Re: Corpus of Spam/Ham headers(Source IP) for research
Hello Bill,

Thank you so much for your views. I agree that your customers would not like it if you share information. But as Oliver suggested, I need only the source IP addresses of the Spam and Ham emails, which can even be anonymized in the last octet. Will that still be a privacy concern?

On Tue, Jun 28, 2016 at 9:04 PM, Bill Cole <sausers-20150...@billmail.scconsult.com> wrote:
> On 28 Jun 2016, at 20:33, Shivram Krishnan wrote:
>
>> Hey Guys,
>>
>> I am a researcher at the University of Southern California ( https://steel.isi.edu/ ), and I have been working on making Blacklists more effective by combining different sources of Blacklists, and creating a Blacklists specific for a particular network.
>>
>> Though I have devised a mechanism to generate these blacklists, I am not finding a suitable evaluation metric. It would be great if somebody could give me a dataset of source IP addresses of emails received by your network which have been marked as HAM/SPAM by Spamassassin for the year 2016. I do not require the entire SPAM/HAM emails. Using this, I could evaluate the false positives/true positives of my technique.
>>
>> I had posted a similar question in the previous thread, but that did not get much response.
>>
>> Looking forward to your replies!
>
> You may be disappointed...
>
> It is extremely difficult to get a diverse corpus of non-bulk "Ham" for any form of research because most people consider such mail private, even when it is not very well protected in practice. I help run mail systems for a number of small and medium sized businesses, which handle thousands of pieces of one-to-one mail and about as much non-spam B2B bulk mail every day. It is functionally impossible for me to try to provide a researcher any of that due to real personal privacy and business confidentiality issues and the hard cost of the simple logistics of getting permission and gathering the mail.
>
> Consumer ISPs would be even less able and willing than corporate mail operators, because most of them have highly impersonal relationships with their customers and have staff to users ratios that make such a project inconceivable without necessarily deceiving users: their only way would be to hide permission deep in a TOS no one reads.
>
> The simple bottom line: Mail system operators are not able to give you the corpus you need. It's not that we wouldn't like to be able to, but we don't have it assembled because we can't ethically do so without investing huge amounts of time we do not have.
>
> HOWEVER...
>
> USC is in a particularly good position to be collecting such a corpus. "isi.edu" and "usc.edu" are two of the oldest domains on the Internet and unless they are very strange among such domains, they are targeted by huge streams of spam. Less noticeable: they are probably targeted by substantial streams of non-spam "oops" mail. I'd bet that Jon Postel's old address gets targeted by hundreds of innocent messages every day, along with thousands of pieces of spam. Someone could hand-classify that. You also have the advantage of being a sizable private university, so you aren't limited by some of the rules public universities have, and you could probably do more than a public school -- for example, UCLA or UCB -- could to encourage students and staff to let you do research on their Ham.
>
> IOW: MY users would resist or refuse me handing you their private and/or confidential mail for "research" they don't care about, I can't quickly explain, and none of us is being paid to help. OTOH: YOUR institution is well-situated to generate exactly the corpus you seek.
Re: Catching well directed spear phishing messages
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
> If I search the Internet for the CEO/CIO/CTO/etc of a company and send an email from my domain but make the displayed name in the visible From: be that CEO/CIO/CTO/etc's full name that the recipient is used to seeing in the mail client, then I have spoofed nothing detectable in advance by SA or any mail filter technology.

Excellent summary! The key is that the number of spoofed people is extremely SMALL, and we _CAN_ anticipate who they are. It's easy to write a CUSTOM set of rules just for actual/likely targeted senders (CEO/etc).

For each person/target, create a rule that tests an explicit list of that person's normal Realname(s) (including reasonable variations) against the Realname part of the From header, and if there's a match, test whether the From Address is in a list of allowed addresses. Score only if it's a probable phish Realname from an unknown/unallowed address. There's lots of potential metas for even a low-scoring rule (e.g. John Hardin's tip).

I've been doing this since 2009, both on a generic basis (built into my "phishy tokens in headers" anti-phish system), and on a custom domain level as we notice/anticipate targeted individuals (all in my post-SA filter - sorry, I have no examples of SA rules, and am ASSuming they'll be easy to write). It works extremely well and is easy to maintain. :)

*** Implementation issues:

1. There's potential for name collision, however these would be manually generated rules, so the maintainer would use his/her judgement to assign scores. For example, "Mark Sheppard" is more likely to have a collision than "Chiwetel Ejiofor". :) It would be straightforward to add an explicit list of (sender verified) email addresses to exclude from testing. In the seven years I've been doing this, I have had zero collisions, however I have had an occasional FP when a targeted sender starts sending stuff from himself using a new personal email address, and does not notify the email admin. In those cases, even without a quarantine, the sender should notice it. A smart quarantine always makes life better.

2. Ideally, one should remove chaff (including potentially obfuscatory middle initials) and excess whitespace from each email's From Realname before doing the comparisons.

3. A big issue is fuzzing of Realnames, which is name dependent. For most Westerners, most spelling variations in "Mark Sheppard" are much easier to notice than in "Chiwetel Ejiofor". Leaving out one of the double-ps in "Sheppard" would be a sensible variation to add to his (hypothetical) list. I have not yet noticed any fuzzing "in the wild", however all of my targets have extremely "anglo" names. I recommend looking at tools that create fuzzy variations. I have seen MANY fuzzes of big non-spear phish targets (e.g. "paypa1" "paypa"), and have been adding them as they occur. I plan to add a fuzzy algorithm during my next dev cycle.

4. As John Wilcock mentions, fuzzy domains are an issue. If you're a target, it's worth generating a list of most likely variations, then score/block the un-registered ones, and make an informed decision on the rest.

5. I STRONGLY recommend scoring all "ACE prefix" domains, to reduce/eliminate all the subtle and/or invisible variations. We've been doing that for two years, and so far have had zero "skip" domain requests. Note that all our domains are "Western" centric, though we have a few accounts who do have regular contact with Unicode-type nations. You all know your own email ecologies. :)

+1 to all the sensible remarks about good authorization policies. The best defense has as many layers as practical. :)

- "Chip"
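An added example, not code from the thread or from any poster, of the post-SA style check Chip describes above: normalize the From: display name (drop middle initials and chaff), match it exactly or fuzzily against a table of likely-targeted people, score only when the address is not one of theirs, and additionally score ACE-prefixed ("xn--") and near-lookalike sender domains (items 2 to 5). The protected-sender table, the company domain and the sample headers are constructed placeholders, and the scores are illustrative, not SpamAssassin defaults.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed table of likely-targeted senders (hypothetical names/addresses):
# normalized display name -> set of addresses allowed to use that name.
PROTECTED = {
    "jane doe": {"jane.doe@example.com", "jdoe@example.com"},
}
COMPANY_DOMAIN = "example.com"   # hypothetical domain being impersonated
HONORIFICS = {"mr", "mrs", "ms", "dr", "prof"}


def edit_distance(a, b):
    """Levenshtein distance; used for fuzzy names and lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_realname(name):
    """Lower-case, strip punctuation, drop honorifics and single-letter chaff
    such as middle initials, and collapse whitespace before comparing."""
    name = re.sub(r"[^\w\s]", " ", name.lower())
    tokens = [t for t in name.split() if len(t) > 1 and t not in HONORIFICS]
    return " ".join(tokens)


def match_protected(norm_name):
    """Return (target, 'exact'|'fuzzy') if the display name is, or is one edit
    away from, a protected person's name; (None, None) otherwise."""
    if not norm_name:
        return None, None
    if norm_name in PROTECTED:
        return norm_name, "exact"
    for target in PROTECTED:
        if edit_distance(norm_name, target) <= 1:
            return target, "fuzzy"
    return None, None


def domain_hits(domain):
    """Score ACE-prefixed (xn--) domains and near-lookalikes of our own domain."""
    hits = []
    if not domain or domain == COMPANY_DOMAIN:
        return hits
    if any(label.startswith("xn--") for label in domain.split(".")):
        hits.append(("ACE_PREFIX_DOMAIN", 2.0))
    if edit_distance(domain, COMPANY_DOMAIN) <= 1:      # e.g. examp1e.com
        hits.append(("LOOKALIKE_DOMAIN", 3.0))
    return hits


def score_from_header(raw_from):
    """Score one raw From: header value; returns {'score': float, 'hits': [...]}."""
    realname, addr = parseaddr(raw_from)
    # RFC 2047 encoded display names (=?UTF-8?Q?...?=) are decoded first,
    # so an encoded name cannot slip past the comparison.
    realname = str(make_header(decode_header(realname)))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    hits = []
    target, kind = match_protected(normalize_realname(realname))
    if target is not None:
        if addr in PROTECTED[target]:
            hits.append(("PROTECTED_SENDER_OK", 0.0))   # name used by its owner
        elif kind == "exact":
            hits.append(("EXEC_NAME_UNKNOWN_ADDR", 5.0))
        else:
            hits.append(("EXEC_NAME_FUZZY_UNKNOWN_ADDR", 4.0))
    hits.extend(domain_hits(domain))
    return {"score": round(sum(s for _, s in hits), 1), "hits": [n for n, _ in hits]}


# Constructed sample From: headers; every address and domain is a placeholder.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',          # the real person: no score
    'Jane Doe <jane.doe@webmail.invalid>',        # right name, unknown address
    '"Jane R. Doe" <jdoe@other.invalid>',         # middle initial is chaff
    'Jane Do <x@y.invalid>',                      # fuzzed name, one edit away
    'Jane Doe <jane.doe@examp1e.com>',            # name plus lookalike domain
    'Bob Smith <bob@xn--exmple-cua.com>',         # ACE-prefixed domain only
    '=?UTF-8?Q?Jane_Doe?= <jane@evil.invalid>',   # RFC 2047 encoded name
    'Some Vendor <sales@vendor.invalid>',         # unrelated sender
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = score_from_header(raw)
        print(f"{result['score']:>4}  {', '.join(result['hits']) or '-':<40} {raw}")
```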
Re: Corpus of Spam/Ham headers(Source IP) for research
Shivram

> Though I have devised a mechanism to generate these blacklists, I am not finding a suitable evaluation metric. It would be great if somebody could give me a dataset of source IP addresses of emails received by your network which have been marked as HAM/SPAM by Spamassassin for the year 2016.

Maybe you need to be a bit more specific in what you need: when you write "source IP", do you mean the envelope? The first Received-by:, the From header?

I think people would be less concerned about privacy if all you ask is in a form:

Ham   list of ham IPs
Spam  list of spam IPs

with no name or personal data attached (the list could even be posted to pastebin through a proxy :)

Best regards,
Olivier
Re: Corpus of Spam/Ham headers(Source IP) for research
On 28 Jun 2016, at 20:33, Shivram Krishnan wrote:
> Hey Guys,
>
> I am a researcher at the University of Southern California ( https://steel.isi.edu/ ), and I have been working on making Blacklists more effective by combining different sources of Blacklists, and creating a Blacklists specific for a particular network.
>
> Though I have devised a mechanism to generate these blacklists, I am not finding a suitable evaluation metric. It would be great if somebody could give me a dataset of source IP addresses of emails received by your network which have been marked as HAM/SPAM by Spamassassin for the year 2016. I do not require the entire SPAM/HAM emails. Using this, I could evaluate the false positives/true positives of my technique.
>
> I had posted a similar question in the previous thread, but that did not get much response.
>
> Looking forward to your replies!

You may be disappointed...

It is extremely difficult to get a diverse corpus of non-bulk "Ham" for any form of research because most people consider such mail private, even when it is not very well protected in practice. I help run mail systems for a number of small and medium sized businesses, which handle thousands of pieces of one-to-one mail and about as much non-spam B2B bulk mail every day. It is functionally impossible for me to try to provide a researcher any of that due to real personal privacy and business confidentiality issues and the hard cost of the simple logistics of getting permission and gathering the mail.

Consumer ISPs would be even less able and willing than corporate mail operators, because most of them have highly impersonal relationships with their customers and have staff to users ratios that make such a project inconceivable without necessarily deceiving users: their only way would be to hide permission deep in a TOS no one reads.

The simple bottom line: Mail system operators are not able to give you the corpus you need. It's not that we wouldn't like to be able to, but we don't have it assembled because we can't ethically do so without investing huge amounts of time we do not have.

HOWEVER...

USC is in a particularly good position to be collecting such a corpus. "isi.edu" and "usc.edu" are two of the oldest domains on the Internet and unless they are very strange among such domains, they are targeted by huge streams of spam. Less noticeable: they are probably targeted by substantial streams of non-spam "oops" mail. I'd bet that Jon Postel's old address gets targeted by hundreds of innocent messages every day, along with thousands of pieces of spam. Someone could hand-classify that. You also have the advantage of being a sizable private university, so you aren't limited by some of the rules public universities have, and you could probably do more than a public school -- for example, UCLA or UCB -- could to encourage students and staff to let you do research on their Ham.

IOW: MY users would resist or refuse me handing you their private and/or confidential mail for "research" they don't care about, I can't quickly explain, and none of us is being paid to help. OTOH: YOUR institution is well-situated to generate exactly the corpus you seek.
Corpus of Spam/Ham headers(Source IP) for research
Hey Guys,

I am a researcher at the University of Southern California ( https://steel.isi.edu/ ), and I have been working on making Blacklists more effective by combining different sources of Blacklists, and creating a Blacklists specific for a particular network.

Though I have devised a mechanism to generate these blacklists, I am not finding a suitable evaluation metric. It would be great if somebody could give me a dataset of source IP addresses of emails received by your network which have been marked as HAM/SPAM by Spamassassin for the year 2016. I do not require the entire SPAM/HAM emails. Using this, I could evaluate the false positives/true positives of my technique.

I had posted a similar question in the previous thread, but that did not get much response.

Looking forward to your replies!
Re: Catching well directed spear phishing messages
David Jones wrote on 29/06/16 2:13 AM:
>> From: RW
>> That won't work in this example because nothing has actually been spoofed.
>
> Exactly. If I search the Internet for the CEO/CIO/CTO/etc of a company and send an email from my domain but make the displayed name in the visible From: be that CEO/CIO/CTO/etc's full name

Oh, that's right. I misunderstood the situation described in the initial post in this thread. SpamAssassin is not the right tool for a spear phishing attack that is a perfectly innocent email from a technical perspective: it claims nothing wrong, might have no spam signals, and relies on the recipient being technically naive and not looking behind the displayed From name.

As Dianne Skoll pointed out, the proper defense against this type of attack is to have proper financial processes in place. That can include technical measures that would require the CEO to have entered the request in a secure web form instead of by email. But even that is subject to social engineering as ultimately somebody with authority can receive a spear phishing email apparently from someone who can ask them to use that authority. The right thing to do is to actually put in place the measures that people have spent time working out over the years as "proper financial processes" to help prevent not only social engineering hacks but internal fraud and simple mistakes.

Bottom line is that the CEO should not be able to initiate a bank transfer with even a legitimate phone call to accounting and a promise to send the details "later".

Sidney
Re: Catching well directed spear phishing messages
On 28/06/2016 at 16:13, David Jones wrote:
> From: RW
> That won't work in this example because nothing has actually been spoofed.
> ...
> All it takes is a compromised account on a trusted mail server (happens all of the time) to provide a conduit for this type of phishing email. Very easy to do which is why we are going to see more and more of this.

Or, if your company is a worthwhile target, it is equally easy for the scammer to set up a lookalike domain and configure it with proper SPF, DKIM and the like. Who's going to notice that the message came from examp1e.com instead of example.com?

Theoretically, of course, custom SA rules could be written to detect such lookalikes, but even then, all it takes is for a scammer to have a slightly better imagination than the person writing the rules!

--
John
Re: Catching well directed spear phishing messages
> Am I missing something here:

Respectfully, you are.

> An email comes in from the CEO of the business - seemingly from the company, and has a Spam score of 7.5

I am talking about legit emails from trusted senders that won't hit FREEMAIL_FORGED, RBLs, DBLs or any high scoring rules so they are below the SA block threshold. This would be common from compromised accounts that the bad guy can use in a stealth manner by deleting the message in the Sent folder and quickly removing the inbound email from the reply. The average user would never notice their account is being used by a second person.

> Content analysis details: (7.5 points, 5.5 required)
>
>  pts rule name                   description
> ---- --------------------------- --------------------------------------------------
>  0.0 TVD_RCVD_SPACE_BRACKET      No description available.
>  0.1 HK_RANDOM_FROM              From username looks random
> -0.1 CUST_DNSWL_5_ORG_NT         RBL: list.dnswl.org (No Trust)
>                                  [173.201.193.64 listed in list.dnswl.org]
> -0.1 RCVD_IN_MSPIKE_H3           RBL: Good reputation (+3)
>                                  [173.201.193.64 listed in wl.mailspike.net]
>  0.0 HTML_MESSAGE                BODY: HTML included in message
>  1.5 BAYES_50                    BODY: Bayes spam probability is 40 to 60%
>                                  [score: 0.5000]
>  0.5 MIME_HTML_ONLY              BODY: Message only has text/html MIME parts
>  0.0 MIME_QP_LONG_LINE           RAW: Quoted-printable line longer than 76 chars
> -0.1 CUST_DNSWL_2_SENDERSC_LOW   RBL: score.senderscore.com (Low Trust)
>                                  [173.201.193.64 listed in score.senderscore.com]
> -0.0 RCVD_IN_MSPIKE_WL           Mailspike good senders
>  1.2 HTML_MIME_NO_HTML_TAG       HTML-only message, but there is no HTML tag
>  3.0 FREEMAIL_FORGED_REPLYTO     Freemail in Reply-To, but not From
>  0.0 T_FILL_THIS_FORM_SHORT      Fill in a short form with personal information
>  1.5 FILL_THIS_FORM_FRAUD_PHISH  Answer suspicious question(s)
>
> Content analysis details: (13.9 points, 5.5 required)
>
> How many INTERNAL EMAILS will have a score of 7.5??? Or even 3? Or 1?

You are correct. Internal emails (i.e. within Office 365 that don't get scanned) would not be scored but this scenario I am talking about is from the outside but the recipient would not notice. The average user only looks at the visible "Display Name" and never looks closely at the actual email address inside the < >.

> In fact, if it came in through the INTERNAL_NETWORK ip range then it wouldn't even be scanned (seen as trusted). So any email coming "from the CEO" that has a SPAM score is definitely dodgy!

It only takes a couple of external emails to get to the right person to get thousands of dollars wired to your account to make this worth it. Some may get blocked by Reindl Harald's super duper trained Bayesian or meta rules that he has put thousands of hours into creating with complex scripts that the rest of us don't have time to set up since mail filtering is only part of our job and we have a life outside of work.

> How hard can it be to say "if FROM = 'a company address' and a SPAM SCORE EXISTS then treat with rubber gloves.
> So ensure all company emails are put through the company email servers and set the INTERNAL_NETWORK parameters.
> What's wrong with this?

Compromised accounts and other trusted senders can get through good SA setups.

Bottom line, if the accounting department doesn't have proper procedures then they can be easily tricked into wiring money to bad guys. If they can get one person a day to wire thousands of US dollars to them, then that's a pretty nice income with very little effort once they have control of a compromised account. They don't have to blast out tons of spam like traditionally seen which gets them listed on RBLs and DBLs.
Re: Protected Sky?
On Tue, 28 Jun 2016 16:10:12 +0200 Reindl Harald wrote:
> On 28.06.2016 at 16:00, RW wrote:
>> On Mon, 27 Jun 2016 22:15:30 +0200 Reindl Harald wrote:
>>> On 27.06.2016 at 21:27, Vincent Fox wrote:
>>>> I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit?
>>>
>>> that's a bullshit RBL with large amounts of FP's
>>
>> Is that on the 127.0.0.3 response?
>
> well, i saw a few rejects from our servers (mrons using it to reject unscored) and got that confirmed from 2 other sysadmins
>
> all of the sending machines were on no other RBL and on several DNSWL
>
> DUNNO which response they got to reject, but i only took notice that this RBL exists by wrong rejections

The 127.0.0.2 response is only intended for controlling greylisting.
Re: Catching well directed spear phishing messages
Groach wrote on 28.6.2016 17:24:
> On 28/06/2016 16:13, David Jones wrote:
>> David Jones wrote on 29/06/16 12:46 AM:
>>
>> No, technology can help. The IT department sets up the mail client that the CEO uses when out of the office so that it sends mail using the company mail server with SSL/TLS and user authentication. Or it uses the company's ISP's mail server. Or send domain mail using GMail for business. There are a number of choices that are as easy for the CEO to use as any personal email method is, but will restrict email sent from the company domain to being sent through one of a known set of mail servers. Then the company's receiving mail server blocks any mail that pretends to be from a company domain sender address that was not sent through one of the known valid mail servers. That can be a local SpamAssassin rule or something run even earlier in the process.
>>
>> You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social engineering. But there is no reason the mail setup has to allow spoofed headers From the company domain.
>
> Am I missing something here:
>
> An email comes in from the CEO of the business - seemingly from the company, and has a Spam score of 7.5
>
> Content analysis details: (7.5 points, 5.5 required)
>
>  pts rule name                   description
> ---- --------------------------- --------------------------------------------------
>  0.0 TVD_RCVD_SPACE_BRACKET      No description available.
>  0.1 HK_RANDOM_FROM              From username looks random
> -0.1 CUST_DNSWL_5_ORG_NT         RBL: list.dnswl.org (No Trust)
>                                  [173.201.193.64 listed in list.dnswl.org]
> -0.1 RCVD_IN_MSPIKE_H3           RBL: Good reputation (+3)
>                                  [173.201.193.64 listed in wl.mailspike.net]
>  0.0 HTML_MESSAGE                BODY: HTML included in message
>  1.5 BAYES_50                    BODY: Bayes spam probability is 40 to 60%
>                                  [score: 0.5000]
>  0.5 MIME_HTML_ONLY              BODY: Message only has text/html MIME parts
>  0.0 MIME_QP_LONG_LINE           RAW: Quoted-printable line longer than 76 chars
> -0.1 CUST_DNSWL_2_SENDERSC_LOW   RBL: score.senderscore.com (Low Trust)
>                                  [173.201.193.64 listed in score.senderscore.com]
> -0.0 RCVD_IN_MSPIKE_WL           Mailspike good senders
>  1.2 HTML_MIME_NO_HTML_TAG       HTML-only message, but there is no HTML tag
>  3.0 FREEMAIL_FORGED_REPLYTO     Freemail in Reply-To, but not From
>  0.0 T_FILL_THIS_FORM_SHORT      Fill in a short form with personal information
>  1.5 FILL_THIS_FORM_FRAUD_PHISH  Answer suspicious question(s)
>
> Content analysis details: (13.9 points, 5.5 required)
>
> How many INTERNAL EMAILS will have a score of 7.5??? Or even 3? Or 1?
>
> In fact, if it came in through the INTERNAL_NETWORK ip range then it wouldn't even be scanned (seen as trusted). So any email coming "from the CEO" that has a SPAM score is definitely dodgy!
>
> How hard can it be to say "if FROM = 'a company address' and a SPAM SCORE EXISTS then treat with rubber gloves.
>
> So ensure all company emails are put through the company email servers and set the INTERNAL_NETWORK parameters.
>
> What's wrong with this?

Sure, but the case now is that the FROM != 'company address' as this info is not even shown to the user. What is shown is the CEO Name only. I couldn't even find a setting for this behaviour in my MUA! The FROM address can be anything, as long as the CEO's real name is there before the address part.

--
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
Re: Catching well directed spear phishing messages
On 28/06/2016 16:13, David Jones wrote:
> David Jones wrote on 29/06/16 12:46 AM:
>
> No, technology can help. The IT department sets up the mail client that the CEO uses when out of the office so that it sends mail using the company mail server with SSL/TLS and user authentication. Or it uses the company's ISP's mail server. Or send domain mail using GMail for business. There are a number of choices that are as easy for the CEO to use as any personal email method is, but will restrict email sent from the company domain to being sent through one of a known set of mail servers. Then the company's receiving mail server blocks any mail that pretends to be from a company domain sender address that was not sent through one of the known valid mail servers. That can be a local SpamAssassin rule or something run even earlier in the process.
>
> You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social engineering. But there is no reason the mail setup has to allow spoofed headers From the company domain.

Am I missing something here:

An email comes in from the CEO of the business - seemingly from the company, and has a Spam score of 7.5

Content analysis details: (7.5 points, 5.5 required)

 pts rule name                   description
---- --------------------------- --------------------------------------------------
 0.0 TVD_RCVD_SPACE_BRACKET      No description available.
 0.1 HK_RANDOM_FROM              From username looks random
-0.1 CUST_DNSWL_5_ORG_NT         RBL: list.dnswl.org (No Trust)
                                 [173.201.193.64 listed in list.dnswl.org]
-0.1 RCVD_IN_MSPIKE_H3           RBL: Good reputation (+3)
                                 [173.201.193.64 listed in wl.mailspike.net]
 0.0 HTML_MESSAGE                BODY: HTML included in message
 1.5 BAYES_50                    BODY: Bayes spam probability is 40 to 60%
                                 [score: 0.5000]
 0.5 MIME_HTML_ONLY              BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE           RAW: Quoted-printable line longer than 76 chars
-0.1 CUST_DNSWL_2_SENDERSC_LOW   RBL: score.senderscore.com (Low Trust)
                                 [173.201.193.64 listed in score.senderscore.com]
-0.0 RCVD_IN_MSPIKE_WL           Mailspike good senders
 1.2 HTML_MIME_NO_HTML_TAG       HTML-only message, but there is no HTML tag
 3.0 FREEMAIL_FORGED_REPLYTO     Freemail in Reply-To, but not From
 0.0 T_FILL_THIS_FORM_SHORT      Fill in a short form with personal information
 1.5 FILL_THIS_FORM_FRAUD_PHISH  Answer suspicious question(s)

Content analysis details: (13.9 points, 5.5 required)

How many INTERNAL EMAILS will have a score of 7.5??? Or even 3? Or 1?

In fact, if it came in through the INTERNAL_NETWORK ip range then it wouldn't even be scanned (seen as trusted). So any email coming "from the CEO" that has a SPAM score is definitely dodgy!

How hard can it be to say "if FROM = 'a company address' and a SPAM SCORE EXISTS then treat with rubber gloves.

So ensure all company emails are put through the company email servers and set the INTERNAL_NETWORK parameters.

What's wrong with this?
Re: Catching well directed spear phishing messages
About the only way to combat these sorts of things is to have proper financial processes in place. In other words, have checks to ensure that no-one can initiate a wire transfer without a vendor invoice, etc. Common sense stuff... but it's so easy to slip and you only have to slip once. :(

Regards,
Dianne.
Re: Catching well directed spear phishing messages
Reindl Harald wrote on 28.6.2016 16:56:
> On 28.06.2016 at 15:25, Jari Fredriksson wrote:
>>> Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name.
>>
>> Ah, so true
>
> you should look at that - enters my junk folder even with a whitelist_auth because of the domain-blacklist
>
> URIBL_BLACK Contains an URL listed in the URIBL blacklist
> [URIs: bitwell.biz]

I don't see that happening in my SA, nor at https://admin.uribl.com/?section=lookup;

X-Spam-Report:
 * -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, high trust
 *      [140.211.11.3 listed in list.dnswl.org]
 * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
 *      [140.211.11.3 listed in wl.mailspike.net]
 *  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 * -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 * -0.0 DKIM_VERIFIED No description available.
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
 * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
 *  0.8 KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware
 * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

--
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
Re: Catching well directed spear phishing messages
> From: RW
> Sent: Tuesday, June 28, 2016 8:50 AM
> To: users@spamassassin.apache.org
> Subject: Re: Catching well directed spear phishing messages
>
> On Wed, 29 Jun 2016 01:30:55 +1200 Sidney Markowitz wrote:
>> David Jones wrote on 29/06/16 12:46 AM:
>>> This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").
>>
>> No, technology can help. The IT department sets up the mail client that the CEO uses when out of the office so that it sends mail using the company mail server with SSL/TLS and user authentication. Or it uses the company's ISP's mail server. Or send domain mail using GMail for business. There are a number of choices that are as easy for the CEO to use as any personal email method is, but will restrict email sent from the company domain to being sent through one of a known set of mail servers. Then the company's receiving mail server blocks any mail that pretends to be from a company domain sender address that was not sent through one of the known valid mail servers. That can be a local SpamAssassin rule or something run even earlier in the process.
>>
>> You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social engineering. But there is no reason the mail setup has to allow spoofed headers From the company domain.
>
> That won't work in this example because nothing has actually been spoofed.

Exactly. If I search the Internet for the CEO/CIO/CTO/etc of a company and send an email from my domain but make the displayed name in the visible From: be that CEO/CIO/CTO/etc's full name that the recipient is used to seeing in the mail client, then I have spoofed nothing detectable in advance by SA or any mail filter technology. The sender could be anyone and as long as that sending domain is not on any DBLs and the sending IP is not on any RBLs (yet), then the email would pass through.

Envelope-from = ena.com
Header From: = ena.com
Visible/Displayed From: = "Recognized Name "

That email would pass SPF and strict DMARC (p=reject) checking. If the recipient just looked at "Recognized Name" and ignored the "ena.com", then they wire the money and don't think twice about it until they follow up with the C-level person later, who wouldn't know anything about it.

All it takes is a compromised account on a trusted mail server (happens all of the time) to provide a conduit for this type of phishing email. Very easy to do which is why we are going to see more and more of this.
Re: Catching well directed spear phishing messages
On 28.06.2016 at 16:08, Jari Fredriksson wrote:
> Reindl Harald wrote on 28.6.2016 16:56:
>> On 28.06.2016 at 15:25, Jari Fredriksson wrote:
>>>> Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name.
>>>
>>> Ah, so true
>>
>> you should look at that - enters my junk folder even with a whitelist_auth because of the domain-blacklist
>>
>> URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> [URIs: bitwell.biz]
>
> I don't see that happening in my SA, nor at https://admin.uribl.com/?section=lookup

dunno - but all your mails including my own to the list pointing it out are ending in the junk folder

X-Spam-Report: Flag: No,
 *  6.5 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: bitwell.biz]
 * -0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
 *      [140.211.11.3 listed in score.senderscore.com]
 * -0.5 CUST_DNSWL_11_ORG_HIGH RBL: list.dnswl.org (High Trust)
 *      [140.211.11.3 listed in list.dnswl.org]
 * -0.2 CUST_DNSWL_8_TL_NT RBL: dnswl-aggregate.thelounge.net (No Trust)
 *      [140.211.11.3 listed in dnswl-aggregate.thelounge.net]
 * -0.1 CUST_DNSWL_3_JEF_LOW RBL: hostkarma.junkemailfilter.com (Low Trust)
 *      [140.211.11.3 listed in hostkarma.junkemailfilter.com]
 * -0.1 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
 *      [140.211.11.3 listed in wl.mailspike.net]
 * -100 USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
 *  0.0 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
 *  0.0 CUST_SHORTCIRCUIT Skip tests based on whitelists/blacklists and local relays

Return-Path: users-return-112640-h.reindl=thelounge@spamassassin.apache.org
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Re: Protected Sky?
On 28.06.2016 at 16:00 RW wrote:
> On Mon, 27 Jun 2016 22:15:30 +0200 Reindl Harald wrote:
>> On 27.06.2016 at 21:27 Vincent Fox wrote:
>>> I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit?
>>
>> that's a bullshit RBL with large amounts of FP's
>
> Is that on the 127.0.0.3 response?

well, i saw a few rejects from our servers (morons using it to reject unscored) and got that confirmed from 2 other sysadmins

all of the sending machines were on no other RBL and on several DNSWL

DUNNO which response they got to reject, but i only took notice that this RBL exists by wrong rejections
Re: Catching well directed spear phishing messages
On Wed, 29 Jun 2016 01:30:55 +1200 Sidney Markowitz wrote:
> David Jones wrote on 29/06/16 12:46 AM:
>> This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").
>
> No, technology can help. The IT department sets up the mail client that the CEO uses when out of the office so that it sends mail using the company mail server with SSL/TLS and user authentication. Or it uses the company's ISP's mail server. Or send domain mail using GMail for business. There are a number of choices that are as easy for the CEO to use as any personal email method is, but will restrict email sent from the company domain to being sent through one of a known set of mail servers. Then the company's receiving mail server blocks any mail that pretends to be from a company domain sender address that was not sent through one of the known valid mail servers. That can be a local SpamAssassin rule or something run even earlier in the process.
>
> You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social engineering. But there is no reason the mail setup has to allow spoofed headers From the company domain.

That won't work in this example because nothing has actually been spoofed.
Re: Catching well directed spear phishing messages
Reindl Harald wrote on 28.6.2016 16:56:
> On 28.06.2016 at 15:25 Jari Fredriksson wrote:
>>> Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name.
>>
>> Ah, so true
>
> you should look at that - enters my junk folder even with a whitelist_auth because of the domain-blacklist
>
> URIBL_BLACK
> Contains an URL listed in the URIBL blacklist
> [URIs: bitwell.biz]

Thanks for the heads up!

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
Re: Protected Sky?
On Mon, 27 Jun 2016 22:15:30 +0200 Reindl Harald wrote:
> On 27.06.2016 at 21:27 Vincent Fox wrote:
>> I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit?
>
> that's a bullshit RBL with large amounts of FP's

Is that on the 127.0.0.3 response?
Re: Catching well directed spear phishing messages
On 28.06.2016 at 15:25 Jari Fredriksson wrote:
>> Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name.
>
> Ah, so true

you should look at that - enters my junk folder even with a whitelist_auth because of the domain-blacklist

URIBL_BLACK
Contains an URL listed in the URIBL blacklist
[URIs: bitwell.biz]
Re: Catching well directed spear phishing messages
On 28.06.2016 at 15:30 Sidney Markowitz wrote:
> You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social engineering. But there is no reason the mail setup has to allow spoofed headers From the company domain

if things only would be that easy

blacklist_from *@your-bank.tld
whitelist_auth *@your-bank.tld

in theory that would stop any forgery, in real life i had to revert this after a big payment service using proper SPF then sent their newsletters with an external service, envelope of the external service but From header matching the blacklist_from, preventing a hit on whitelist_auth

in fact to make such things work without breaking mailing-lists and what not else one would be required to use a dedicated subdomain for business-email which never is used outside the own network and *then* you can easily block any message with envelope or from-header touching your MX

but that would also require that the users understand "THIS address MUST NOT be used for anything other than submission mail and use THIS email address for mailing-lists and other things"

one can now come with "DKIM exists" - then look how often the DKIM check failed in the past up to become T_DKIM_INVALID as a testing rule because of too much false positives
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6462
Re: Catching well directed spear phishing messages
RW wrote on 28.6.2016 16:10:
> On Tue, 28 Jun 2016 15:52:10 +0300 Jari Fredriksson wrote:
>> David Jones wrote on 28.6.2016 15:46:
>>> One of my customers has been hit by at least one of these emails even with good RBLs in use and properly trained Bayes. The emails themselves are perfectly formed and score very low. They use an envelope-from of their own domain to pass all SPF checks but they use a visible From: of "Recognized Name ". Even DMARC checks would pass for the otherdomain.com. The issue is the finance person sees the "Recognized Name" and doesn't look closely at the otherdomain.com. This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").
>>
>> I just refuse to believe that the technology has to trust to the From:.*xxx in the smtp payload and not reject this at once. Does the customer use some dmarc-implementation in their mail chain at all?
>
> There's actually nothing to link it to the recipient's domain. The envelope address and header from domain are whatever the sender wants to use. It's all down to the displayed first name and surname which is all most email clients display.
>
> Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name.

Ah, so true.

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
Re: Catching well directed spear phishing messages
David Jones wrote on 29/06/16 12:46 AM:
> This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").

No, technology can help. The IT department sets up the mail client that the CEO uses when out of the office so that it sends mail using the company mail server with SSL/TLS and user authentication. Or it uses the company's ISP's mail server. Or send domain mail using GMail for business. There are a number of choices that are as easy for the CEO to use as any personal email method is, but will restrict email sent from the company domain to being sent through one of a known set of mail servers. Then the company's receiving mail server blocks any mail that pretends to be from a company domain sender address that was not sent through one of the known valid mail servers. That can be a local SpamAssassin rule or something run even earlier in the process.

You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social engineering. But there is no reason the mail setup has to allow spoofed headers From the company domain.

 Sidney
Re: Catching well directed spear phishing messages
On Tue, 28 Jun 2016 15:52:10 +0300 Jari Fredriksson wrote:
> David Jones wrote on 28.6.2016 15:46:
>> One of my customers has been hit by at least one of these emails even with good RBLs in use and properly trained Bayes. The emails themselves are perfectly formed and score very low. They use an envelope-from of their own domain to pass all SPF checks but they use a visible From: of "Recognized Name ". Even DMARC checks would pass for the otherdomain.com. The issue is the finance person sees the "Recognized Name" and doesn't look closely at the otherdomain.com. This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").
>
> I just refuse to believe that the technology has to trust to the From:.*xxx in the smtp payload and not reject this at once. Does the customer use some dmarc-implementation in their mail chain at all?

There's actually nothing to link it to the recipient's domain. The envelope address and header from domain are whatever the sender wants to use. It's all down to the displayed first name and surname which is all most email clients display.

Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name.
Re: Catching well directed spear phishing messages
On 28.06.2016 at 14:52 Jari Fredriksson wrote:
> I just refuse to believe that the technology has to trust to the From:.*xxx in the smtp payload and not reject this at once. Does the customer use some dmarc-implementation in their mail chain at all?

well, when none of your users are supposed to use mailing lists like this you can reject with http://www.postfix.org/header_checks.5.html and a simple regex-rule that depends on a sane setup where your MX server is *never* used to handle internal email by having a dedicated inbound and a dedicated submission server
Re: Catching well directed spear phishing messages
David Jones wrote on 28.6.2016 15:46:
>> From: Sidney Markowitz
>> Sent: Tuesday, June 28, 2016 3:15 AM
>> To: Ram; users@spamassassin.apache.org
>> Subject: Re: Catching well directed spear phishing messages
>>
>> Ram wrote on 28/06/16 7:19 PM:
>>> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>>>> Hai!
>>>>
>>>> I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved'??
>>> SPF does not fail, because they use a different envelope address.. which may pass SPF
>>> The end recipient does not check the envelope anyway
>>
>> You should have local SpamAssassin rules that do check the envelope sender. This is about official company mail from the company domain. You can require that all employees use mail clients that are properly configured by the company IT to send all official company mail. SpamAssassin can be configured with local rules that stop anything that has a company domain header sender address that does not also have a matching envelope sender address and passes SPF. There is no reason to allow the CEO to send company mail without using a proper mail server that appears on the SPF record.
>>
>> The end recipient can't be expected to check all the headers, but SpamAssassin can do that before the end recipient receives the mail.
>>
>> Sidney
>
> One of my customers has been hit by at least one of these emails even with good RBLs in use and properly trained Bayes. The emails themselves are perfectly formed and score very low. They use an envelope-from of their own domain to pass all SPF checks but they use a visible From: of "Recognized Name ". Even DMARC checks would pass for the otherdomain.com. The issue is the finance person sees the "Recognized Name" and doesn't look closely at the otherdomain.com. This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").
>
> In my instance, the finance person was told to wire thousands of dollars and the bad guy changed the banking information twice and the person still wasn't suspicious enough to stop and validate the request. The real problem is this is a very common practice for high-level people to request wire transfers for legitimate projects while out on the road so the AP dept lets down their guard.

I just refuse to believe that the technology has to trust to the From:.*xxx in the smtp payload and not reject this at once. Does the customer use some dmarc-implementation in their mail chain at all?

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
Re: Catching well directed spear phishing messages
> From: Sidney Markowitz
> Sent: Tuesday, June 28, 2016 3:15 AM
> To: Ram; users@spamassassin.apache.org
> Subject: Re: Catching well directed spear phishing messages
>
> Ram wrote on 28/06/16 7:19 PM:
>> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>>> Hai!
>>>
>>> I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved'??
>> SPF does not fail, because they use a different envelope address.. which may pass SPF
>> The end recipient does not check the envelope anyway
>
> You should have local SpamAssassin rules that do check the envelope sender. This is about official company mail from the company domain. You can require that all employees use mail clients that are properly configured by the company IT to send all official company mail. SpamAssassin can be configured with local rules that stop anything that has a company domain header sender address that does not also have a matching envelope sender address and passes SPF. There is no reason to allow the CEO to send company mail without using a proper mail server that appears on the SPF record.
>
> The end recipient can't be expected to check all the headers, but SpamAssassin can do that before the end recipient receives the mail.
>
> Sidney

One of my customers has been hit by at least one of these emails even with good RBLs in use and properly trained Bayes. The emails themselves are perfectly formed and score very low. They use an envelope-from of their own domain to pass all SPF checks but they use a visible From: of "Recognized Name ". Even DMARC checks would pass for the otherdomain.com. The issue is the finance person sees the "Recognized Name" and doesn't look closely at the otherdomain.com. This is pure social engineering that can't be stopped by technology. The AP dept has to have proper safeguards and out of band validation (i.e. phone call to the "Recognized Name").

In my instance, the finance person was told to wire thousands of dollars and the bad guy changed the banking information twice and the person still wasn't suspicious enough to stop and validate the request. The real problem is this is a very common practice for high-level people to request wire transfers for legitimate projects while out on the road so the AP dept lets down their guard.
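The pattern David Jones describes here and in his later message (a recognized executive's name in the From: display name, with the actual address in some other domain that authenticates fine) is invisible to SPF and DMARC, but a receiving filter can still flag it. The following is an added example, not code from the thread or from SpamAssassin; the executive names, domains and messages are constructed sample values.

```python
import email
from email.utils import parseaddr

# Constructed sample directory: display names a finance department is used
# to seeing, and the domains those people legitimately send from.
# All names and domains here are hypothetical.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}


def normalize_name(display_name):
    """Lower-case and collapse quotes/whitespace so '"Jane  Doe"' == 'jane doe'."""
    return " ".join(display_name.replace('"', " ").split()).lower()


def from_header_parts(raw_message):
    """Return (display name, address domain) from the visible From: header."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return name, domain


def executive_display_name_mismatch(raw_message):
    """True when From: shows a recognized executive's name but the address
    belongs to a domain that is not ours.  SPF/DMARC cannot see this: the
    sending domain is the sender's own and authenticates correctly, only
    the display name is borrowed.  Only the visible header is inspected,
    which is exactly what the recipient's mail client shows."""
    name, domain = from_header_parts(raw_message)
    return normalize_name(name) in EXECUTIVE_NAMES and domain not in COMPANY_DOMAINS


# Constructed sample messages; only the headers matter for this check.
PHISH = """\
From: "Jane Doe" <jane.doe@otherdomain.example>
To: ap@example.com
Subject: Urgent wire transfer

Please process this today, I am travelling and cannot take calls.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget

Attached.
"""

VENDOR = """\
From: Accounts <billing@otherdomain.example>
To: ap@example.com
Subject: Invoice 1042

See attached.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, executive_display_name_mismatch(sample))
```

The same check can be expressed in local SpamAssassin rules with From:name and From:addr header tests combined in a meta rule; the Python above only models the logic.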
Re: Catching well directed spear phishing messages
Ram wrote on 28/06/16 7:19 PM:
> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>> Hai!
>>
>> I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved'??
> SPF does not fail, because they use a different envelope address.. which may pass SPF
> The end recipient does not check the envelope anyway

You should have local SpamAssassin rules that do check the envelope sender. This is about official company mail from the company domain. You can require that all employees use mail clients that are properly configured by the company IT to send all official company mail. SpamAssassin can be configured with local rules that stop anything that has a company domain header sender address that does not also have a matching envelope sender address and passes SPF. There is no reason to allow the CEO to send company mail without using a proper mail server that appears on the SPF record.

The end recipient can't be expected to check all the headers, but SpamAssassin can do that before the end recipient receives the mail.

 Sidney
Re: Catching well directed spear phishing messages
On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
> Hai!
>
> I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved'??

SPF does not fail, because they use a different envelope address.. which may pass SPF
The end recipient does not check the envelope anyway

> Thanks,
> Raymond Dijkxhoorn
>
>> On 28 Jun 2016 at 03:27, jdeberthet wrote the following:
>>
>> On Mon, 27 Jun 2016 18:41:04 +0530 Ram wrote:
>>> I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account
>>>
>>> These messages were initially few and I ignored. But now this has become a problem.
>>> I know these are not spam messages so catching them will be out of scope for a spam filter.
>>>
>>> These messages have different envelope ids so SPF checks always pass. The header from is properly formatted exactly how it will be in a normal mail
>>>
>>> What measures do you take for such spear phishing
>>>
>>> Thanks
>>> Ram
>>
>> You're not using the proper tools. you cannot expect spamassassin to magically prevent all such messages. Just because spamassassin or any other filter passes such a message does not mean it is valid. To use spamassassin and filters to block such messages gives a false sense of security and leads to false assumptions of authenticity. Your company must enforce strict AP controls to prevent payouts based on such messages and the controls must apply to everyone, including the CEO. Those are the proper tools.
>>
>> Given that these messages are appearing more frequently, it may be that some have already been successful. I suggest you consider an AP audit to ensure that this is not the case
Re: Catching well directed spear phishing messages
Hai!

I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved'??

Thanks,
Raymond Dijkxhoorn

> On 28 Jun 2016 at 03:27, jdeberthet wrote the following:
>
> On Mon, 27 Jun 2016 18:41:04 +0530 Ram wrote:
>> I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account
>>
>> These messages were initially few and I ignored. But now this has become a problem.
>> I know these are not spam messages so catching them will be out of scope for a spam filter.
>>
>> These messages have different envelope ids so SPF checks always pass. The header from is properly formatted exactly how it will be in a normal mail
>>
>> What measures do you take for such spear phishing
>>
>> Thanks
>> Ram
>
> You're not using the proper tools. you cannot expect spamassassin to magically prevent all such messages. Just because spamassassin or any other filter passes such a message does not mean it is valid. To use spamassassin and filters to block such messages gives a false sense of security and leads to false assumptions of authenticity. Your company must enforce strict AP controls to prevent payouts based on such messages and the controls must apply to everyone, including the CEO. Those are the proper tools.
>
> Given that these messages are appearing more frequently, it may be that some have already been successful. I suggest you consider an AP audit to ensure that this is not the case