]
 * -0.1 CUST_DNSWL_3_JEF_LOW RBL: hostkarma.junkemailfilter.com (Low Trust)
 *      [140.211.11.3 listed in hostkarma.junkemailfilter.com]
 * -0.1 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
 *      [140.211.11.3 listed in wl.mailspike.net]
 * -100 USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
 *  0.0 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
 *  0.0 CUST_SHORTCIRCUIT Skip tests based on whitelists/blacklists and
 *      local relays
Return-Path: users-return-112640-h.reindl=thelounge@spamassassin.apache.org
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit





Re: Protected Sky?

2016-06-28 Thread Reindl Harald


On 28.06.2016 at 16:00 RW wrote:

On Mon, 27 Jun 2016 22:15:30 +0200
Reindl Harald wrote:


On 27.06.2016 at 21:27 Vincent Fox wrote:

I saw a reference today in my MxToolbox report, to an RBL named
Protected Sky which had like double the listing activity of
Spamhaus. Does anyone know anything about this outfit?


that's a bullshit RBL with large amounts of FP's


Is that on the 127.0.0.3 response?


well, I saw a few rejects from our servers (morons using it to reject 
unscored) and got that confirmed from 2 other sysadmins


all of the sending machines were on no other RBL and on several DNSWL

DUNNO which response they got to reject, but I only took notice that 
this RBL exists by wrong rejections






Re: Catching well directed spear phishing messages

2016-06-28 Thread RW
On Wed, 29 Jun 2016 01:30:55 +1200
Sidney Markowitz wrote:

> David Jones wrote on 29/06/16 12:46 AM:
> > This is pure social engineering that can't be stopped by
> > technology.  The AP dept has to have proper safeguards and out of
> > band validation (i.e. phone call to the "Recognized Name").  
> 
> No, technology can help. The IT department sets up the mail client
> that the CEO uses when out of the office so that it sends mail using
> the company mail server with SSL/TLS and user authentication. Or it
> uses the company's ISP's mail server. Or send domain mail using GMail
> for business. There are a number of choices that are as easy for the
> CEO to use as any personal email method is, but will restrict email
> sent from the company domain to being sent through one of a known set
> of mail servers. Then the company's receiving mail server blocks any
> mail that pretends to be from a company domain sender address that
> was not sent through one of the known valid mail servers. That can be
> a local SpamAssassin rule or something run even earlier in the
> process.
> 
> You are right that social engineering can't be stopped by technology.
> The company should have procedures in place that provide the
> flexibility that CEO seems to need but will still prevent the fraud
> even in the face of successful social engineering. But there is no
> reason the mail setup has to allow spoofed headers From the company
> domain.

That wont work in this example because nothing has actually been 
spoofed.


Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Reindl Harald wrote on 28.6.2016 16:56:
> On 28.06.2016 at 15:25 Jari Fredriksson wrote:
>>> Almost all the phishes I've received in the last few years have done
>>> this - except that they have something like "paypal support" rather
>>> than an individual's name.
>> 
>> Ah, so true
> 
> you should look at that - enters my junk folder even with a
> whitelist_auth because of the domain-blacklist
> 
> URIBL_BLACK
> Contains an URL listed in the URIBL blacklist
> [URIs: bitwell.biz]

Thanks for the heads up!

- -- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAldygwgACgkQKL4IzOyjSrYjJwCg583oP4MHMYYZ45c+U52zTOCr
1lAAoPmF+3VwFoITyIdXgv1kLotRTHE3
=k/Yb
-END PGP SIGNATURE-


Re: Protected Sky?

2016-06-28 Thread RW
On Mon, 27 Jun 2016 22:15:30 +0200
Reindl Harald wrote:

> On 27.06.2016 at 21:27 Vincent Fox wrote:
> > I saw a reference today in my MxToolbox report, to an RBL named
> > Protected Sky which had like double the listing activity of
> > Spamhaus. Does anyone know anything about this outfit?  
> 
> that's a bullshit RBL with large amounts of FP's

Is that on the 127.0.0.3 response?


Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald



On 28.06.2016 at 15:25 Jari Fredriksson wrote:

Almost all the phishes I've received in the last few years have done
this - except that they have something like "paypal support" rather
than an individual's name.


Ah, so true


you should look at that - enters my junk folder even with a 
whitelist_auth because of the domain-blacklist


URIBL_BLACK
Contains an URL listed in the URIBL blacklist
[URIs: bitwell.biz]





Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald



On 28.06.2016 at 15:30 Sidney Markowitz wrote:

You are right that social engineering can't be stopped by technology. The
company should have procedures in place that provide the flexibility that CEO
seems to need but will still prevent the fraud even in the face of successful
social engineering. But there is no reason the mail setup has to allow spoofed
headers From the company domain


if things only would be that easy


blacklist_from *@your-bank.tld
whitelist_auth *@your-bank.tld

in theory that would stop any forgery; in real life I had to revert this 
after a big payment service using proper SPF then sent their newsletters 
with an external service, envelope of the external service but From 
header matching the blacklist_from, preventing a whitelist_auth hit



in fact, to make such things work without breaking mailing-lists and 
whatnot else, one would be required to use a dedicated subdomain for 
business email which is never used outside the own network, and *then* 
you can easily block any message with envelope or From header touching 
your MX


but that would also require that the users understand "THIS address MUST 
NOT be used for anything other than submission mail, and use THIS email 
address for mailing-lists and other things"


one can now come with "DKIM exists" - then look how often the DKIM check 
failed in the past, up to becoming T_DKIM_INVALID as a testing rule because 
of too many false positives


https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6462
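To make the failure Harald describes concrete, here is an added example (written for this page, not from the thread and not SpamAssassin's own code) in Python that models how a `blacklist_from` / `whitelist_auth` pair scores the situations discussed in this thread: an outsider forging the bank's domain in From:, a genuine submission that passes SPF (the setup Sidney recommends), a newsletter relayed by an external service with its own envelope and DKIM domain, and the display-name-only impersonation from David's report. A second pattern models the dedicated-subdomain arrangement from the post above. The simplified rule semantics, the domains (your-bank.tld, attacker.example, mail.esp.example) and the messages are assumptions, marked as such in the code.

```python
"""Model of a blacklist_from / whitelist_auth pair on constructed messages.

Added example, not SpamAssassin code.  Rule semantics as modelled here
(an assumption, deliberately simplified; SA has more sender headers and
more whitelist variants):
  * blacklist_from PATTERN -> USER_IN_BLACKLIST (+100) when the From:
    address or the envelope sender matches PATTERN
  * whitelist_auth PATTERN -> USER_IN_SPF_WHITELIST (-100) when the envelope
    sender matches PATTERN and SPF passes for it, and USER_IN_DKIM_WHITELIST
    (-100) when the From: address matches PATTERN and a valid DKIM signature
    has d= equal to the From: domain
"""
import fnmatch
from email.utils import parseaddr

# Constructed sample messages.  'spf' is the SPF result for the envelope
# sender; 'dkim_d' is the d= of a valid signature, or None if unsigned.
SAMPLES = {
    # Outsider puts the bank's domain in From:, keeps their own envelope domain.
    "forged_from": dict(envelope_from="bounce@attacker.example",
                        header_from="Alice Chief <alice@your-bank.tld>",
                        spf="pass", dkim_d=None),
    # Genuine mail submitted through the bank's own SPF-listed server.
    "genuine": dict(envelope_from="alice@your-bank.tld",
                    header_from="Alice Chief <alice@your-bank.tld>",
                    spf="pass", dkim_d=None),
    # Newsletter sent by an external service: envelope and DKIM belong to it.
    "esp_newsletter": dict(envelope_from="bounce-123@mail.esp.example",
                           header_from="Your Bank News <news@your-bank.tld>",
                           spf="pass", dkim_d="mail.esp.example"),
    # Display-name-only impersonation from the thread: no bank domain anywhere.
    "display_name_only": dict(envelope_from="alice@otherdomain.example",
                              header_from="Alice Chief <alice@otherdomain.example>",
                              spf="pass", dkim_d=None),
    # Same two cases against a dedicated business-mail subdomain.
    "forged_corp": dict(envelope_from="bounce@attacker.example",
                        header_from="Alice Chief <alice@corp.your-bank.tld>",
                        spf="pass", dkim_d=None),
    "genuine_corp": dict(envelope_from="alice@corp.your-bank.tld",
                         header_from="Alice Chief <alice@corp.your-bank.tld>",
                         spf="pass", dkim_d=None),
}


def _glob(pattern, address):
    """SA-style glob: '*@your-bank.tld' matches any local part at that domain."""
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def _domain(address):
    return address.rpartition("@")[2].lower()


def user_in_blacklist(msg, pattern):
    hdr = parseaddr(msg["header_from"])[1]
    return _glob(pattern, hdr) or _glob(pattern, msg["envelope_from"])


def user_in_spf_whitelist(msg, pattern):
    return msg["spf"] == "pass" and _glob(pattern, msg["envelope_from"])


def user_in_dkim_whitelist(msg, pattern):
    hdr = parseaddr(msg["header_from"])[1]
    return (msg["dkim_d"] is not None and msg["dkim_d"].lower() == _domain(hdr)
            and _glob(pattern, hdr))


def score(msg, pattern):
    """Return (total score, names of rules that hit) for one message."""
    hits = []
    if user_in_blacklist(msg, pattern):
        hits.append(("USER_IN_BLACKLIST", 100))
    if user_in_spf_whitelist(msg, pattern):
        hits.append(("USER_IN_SPF_WHITELIST", -100))
    if user_in_dkim_whitelist(msg, pattern):
        hits.append(("USER_IN_DKIM_WHITELIST", -100))
    return sum(s for _, s in hits), [n for n, _ in hits]


def evaluate(pattern):
    """Score every sample under one blacklist_from/whitelist_auth pattern."""
    return {name: score(msg, pattern)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for pattern in ("*@your-bank.tld", "*@corp.your-bank.tld"):
        print(pattern, evaluate(pattern))
```

Under `*@your-bank.tld` the forgery scores +100 and the genuine message nets 0, but the newsletter also scores +100 because neither its envelope (SPF) nor its signature (DKIM d=) belongs to the From: domain, which is the false positive that forced the revert. The display-name-only message scores 0: these two directives never see it, which is the point David makes earlier in the thread. Under `*@corp.your-bank.tld` the newsletter is untouched and the forgery of the business subdomain still scores +100, but only as long as nobody uses that subdomain for list traffic or third-party senders.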





Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

RW wrote on 28.6.2016 16:10:
> On Tue, 28 Jun 2016 15:52:10 +0300
> Jari Fredriksson wrote:
> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>> 
>> David Jones wrote on 28.6.2016 15:46:
> 
>> > One of my customers has been hit by at least one of these emails
>> > even with good RBLs in use and properly trained Bayes.  The emails
>> > themselves are perfectly formed and score very low.  They use an
>> > envelope-from of their own domain to pass all SPF checks but they
>> > use a visible From: of "Recognized Name
>> > ".  Even DMARC checks would pass for the
>> > otherdomain.com.  The issue is the finance person sees the
>> > "Recognized Name" and doesn't look closely at the otherdomain.com.
>> > This is pure social engineering that can't be stopped by
>> > technology.  The AP dept has to have proper safeguards and out of
>> > band validation (i.e. phone call to the "Recognized Name").
> 
>> I just refuse to believe that the technology has to trust the
>> From:.*xxx in the smtp payload and not reject this at once. Does the
>> customer use some dmarc-implementation in their mail chain at all?
> 
> There's actually nothing to link it to the recipient's domain. The
> envelope address and header from domain are whatever the sender wants
> to use. It's all down to the displayed first name and surname which is
> all most email clients display.
> 
> Almost all the phishes I've received in the last few years have done
> this - except that they have something like "paypal support" rather
> than an individual's name.


Ah, so true.


- -- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAldyeuEACgkQKL4IzOyjSrZMlQCgsgwpMrayXJO7kVotYnBpF2xO
HucAnRICLQhEqEu65mVMWuBQIA08JWHe
=Npc6
-END PGP SIGNATURE-


Re: Catching well directed spear phishing messages

2016-06-28 Thread Sidney Markowitz
David Jones wrote on 29/06/16 12:46 AM:
> This is pure social engineering that can't be stopped by technology.  The AP
> dept has to have proper safeguards and out of band validation (i.e. phone
> call to the "Recognized Name").

No, technology can help. The IT department sets up the mail client that the
CEO uses when out of the office so that it sends mail using the company mail
server with SSL/TLS and user authentication. Or it uses the company's ISP's
mail server. Or send domain mail using GMail for business. There are a number
of choices that are as easy for the CEO to use as any personal email method
is, but will restrict email sent from the company domain to being sent through
one of a known set of mail servers. Then the company's receiving mail server
blocks any mail that pretends to be from a company domain sender address that
was not sent through one of the known valid mail servers. That can be a local
SpamAssassin rule or something run even earlier in the process.

You are right that social engineering can't be stopped by technology. The
company should have procedures in place that provide the flexibility that CEO
seems to need but will still prevent the fraud even in the face of successful
social engineering. But there is no reason the mail setup has to allow spoofed
headers From the company domain.

Sidney


Re: Catching well directed spear phishing messages

2016-06-28 Thread RW
On Tue, 28 Jun 2016 15:52:10 +0300
Jari Fredriksson wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> David Jones wrote on 28.6.2016 15:46:

> > One of my customers has been hit by at least one of these emails
> > even with good RBLs in use and properly trained Bayes.  The emails
> > themselves are perfectly formed and score very low.  They use an
> > envelope-from of their own domain to pass all SPF checks but they
> > use a visible From: of "Recognized Name
> > ".  Even DMARC checks would pass for the
> > otherdomain.com.  The issue is the finance person sees the
> > "Recognized Name" and doesn't look closely at the otherdomain.com.
> > This is pure social engineering that can't be stopped by
> > technology.  The AP dept has to have proper safeguards and out of
> > band validation (i.e. phone call to the "Recognized Name").

> I just refuse to believe that the technology has to trust the
> From:.*xxx in the smtp payload and not reject this at once. Does the
> customer use some dmarc-implementation in their mail chain at all?

There's actually nothing to link it to the recipient's domain. The
envelope address and header from domain are whatever the sender wants
to use. It's all down to the displayed first name and surname which is
all most email clients display.

Almost all the phishes I've received in the last few years have done
this - except that they have something like "paypal support" rather
than an individual's name.


Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald



On 28.06.2016 at 14:52 Jari Fredriksson wrote:

I just refuse to believe that the technology has to trust the
From:.*xxx in the smtp payload and not reject this at once. Does the
customer use some dmarc-implementation in their mail chain at all?


well, when none of your users are supposed to use mailing lists like this 
you can reject with http://www.postfix.org/header_checks.5.html and a 
simple regex-rule


that depends on a sane setup where your MX server is *never* used to 
handle internal email, by having a dedicated inbound and a dedicated 
submission server






Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David Jones wrote on 28.6.2016 15:46:
>> From: Sidney Markowitz 
>> Sent: Tuesday, June 28, 2016 3:15 AM
>> To: Ram; users@spamassassin.apache.org
>> Subject: Re: Catching well directed spear phishing messages
>  
>> Ram wrote on 28/06/16 7:19 PM:
>>> 
>>> 
>>> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
 Hai!
 
 I don't understand why they would match your SPF record either. Are they 
 sent out by an IP address you 'approved'??
>>> SPF does not fail , because they use a different envelope address..
>>> which may pass SPF
>>> The end recipient does not check the envelope anyway
> 
>> You should have local SpamAssassin rules that do check the envelope sender.
>> This is about official company mail from the company domain. You can require
>> that all employees use mail clients that are properly configured by the
>> company IT to send all official company mail. SpamAssassin can be configured
>> with local rules that stop anything that has a company domain header sender
>> address that does not also have a matching envelope sender address and passes
>> SPF. There is no reason to allow the CEO to send company mail without using a
>> proper mail server that appears on the SPF record.
> 
>> The end recipient can't be expected to check all the headers, but 
>> SpamAssassin
>> can do that before the end recipient receives the mail.
> 
>>  Sidney
> 
> One of my customers has been hit by at least one of these emails even with
> good RBLs in use and properly trained Bayes.  The emails themselves are
> perfectly formed and score very low.  They use an envelope-from of their
> own domain to pass all SPF checks but they use a visible From: of
> "Recognized Name ".  Even DMARC checks
> would pass for the otherdomain.com.  The issue is the finance person sees
> the "Recognized Name" and doesn't look closely at the otherdomain.com.
> This is pure social engineering that can't be stopped by technology.  The AP
> dept has to have proper safeguards and out of band validation (i.e. phone
> call to the "Recognized Name").
> 
> In my instance, the finance person was told to wire thousands of dollars
> and the bad guy changed the banking information twice and the person
> still wasn't suspicious enough to stop and validate the request.  The real
> problem is this is a very common practice for high-level people to request
> wire transfers for legitimate projects while out on the road so the AP dept
> lets down their guard.

I just refuse to believe that the technology has to trust the
From:.*xxx in the smtp payload and not reject this at once. Does the
customer use some dmarc-implementation in their mail chain at all?

- -- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAldycvsACgkQKL4IzOyjSrZFcQCgo28pdB9piIMlt9lktMpTnxgw
9IEAnibpGKGmR2geqgpQ2IpMGwqb+7aA
=kBlj
-END PGP SIGNATURE-


Re: Catching well directed spear phishing messages

2016-06-28 Thread David Jones
>From: Sidney Markowitz 
>Sent: Tuesday, June 28, 2016 3:15 AM
>To: Ram; users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
    
>Ram wrote on 28/06/16 7:19 PM:
>> 
>> 
>> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>>> Hai!
>>>
>>> I don't understand why they would match your SPF record either. Are they 
>>> sent out by an IP address you 'approved'??
>> SPF does not fail , because they use a different envelope address.. 
>> which may pass SPF
>> The end recipient does not check the envelope anyway

>You should have local SpamAssassin rules that do check the envelope sender.
>This is about official company mail from the company domain. You can require
>that all employees use mail clients that are properly configured by the
>company IT to send all official company mail. SpamAssassin can be configured
>with local rules that stop anything that has a company domain header sender
>address that does not also have a matching envelope sender address and passes
>SPF. There is no reason to allow the CEO to send company mail without using a
>proper mail server that appears on the SPF record.

>The end recipient can't be expected to check all the headers, but SpamAssassin
>can do that before the end recipient receives the mail.

> Sidney

One of my customers has been hit by at least one of these emails even with
good RBLs in use and properly trained Bayes.  The emails themselves are
perfectly formed and score very low.  They use an envelope-from of their
own domain to pass all SPF checks but they use a visible From: of
"Recognized Name ".  Even DMARC checks
would pass for the otherdomain.com.  The issue is the finance person sees
the "Recognized Name" and doesn't look closely at the otherdomain.com.
This is pure social engineering that can't be stopped by technology.  The AP
dept has to have proper safeguards and out of band validation (i.e. phone
call to the "Recognized Name").

In my instance, the finance person was told to wire thousands of dollars
and the bad guy changed the banking information twice and the person
still wasn't suspicious enough to stop and validate the request.  The real
problem is this is a very common practice for high-level people to request
wire transfers for legitimate projects while out on the road so the AP dept
lets down their guard.

Re: Catching well directed spear phishing messages

2016-06-28 Thread Sidney Markowitz
Ram wrote on 28/06/16 7:19 PM:
> 
> 
> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>> Hai!
>>
>> I don't understand why they would match your SPF record either. Are they 
>> sent out by an IP address you 'approved'??
> SPF does not fail , because they use a different envelope address.. 
> which may pass SPF
> The end recipient does not check the envelope anyway

You should have local SpamAssassin rules that do check the envelope sender.
This is about official company mail from the company domain. You can require
that all employees use mail clients that are properly configured by the
company IT to send all official company mail. SpamAssassin can be configured
with local rules that stop anything that has a company domain header sender
address that does not also have a matching envelope sender address and passes
SPF. There is no reason to allow the CEO to send company mail without using a
proper mail server that appears on the SPF record.

The end recipient can't be expected to check all the headers, but SpamAssassin
can do that before the end recipient receives the mail.

 Sidney




Re: Catching well directed spear phishing messages

2016-06-28 Thread Ram



On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:

Hai!

I don't understand why they would match your SPF record either. Are they sent 
out by an IP address you 'approved'??
SPF does not fail , because they use a different envelope address.. 
which may pass SPF

The end recipient does not check the envelope anyway






Thanks,
Raymond Dijkxhoorn


On 28 Jun 2016 at 03:27, jdebert wrote the following:

On Mon, 27 Jun 2016 18:41:04 +0530
Ram  wrote:


I am seeing messages that appear to come from the MD or the CEO of
the company to the accounts department asking people to transfer
money to some fake account

These messages were initially few and I ignored. But now this has
become a problem.
I know these are not spam messages so catching them will be out of
scope for a spam filter.

These messages have different envelope ids  so SPF checks always pass.
The header from is properly formatted exactly how it will be in a
normal mail

What measures do you take for such spear phishing

Thanks
Ram

You're not using the proper tools. You cannot expect spamassassin to
magically prevent all such messages. Just because spamassassin or any
other filter passes such a message does not mean it is valid. To use
spamassassin and filters to block such messages gives a false sense
of security and leads to false assumptions of authenticity. Your company
must enforce strict AP controls to prevent payouts based on such
messages and the controls must apply to everyone, including the CEO. Those are 
the proper tools.

Given that these messages are appearing more frequently, it may be that
some have already been successful. I suggest you consider an AP audit
to ensure that this is not the case





Re: Catching well directed spear phishing messages

2016-06-28 Thread Raymond Dijkxhoorn
Hai!

I don't understand why they would match your SPF record either. Are they sent 
out by an IP address you 'approved'??

Thanks,
Raymond Dijkxhoorn

> On 28 Jun 2016 at 03:27, jdebert wrote the following:
> 
> On Mon, 27 Jun 2016 18:41:04 +0530
> Ram  wrote:
> 
>> I am seeing messages that appear to come from the MD or the CEO of
>> the company to the accounts department asking people to transfer
>> money to some fake account
>> 
>> These messages were initially few and I ignored. But now this has
>> become a problem.
>> I know these are not spam messages so catching them will be out of
>> scope for a spam filter.
>> 
>> These messages have different envelope ids  so SPF checks always pass.
>> The header from is properly formatted exactly how it will be in a
>> normal mail
>> 
>> What measures do you take for such spear phishing
>> 
>> Thanks
>> Ram
> 
> You're not using the proper tools. You cannot expect spamassassin to
> magically prevent all such messages. Just because spamassassin or any
> other filter passes such a message does not mean it is valid. To use
> spamassassin and filters to block such messages gives a false sense
> of security and leads to false assumptions of authenticity. Your company
> must enforce strict AP controls to prevent payouts based on such
> messages and the controls must apply to everyone, including the CEO. Those 
> are the proper tools. 
> 
> Given that these messages are appearing more frequently, it may be that
> some have already been successful. I suggest you consider an AP audit
> to ensure that this is not the case
>