Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
The new rule "From:name domain mismatches From:addr domain" catches the given 
spample.

Sent from ProtonMail Mobile

On Wed, Oct 25, 2017 at 6:00 PM, Alex  wrote:

> On Tue, Oct 24, 2017 at 2:49 PM, David Jones wrote:
> > On 10/24/2017 01:32 PM, Alex wrote:
> >>
> >> Hi all, I'm wondering if someone has some ideas to handle bank fraud
> >> phishing emails, and in particular this one:
> >>
> >> https://pastebin.com/wxFtKK16
> >>
> >> It doesn't hit bayes99 because we haven't seen one before, and txrep
> >> subtracts points. It also doesn't hit any blacklists.
> >>
> >> Ideas for blocking these, and more general advice for blocking banking
> >> fraud/phish attacks would be appreciated.
> >>
> >
> > Zero-hour phishing emails from Office 365 are going to be tough to block.
> > About all you can do is add a blacklist_from *@mybenefitswallet.com entry
> > and report it to SpamCop and ph...@office365.microsoft.com.
>
> Is the only way to submit to spamcop to use their custom email address
> assigned to the account, or is there some command-line way to do it?
>
> We're still seeing tons of those "payment enclosed" emails with the short
> body and compromised URLs that automatically download a docx. I'd like to
> report the spam, but really would like to see the URLs blacklisted, and at
> the time I receive them, they are not.
>
> Ideally I'd like something where I can pass an email as a filename as an
> argument to a shell script. If submitting to spamcop by email is the only
> way, what is the format? As an attachment? In-line? Does anyone have a
> command-line shell script that can be used to send this email?

Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
> The DMARC standard says that EITHER (only takes one) SPF must pass and
> align with the envelope-from domain OR DKIM must pass and align with the
> From: header domain.

The relevant DNS R allows requiring both SPF and DKIM must pass, which is what 
we do in our own setup. When checking for SPAM we apply the same policy to 
others, regardless of their DNS.

We are very strict, above and beyond the standards. Our general policy is: 
better safe than sorry.

Sent from ProtonMail Mobile

On Wed, Oct 25, 2017 at 5:30 PM, David Jones  wrote:

> On 10/25/2017 09:39 AM, Rupert Gallagher wrote:
> >  Original Message 
> > Subject: Re: Bank fraud phish
> > Local Time: 25 October 2017 4:18 PM
> > UTC Time: 25 October 2017 14:18
> > From: rwmailli...@googlemail.com
> > To: users@spamassassin.apache.org
> >
> > On Wed, 25 Oct 2017 09:16:50 -0400
> > Rupert Gallagher wrote:
> >
> >> The e-mail is still flagged as SPAM here.
> >>
> >> - DMARC fails, because it passes DKIM, but fails SPF.
> >>
> >> This is wrong in every detail.
> >>
> >> It can't fail or pass DMARC because the domain welchtitles.com doesn't
> >> have a DMARC record.
> >>
> >> If it did have a record it would pass DMARC because it doesn't have an
> >> aligned DKIM pass, but does have an aligned SPF pass.
> >
> > We run DMARC compliance tests even if the sending domain does not adopt
> > the standard.
>
> That is not practical across the board and not wise. Spammers can setup
> SPF and DKIM alignment plus a DMARC record to make it perfect. You may
> decide to whitelist_auth trusted good senders or subtract points but you
> can't add points when the opposite is true unless you have manually verified
> the sender is a spammer and created a blacklist_from entry for that domain.
>
> The DMARC standard says that EITHER (only takes one) SPF must pass and align
> with the envelope-from domain OR DKIM must pass and align with the From:
> header domain. DMARC doesn't require both to pass and align but it's best
> when it does.
>
> https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
>
> The only valid way to do DMARC checks with SpamAssassin today is to run
> something like OpenDMARC on your milter and check headers with custom local
> SA rules. That is what I do.
>
> As a sender, it takes a lot of work to get DMARC passing so you can't assume
> that every sender is ready for DMARC checks and they just forgot to setup
> their _dmarc TXT record. This may work locally in a small environment but it
> won't scale out with larger environments without a lot of false positives.
>
> > Concerning SPF, the domain is *now* listing outlook.com as permitted
> > sender. The original header includes evidence of the change:
> >
> > > Received-SPF: None (protection.outlook.com: welchtitles.com does not
> > > designate permitted sender hosts)
>
> --
> David Jones

Re: New rule --- From:name domain mismatches From:addr domain

2017-10-25 Thread Rupert Gallagher
Empty Message

Re: Bank fraud phish

2017-10-25 Thread Bill Cole

On 25 Oct 2017, at 12:00, Alex wrote:

> Is the only way to submit to spamcop to use their custom email address
> assigned to the account, or is there some command-line way to do it?


For all the details of various ways to send mail from the command line, 
see the man pages for mail, mailx, and/or sendmail.


or the TL;DR answer:

   mailx -s "report spam" submit.[your SC account gibberish]@spam.spamcop.net < rawspam.txt


But since this is the SpamAssassin-Users list, I assume you'd rather use 
this feature of the 'spamassassin' script (as described in the 
'spamassassin-run' man page):



   -r, --report
   Report this message as manually-verified spam.  This will submit
   the mail message read from STDIN to various spam-blocker
   databases.  Currently, these are the Distributed Checksum
   Clearinghouse "http://www.rhyolite.com/anti-spam/dcc/", Pyzor
   "http://pyzor.sourceforge.net/", Vipul's Razor
   "http://razor.sourceforge.net/", and SpamCop
   "http://www.spamcop.net/".

   If the message contains SpamAssassin markup, the markup will be
   stripped out automatically before submission.  The support modules
   for DCC, Pyzor, and Razor must be installed for spam to be
   reported to each service.  SpamCop reports will have greater
   effect if you register and set the "spamcop_to_address" option.

   The message will also be submitted to SpamAssassin's learning
   systems; currently this is the internal Bayesian statistical-filtering
   system (the BAYES rules).  (Note that if you only want to perform
   statistical learning, and do not want to report mail to third-parties,
   you should use the "sa-learn" command directly instead.)


Note that if you are paranoid and have X-Original-To, Delivered-To, or 
other headers in delivered mail that expose internal address plumbing, 
you may want to pre-process the input message to remove those.
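Alex asked for something that takes a message file as an argument, and Bill's last point is that delivery headers such as X-Original-To and Delivered-To leak internal addressing when the raw message is forwarded to a third party. The following is an added example written for this thread (it is not code from the list, from Bill, or from SpamAssassin): it strips those headers, including folded continuation lines, leaves the body byte-for-byte alone, and pipes the result to `spamassassin -r`. The header list in STRIP_HEADERS and the sample message are assumptions and constructed data respectively.

```python
"""Pre-process a raw spam message before reporting it, then hand it to
``spamassassin -r`` (or any reporter that reads the message on stdin).

Added example for this thread, not code from the list or from SpamAssassin.
SAMPLE is a constructed message; STRIP_HEADERS is an assumed list, extend it
to whatever plumbing headers your own MTA adds.
"""
import re
import subprocess
from pathlib import Path

# Header field names (lowercase) that expose internal delivery plumbing.
STRIP_HEADERS = (b"x-original-to", b"delivered-to")


def strip_plumbing_headers(raw: bytes) -> bytes:
    """Remove STRIP_HEADERS, with any folded continuation lines, from the
    top-level header block. Everything from the first blank line on (the body)
    is returned unchanged, so the reported evidence stays intact."""
    m = re.search(rb"\r?\n\r?\n", raw)           # first blank line = end of headers
    end = m.end() if m else len(raw)
    header_block, body = raw[:end], raw[end:]
    kept = []
    skipping = False
    for line in header_block.splitlines(keepends=True):
        if line[:1] in (b" ", b"\t"):            # folded continuation of previous field
            if not skipping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        skipping = name in STRIP_HEADERS
        if not skipping:
            kept.append(line)
    return b"".join(kept) + body


def report_file(path: str, reporter=("spamassassin", "-r")) -> int:
    """Strip plumbing headers from the message in `path` and feed it to the
    reporter command on stdin; returns the reporter's exit status.
    Swap `reporter` for a mailx/mutt command to submit to SpamCop by mail."""
    cleaned = strip_plumbing_headers(Path(path).read_bytes())
    return subprocess.run(list(reporter), input=cleaned).returncode


# Constructed sample (not a real message): a "payment enclosed" style lure with
# the receiving MTA's plumbing headers on top, one of them folded.
SAMPLE = (
    b"Return-Path: <bounce@sender.example>\r\n"
    b"X-Original-To: alice@corp.example\r\n"
    b"Delivered-To: alice-mailbox@mx1.corp.example\r\n"
    b"\t(via alias expansion)\r\n"
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx1.corp.example with ESMTP id ABC123\r\n"
    b"\tfor <alice@corp.example>; Wed, 25 Oct 2017 12:00:00 +0000\r\n"
    b"From: \"Payments\" <payments@sender.example>\r\n"
    b"To: alice@corp.example\r\n"
    b"Subject: Payment enclosed\r\n"
    b"\r\n"
    b"Please see attached.\r\n"
    b"Delivered-To: this line is body text and must survive\r\n"
)

if __name__ == "__main__":
    import sys
    # Usage on a real file: report_file("/path/to/spam.eml")
    sys.stdout.buffer.write(strip_plumbing_headers(SAMPLE))
```

Only the header block is touched; a `Delivered-To:` string inside the body is evidence and is kept, as is the folded Received: line that documents the path the message took.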


RE: MSBL Email Blocklist (EBL) SA usage query

2017-10-25 Thread Kevin Miller
Implemented it on one of my tier 2 mx hosts.  No hits so far, but I’m not sure 
if it’s working or not.  Running spamassassin --lint returns a warning:
  root@mx2:/etc/spamassassin# spamassassin --lint
  Oct 25 09:39:35.403 [15095] warn: Use of uninitialized value in regexp 
compilation at /etc/spamassassin/HashBL.pm line 52.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: Michael Grant [mailto:michael.gr...@gmail.com]
Sent: Sunday, October 15, 2017 2:02 AM
To: SpamAssassin Users
Subject: MSBL Email Blocklist (EBL) SA usage query

Has anyone tried out the MSBL Email Blocklist (EBL) HashBL.pm with 
Spamassassin from msbl.org and possibly considered packaging 
this module (available from this page: http://msbl.org/ebl-implementation.html) 
with SpamAssassin (perhaps in a forthcoming release)?  rSpamD already has 
internal support for the EBL. So I believe the MSBL folks are for this sort of 
thing in general.

This plugin looks through the message (not just headers) for email addresses 
which have been identified as email drop boxes for scams like 419 advance fee 
fraud.  It then looks hashes of these addresses up in a blocklist.

I'm not affiliated with these folks.  I do however use this module in my setup 
and find it catches a bunch of things we wouldn't have otherwise caught.

Michael Grant


Re: Bank fraud phish

2017-10-25 Thread Larry Rosenman
On Wed, Oct 25, 2017 at 11:52:17AM -0500, David Jones wrote:
> I have a script (see below) watching a "SpamCop" folder that sends it to my
> custom SpamCop address as an attachment using mutt.  All I have to do is
> drag-n-drop into that folder and the submission is automated.  I wait a
> couple of minutes for the SpamCop submission email with its link to the
> spam report then click it to confirm the submission.
> 
> > We're still seeing tons of those "payment enclosed" emails with the
> > short body and compromised URLs that automatically download a docx.
> > I'd like to report the spam, but really would like to see the URLs
> > blacklisted, and at the time I receive them, they are not.
> > 
> 
> Spammers tend to batch these up and blast them out in waves so they can get
> maximum usage for each compromised web server.  They only get a few hours or
> so before that URL is blocked or taken down (hopefully) so again these
> zero-hour spam are going to be hard to block.  We still need to report them.
> The feedback does help.
> 
> Coincidentally, I am seeing a ton of new spam today from compromised
> accounts all around the Internet.  The subjects have "from" or "to" and the
> recipients name along with a URL containing the recipients name. Many are
> abusing .webcam URLs so the bad guys must have found new exploits of webcams
> and have saved up a bunch of compromised accounts to burn through today.
> 
> > Ideally I'd like something where I can pass an email as a filename as
> > an argument to a shell script. If submitting to spamcop by email is
> > the only way, what is the format? As an attachment? In-line? Does
> > anyone have a command-line shell script that can be used to send this
> > email?
> > 
> 
> If you have access to the filesystem and cron on your mail server then you
> can run something simple like this directly on your mail server:
> 
> cd /var/vmail/vmail1/.../Maildir/.Spamcop/new
> mv * ../cur
> cd ../cur
> 
> for FILE in *; do
>   echo "Spam attached." | mutt -e 'my_hdr From:some...@example.com' \
>     -a "$FILE" -s "Spam Submission" -- submit.special.addr...@spam.spamcop.net
>   sleep 9
> done
> 
> I have an iRedMail Dovecot spamtrap server that stores the emails in maildir
> format where I can run this from cron every 5 minutes.  I am also able to
> release emails from my MailScanner servers to this spamtrap mailbox
> retaining the original headers.
> 
> If you don't have direct access to your server and it's a remote POP or
> IMAP, collect the spam via fetchmail or something to get it into a local
> folder then use mutt to send it as an attachment.
> 
> -- 
> David Jones

You might also be able to set up something using imapsieve to do the same thing
as the mail gets copied to that folder.  I have my SpamAssassin getting trained
for messages in and out of my spam folder.


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106




Re: Bank fraud phish

2017-10-25 Thread David Jones

On 10/25/2017 11:00 AM, Alex wrote:
> On Tue, Oct 24, 2017 at 2:49 PM, David Jones  wrote:
>> On 10/24/2017 01:32 PM, Alex wrote:
>>>
>>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>>> phishing emails, and in particular this one:
>>>
>>> https://pastebin.com/wxFtKK16
>>>
>>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>>> subtracts points. It also doesn't hit any blacklists.
>>>
>>> Ideas for blocking these, and more general advice for blocking banking
>>> fraud/phish attacks would be appreciated.
>>>
>>
>> Zero-hour phishing emails from Office 365 are going to be tough to block.
>> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
>> and report it to SpamCop and ph...@office365.microsoft.com.
>
> Is the only way to submit to spamcop to use their custom email address
> assigned to the account, or is there some command-line way to do it?

I have a script (see below) watching a "SpamCop" folder that sends it to 
my custom SpamCop address as an attachment using mutt.  All I have to do 
is drag-n-drop into that folder and the submission is automated.  I wait 
a couple of minutes for the SpamCop submission email with its link to 
the spam report then click it to confirm the submission.

> We're still seeing tons of those "payment enclosed" emails with the
> short body and compromised URLs that automatically download a docx.
> I'd like to report the spam, but really would like to see the URLs
> blacklisted, and at the time I receive them, they are not.

Spammers tend to batch these up and blast them out in waves so they can 
get maximum usage for each compromised web server.  They only get a few 
hours or so before that URL is blocked or taken down (hopefully) so 
again these zero-hour spam are going to be hard to block.  We still need 
to report them.  The feedback does help.

Coincidentally, I am seeing a ton of new spam today from compromised 
accounts all around the Internet.  The subjects have "from" or "to" and 
the recipient's name along with a URL containing the recipient's name. 
Many are abusing .webcam URLs so the bad guys must have found new 
exploits of webcams and have saved up a bunch of compromised accounts to 
burn through today.

> Ideally I'd like something where I can pass an email as a filename as
> an argument to a shell script. If submitting to spamcop by email is
> the only way, what is the format? As an attachment? In-line? Does
> anyone have a command-line shell script that can be used to send this
> email?

If you have access to the filesystem and cron on your mail server then 
you can run something simple like this directly on your mail server:

cd /var/vmail/vmail1/.../Maildir/.Spamcop/new
mv * ../cur
cd ../cur

for FILE in *; do
  echo "Spam attached." | mutt -e 'my_hdr From:some...@example.com' \
    -a "$FILE" -s "Spam Submission" -- submit.special.addr...@spam.spamcop.net
  sleep 9
done

I have an iRedMail Dovecot spamtrap server that stores the emails in 
maildir format where I can run this from cron every 5 minutes.  I am 
also able to release emails from my MailScanner servers to this spamtrap 
mailbox retaining the original headers.

If you don't have direct access to your server and it's a remote POP or 
IMAP, collect the spam via fetchmail or something to get it into a local 
folder then use mutt to send it as an attachment.


--
David Jones


Re: Bank fraud phish

2017-10-25 Thread Alex
On Tue, Oct 24, 2017 at 2:49 PM, David Jones  wrote:
> On 10/24/2017 01:32 PM, Alex wrote:
>>
>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>> phishing emails, and in particular this one:
>>
>> https://pastebin.com/wxFtKK16
>>
>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>> subtracts points. It also doesn't hit any blacklists.
>>
>> Ideas for blocking these, and more general advice for blocking banking
>> fraud/phish attacks would be appreciated.
>>
>
> Zero-hour phishing emails from Office 365 are going to be tough to block.
> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
> and report it to SpamCop and ph...@office365.microsoft.com.

Is the only way to submit to spamcop to use their custom email address
assigned to the account, or is there some command-line way to do it?

We're still seeing tons of those "payment enclosed" emails with the
short body and compromised URLs that automatically download a docx.
I'd like to report the spam, but really would like to see the URLs
blacklisted, and at the time I receive them, they are not.

Ideally I'd like something where I can pass an email as a filename as
an argument to a shell script. If submitting to spamcop by email is
the only way, what is the format? As an attachment? In-line? Does
anyone have a command-line shell script that can be used to send this
email?


Re: New rule --- From:name domain mismatches From:addr domain

2017-10-25 Thread Merijn van den Kroonenberg

>
> This may not be representative but I found that the rest of the FPs
> could have been avoided with
>
>   && (FREEMAIL_FROM || !DKIM_VALID_AU)
>
> the spam rarely hits DKIM_VALID_AU unless it's freemail.

Actually a decent portion of spam is sent with DKIM_VALID_AU, either from
spammer owned domains or from hacked servers. But you might not see them
in SA if they are blocked at MTA level with blacklists.

>
> One thing to watch out for is mismatches between unicode and punycode
> versions  of the same address.  The above rule only targets ascii
> domains in the display field for that reason.
>




Re: Bank fraud phish

2017-10-25 Thread RW
On Wed, 25 Oct 2017 10:39:54 -0400
Rupert Gallagher wrote:

> >  Original Message 
> > Subject: Re: Bank fraud phish
> > Local Time: 25 October 2017 4:18 PM
> > UTC Time: 25 October 2017 14:18
> > From: rwmailli...@googlemail.com
> > To: users@spamassassin.apache.org
> >
> > On Wed, 25 Oct 2017 09:16:50 -0400
> > Rupert Gallagher wrote:
> >  
> >> The e-mail is still flagged as SPAM here.
> >>
> >> - DMARC fails, because it passes DKIM, but fails SPF.
> >>
> >> This is wrong in every detail.
> >>
> >> It can't fail or pass DMARC because the domain welchtitles.com
> >> doesn't have a DMARC record.
> >>
> >> If it did have a record it would pass DMARC because it doesn't
> >> have an aligned DKIM pass, but does have an aligned SPF pass.  
> 
> We run DMARC compliance tests even if the sending domain does not
> adopt the standard. Concerning SPF, the domain is *now* listing
> outlook.com as permitted sender. The original header includes
> evidence of the change:
> 
> > Received-SPF: None (protection.outlook.com: welchtitles.com does
> > not designate permitted sender hosts  

But a few seconds later 

X-Spam-Status: No, score=0.29 tagged_above=-200 required=4.8
tests=[   ... SPF_PASS



Re: New rule --- From:name domain mismatches From:addr domain

2017-10-25 Thread RW
On Wed, 25 Oct 2017 09:26:37 -0400
Rupert Gallagher wrote:

> This is my rule for a case that has also been discussed in this list.
> I wrote it two weeks ago, and it works so far.
> 
> This part goes into your local.cf:
> 
> header   __F_DM1 eval:from_domains_mismatch()

I wrote something similar as an ordinary rule

header FROM_DISPLAYS_FAKE_ADDR From =~ /^\s*("?)\s*([\w+.-]+\@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*\1\s*<(?!\2>)/i

However, when I looked at my ham archive I found that it could be
improved a bit by checking the organizational domain rather than the
full RHS (this is easier to do in perl with tld support).

e.g. "f...@example.com 

and a little bit further by just comparing the first 3 letters of the
main domain label.

e.g. "f...@example.com 


This may not be representative but I found that the rest of the FPs
could have been avoided with 

  && (FREEMAIL_FROM || !DKIM_VALID_AU)

the spam rarely hits DKIM_VALID_AU unless it's freemail.

One thing to watch out for is mismatches between unicode and punycode
versions  of the same address.  The above rule only targets ascii
domains in the display field for that reason. 


Re: Bank fraud phish

2017-10-25 Thread David Jones

On 10/25/2017 09:39 AM, Rupert Gallagher wrote:
>  Original Message 
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 4:18 PM
> UTC Time: 25 October 2017 14:18
> From: rwmailli...@googlemail.com
> To: users@spamassassin.apache.org
>
> On Wed, 25 Oct 2017 09:16:50 -0400
> Rupert Gallagher wrote:
>
>> The e-mail is still flagged as SPAM here.
>>
>> - DMARC fails, because it passes DKIM, but fails SPF.
>>
>> This is wrong in every detail.
>>
>> It can't fail or pass DMARC because the domain welchtitles.com doesn't
>> have a DMARC record.
>>
>> If it did have a record it would pass DMARC because it doesn't have an
>> aligned DKIM pass, but does have an aligned SPF pass.
>
> We run DMARC compliance tests even if the sending domain does not adopt 
> the standard.

That is not practical across the board and not wise.  Spammers can setup 
SPF and DKIM alignment plus a DMARC record to make it perfect.  You may 
decide to whitelist_auth trusted good senders or subtract points but you 
can't add points when the opposite is true unless you have manually 
verified the sender is a spammer and created a blacklist_from entry for 
that domain.

The DMARC standard says that EITHER (only takes one) SPF must pass and 
align with the envelope-from domain OR DKIM must pass and align with the 
From: header domain.  DMARC doesn't require both to pass and align 
but it's best when it does.

https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/

The only valid way to do DMARC checks with SpamAssassin today is to run 
something like OpenDMARC on your milter and check headers with custom 
local SA rules.  That is what I do.

As a sender, it takes a lot of work to get DMARC passing so you can't 
assume that every sender is ready for DMARC checks and they just 
forgot to setup their _dmarc TXT record.  This may work locally in a 
small environment but it won't scale out with larger environments 
without a lot of false positives.

> Concerning SPF, the domain is *now* listing outlook.com as permitted 
> sender. The original header includes evidence of the change:
>
> > Received-SPF: None (protection.outlook.com: welchtitles.com does not 
> > designate permitted sender hosts)






--
David Jones
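The alignment rule David spells out (SPF pass aligned with the From: domain OR DKIM pass aligned with it, one being enough, relaxed alignment comparing organizational domains) and Rupert's stricter local policy of requiring both are easy to get wrong by hand, so here is an added example that evaluates them, written for this thread and not taken from OpenDMARC, SpamAssassin or anyone on the list. It assumes the SPF and DKIM results are already known (as a milter such as OpenDMARC would obtain them), uses a tiny assumed stand-in for a public suffix list, and all domains and results in it are constructed.

```python
"""Evaluate DMARC identifier alignment as described in this thread: a message
passes when SPF passes AND the SPF domain aligns with the From: domain, OR a
DKIM signature passes AND its d= aligns; one is enough. Relaxed alignment
(aspf=r / adkim=r, the default) compares organizational domains, strict
alignment the exact domain. Without a _dmarc record there is no verdict.

Added example written for this thread, not code from OpenDMARC or SpamAssassin.
Authentication results are assumed to be supplied by the caller; org_domain()
is a simplified stand-in for a public suffix list; all samples are constructed.
"""
from dataclasses import dataclass, field

MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}  # assumed stub


def org_domain(domain: str) -> str:
    """Organizational domain: last two labels, three for known multi-label suffixes."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a, b = identifier_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str                          # RFC5322.From domain
    spf_result: str = "none"                  # pass / fail / softfail / none ...
    spf_domain: str = ""                      # RFC5321.MailFrom domain SPF checked
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...]


def dmarc_evaluate(r: AuthResults, has_record: bool, adkim: str = "r",
                   aspf: str = "r", require_both: bool = False) -> dict:
    """Return alignment facts plus the DMARC verdict: 'none', 'pass' or 'fail'.
    require_both=True models the stricter local policy mentioned in the thread
    (SPF and DKIM must both pass and align); the standard only needs one."""
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(d, r.from_domain, adkim)
                       for res, d in r.dkim)
    if not has_record:
        verdict = "none"  # no policy published: DMARC can neither pass nor fail
    elif require_both:
        verdict = "pass" if (spf_aligned and dkim_aligned) else "fail"
    else:
        verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "dmarc": verdict}


# Constructed samples (not real data), shaped like the cases argued in the thread.
DIRECT = AuthResults("sender.example", "pass", "sender.example",
                     [("pass", "hoster.example")])      # DKIM d= is the hosting provider
VIA_LIST = AuthResults("sender.example", "pass", "lists.example",
                       [("fail", "sender.example")])    # list rewrote the message, DKIM broke
SUBDOMAIN = AuthResults("corp.example", "pass", "bounce.corp.example", [])

if __name__ == "__main__":
    for name, r in [("direct", DIRECT), ("via list", VIA_LIST), ("subdomain", SUBDOMAIN)]:
        print(name, dmarc_evaluate(r, has_record=True))
```

DIRECT is the shape RW describes: an aligned SPF pass and an unaligned DKIM pass, which is a DMARC pass if a record exists and no verdict at all if none does. VIA_LIST is Benny's mailing-list case: SPF is evaluated for the list's bounce domain, so it does not align, and the list's rewrite broke the only aligned DKIM signature.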


Re: Bank fraud phish

2017-10-25 Thread Benny Pedersen

On 25. okt. 2017 16.18.53 RW  wrote:

> If it did have a record it would pass DMARC because it doesn't have an
> aligned DKIM pass, but does have an aligned SPF pass.

SPF does not align on mailing lists, since DMARC will fail on missing DKIM


Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
>  Original Message 
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 4:18 PM
> UTC Time: 25 October 2017 14:18
> From: rwmailli...@googlemail.com
> To: users@spamassassin.apache.org
>
> On Wed, 25 Oct 2017 09:16:50 -0400
> Rupert Gallagher wrote:
>
>> The e-mail is still flagged as SPAM here.
>>
>> - DMARC fails, because it passes DKIM, but fails SPF.
>>
>> This is wrong in every detail.
>>
>> It can't fail or pass DMARC because the domain welchtitles.com doesn't
>> have a DMARC record.
>>
>> If it did have a record it would pass DMARC because it doesn't have an
>> aligned DKIM pass, but does have an aligned SPF pass.

We run DMARC compliance tests even if the sending domain does not adopt the
standard. Concerning SPF, the domain is *now* listing outlook.com as permitted
sender. The original header includes evidence of the change:

> Received-SPF: None (protection.outlook.com: welchtitles.com does not 
> designate permitted sender hosts)

Your header "To: undisclosed-recipients:;" is RFC 822 compliant

2017-10-25 Thread Rupert Gallagher
Reading RFC 822 again, I spotted the endorsement for the case at hand. 
The named header is compliant with the standard, as quoted below. 

However, the same standard does not compel a server to accept e-mail 
sent to undisclosed recipients: we are free to reject it by local policy.


 6.2.6.  MULTIPLE MAILBOXES
        [...]
    A set of individuals may wish to receive mail as a single unit
    (i.e., a distribution list). The <group> construct permits
    specification of such a list. Recipient mailboxes are specified
    within the bracketed part (":" - ";"). A copy of the transmitted
    message is to be sent to each mailbox listed. This standard does
    not permit recursive specification of groups within groups.

>    While a list must be named, it is not required that the contents
>    of the list be included. In this case, the <group> serves only as
>    an indication of group distribution and would appear in the form:
>
>    name:;

    Some mail services may provide a group-list distribution facility,
    accepting a single mailbox reference, expanding it to the full
    distribution list, and relaying the mail to the list's members.
    This standard provides no additional syntax for indicating such a
    service. Using the <group> address alternative, while listing one
    mailbox in it, can mean either that the mailbox reference will be
    expanded to a list or that there is a group with one member.

A.  EXAMPLES
A.1.5.  Address Lists

   Gourmets: Pompous Person , Childs@WGBH.Boston, 
     Galloping gour...@ant.down-Under (Australian National Television), 
     Cheapie@Discount-Liquors;, 
   Cruisers:  Port@Portugal, Jones@SEA;, 
   Another@Somewhere.SomeOrg
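Rupert's point is that `To: undisclosed-recipients:;` is valid group syntax and that rejecting it is a local-policy decision, not a compliance one. The check below is an added example written for this thread (not code from the list) that uses the standard library's RFC 5322 header parser to tell an empty named group apart from groups that actually list mailboxes, so a policy can act on the former without tripping over the latter. The messages in it are constructed; the second one is a simplified rendering of the RFC 822 A.1.5 address list quoted above, with invented example domains.

```python
"""Classify a message's To: header by group syntax, so that a local policy can
single out the 'name:;' form (a named group with no mailboxes) while leaving
groups that list real recipients alone.

Added example for this thread, not code from the list or from SpamAssassin.
The sample messages are constructed.
"""
import email
from email import policy


def recipient_groups(raw_message: str) -> list:
    """Return [(group_name_or_None, number_of_mailboxes), ...] for the To:
    header. A bare address outside any group shows up with name None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hdr = msg["To"]
    if hdr is None:
        return []
    return [(g.display_name, len(g.addresses)) for g in hdr.groups]


def only_empty_groups(raw_message: str) -> bool:
    """True when every To: entry is a named group with no mailboxes, i.e. the
    header is compliant but names nobody; a candidate for local rejection."""
    groups = recipient_groups(raw_message)
    return bool(groups) and all(name is not None and n == 0 for name, n in groups)


# Constructed samples (not real messages).
UNDISCLOSED = (
    "From: sender@example.test\n"
    "To: undisclosed-recipients:;\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
GROUPED = (  # simplified from RFC 822 A.1.5, with invented domains
    "From: sender@example.test\n"
    "To: Gourmets: Pompous Person <pompous@cordon-bleu.example>, childs@wgbh.example;,\n"
    "    Cruisers: port@portugal.example, jones@sea.example;,\n"
    "    another@somewhere.example\n"
    "Subject: dinner\n"
    "\n"
    "body\n"
)
MIXED = (  # an empty group followed by a real recipient: not rejectable on this test
    "From: sender@example.test\n"
    "To: undisclosed-recipients:;, bob@example.test\n"
    "\n"
    "body\n"
)
NO_TO = "From: sender@example.test\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for label, raw in [("undisclosed", UNDISCLOSED), ("grouped", GROUPED),
                       ("mixed", MIXED), ("no To:", NO_TO)]:
        print(label, recipient_groups(raw), only_empty_groups(raw))
```

Note that a message with no To: header at all returns an empty group list and is not flagged by this test; treat that as a separate policy question.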




Re: Bank fraud phish

2017-10-25 Thread RW
On Wed, 25 Oct 2017 09:16:50 -0400
Rupert Gallagher wrote:


> The e-mail is still flagged as SPAM here.
> - DMARC fails, because it passes DKIM, but fails SPF.

This is wrong in every detail.

It can't fail or pass DMARC because the domain welchtitles.com doesn't
have a DMARC record.  

If it did have a record it would pass DMARC because it doesn't have an
aligned DKIM pass, but does have an aligned SPF pass. 


Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
>  Original Message 
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 3:25 PM
> UTC Time: 25 October 2017 13:25
> From: h.rei...@thelounge.net
> To: users@spamassassin.apache.org, r...@protonmail.com
>
> On 25.10.2017 at 15:20, Reindl Harald wrote:
>
>> On 25.10.2017 at 15:16, Rupert Gallagher wrote:
>>
>>> MID domain does not match the FROM domain, the FROM domain does not
>>> occur among the RECEIVED domains
>>
>> WTF - both are not the slightest sign of spam
>>
>> nevermid, you are this moron changed the from name to some real name
>> because "ruga" got burned - problem is that you sound like some official
>> from protonmail
>>
>> https://mail-archives.apache.org/mod_mbox/spamassassin-users/201702.mbox/<20170208084441.016be...@hydrogen.roaringpenguin.com>

Said the silly who flames threads based upon false assumptions.

Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
>  Original Message 
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 3:20 PM
> UTC Time: 25 October 2017 13:20
> From: h.reindl@thelounge.net
> To: users@spamassassin.apache.org, r...@protonmail.com
>
> On 25.10.2017 at 15:16, Rupert Gallagher wrote:
>
>> MID domain does not match the FROM domain, the FROM domain does not
>> occur among the RECEIVED domains
>
> WTF - both are not the slightest sign of spam

They are minor signs of SPAM for us, and they get tiny zero-something points 
for it.

New rule --- From:name domain mismatches From:addr domain

2017-10-25 Thread Rupert Gallagher
This is my rule for a case that has also been discussed in this list.
I wrote it two weeks ago, and it works so far.

This part goes into your local.cf:

header     __F_DM1 eval:from_domains_mismatch()
header     __F_DM2 From:addr =~ /\@(exception1|exception2)(\.[^\.]+)?\.it/
meta       F_DM ( __F_DM1 && ! __F_DM2 )
describe   F_DM From:name domain mismatches From:addr domain
priority   F_DM -1
score      F_DM 5.0

This part goes into HeaderEval.pm:

$self->register_eval_rule("from_domains_mismatch");
...
sub from_domains_mismatch {
  my ($self, $pms) = @_;

  # Domain part of the From: address, lowercased: domains are case-insensitive,
  # so "Example.COM" and "example.com" must compare equal.
  my ($fromAddrDomain) = $pms->get('From:addr', '') =~ /\@(.+)/;
  $fromAddrDomain = defined $fromAddrDomain ? lc $fromAddrDomain : '';

  # Domain part of an address embedded in the From: display name, if any.
  # Capturing straight into a variable avoids reading a stale $1 when this
  # match fails.
  my ($fromNameDomain) = $pms->get('From:name', '') =~ /\@([^\@\"\s]+)/;
  $fromNameDomain = defined $fromNameDomain ? lc $fromNameDomain : '';

  dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");

  return 0 if $fromNameDomain eq '';               # no domain in the name: all well
  return 0 if $fromNameDomain eq $fromAddrDomain;  # they match: all well
  return 1;                                        # mismatch, possibly spam
}

Note that some legitimate e-mail providers, who send e-mail on behalf of their 
client, make the mistake of re-writing the From header, injecting their own 
address in it. The "exception1|exception2" above is meant to mitigate this case 
while they solve this problem.

R.G.
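The rule above compares the full right-hand side of the two domains; RW's reply in this thread found fewer false positives by comparing organizational domains instead, optionally only the first three letters of the main label, and warned that unicode and punycode spellings of one domain must not be treated as a mismatch. The following is an added example that puts those pieces together as a stand-alone check, written for this thread; it is not SpamAssassin code and not the rule posted by either author. Where RW's rule sidesteps the unicode problem by matching only ASCII display-name domains, this version goes further and normalizes both sides to IDNA before comparing. The public-suffix set in it is a tiny assumed stand-in for real TLD support, and every address in the usage lines is constructed.

```python
"""Flag messages whose From: display name carries an address at a different
domain than the real From: address (the F_DM / FROM_DISPLAYS_FAKE_ADDR case).

Added example written for this thread; not SpamAssassin's code nor either
author's rule. MULTI_LABEL_SUFFIXES is an assumed stand-in for a public
suffix list; all sample addresses are constructed.
"""
import re
from email.utils import parseaddr

MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}  # assumed stub

# An e-mail address inside the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"""[\w+.-]+@([^\s@"'<>,;]+)""")


def to_ascii(domain: str) -> str:
    """Lowercase and IDNA-encode, so 'bücher.example' and
    'xn--bcher-kva.example' compare equal (RW's unicode/punycode caveat)."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:          # malformed label: fall back to the raw string
        return domain


def org_domain(domain: str) -> str:
    """Organizational domain: last two labels, three for known multi-label suffixes."""
    labels = to_ascii(domain).split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def from_domains_mismatch(from_header: str, prefix_len: int = 0) -> bool:
    """True when the display name contains an address whose organizational
    domain differs from that of the From: address. With prefix_len=3 only the
    first three letters of the main label are compared (RW's looser variant)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    m = ADDR_IN_NAME.search(name)
    if not m:
        return False              # no address in the display name: all well
    name_org = org_domain(m.group(1))
    addr_org = org_domain(addr.rsplit("@", 1)[1])
    if prefix_len:
        return name_org.split(".")[0][:prefix_len] != addr_org.split(".")[0][:prefix_len]
    return name_org != addr_org


if __name__ == "__main__":
    # Constructed headers: a lure, a legitimate subdomain, an IDNA pair.
    for hdr in ('"alerts@paypal.example" <phish@mail.attacker.example>',
                '"support@mail.example.com" <noreply@example.com>',
                '"bob@bücher.example" <bob@xn--bcher-kva.example>'):
        print(from_domains_mismatch(hdr), hdr)
```

The second header is the case RW's organizational-domain comparison fixes: a full-RHS comparison would flag mail.example.com against example.com, while the organizational domains agree. Exceptions for providers that rewrite From: (the __F_DM2 whitelist above) would sit in front of this check, as in the meta rule.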

Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
I checked from the w.s. instead of the phone, and this is the response.

The MID I observed from the iPhone is actually part of a different header of 
the same e-mail. The true MID is well-formed and RFC compliant:

> Message-ID: 
> 

The e-mail is still flagged as SPAM here.
- DMARC fails, because it passes DKIM, but fails SPF.
- From:name domain mismatches From:addr domain (*)
- Two minor flags are also available and add up to the final score: the MID 
domain does not match the FROM domain, the FROM domain does not occur among the 
RECEIVED domains.

The test (*) has been discussed in this list, without solution. I wrote a rule 
two weeks ago and it proved useful a few times already, without any false 
positive or negative. I will share it in the next post.

R

Sent with [ProtonMail](https://protonmail.com) Secure Email.

>  Original Message 
> Subject: Re: Bank fraud phish
> Local Time: 25 October 2017 12:50 PM
> UTC Time: 25 October 2017 10:50
> From: mar...@clardy.eu
> To: Rupert Gallagher 
> John Hardin , SA Mailing list 
> 
>
> That isn't the Message-Id, that is the 
> X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is compliant.
>
> On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher  
> wrote:
>
>> The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach a 
>> photo of what I see.
>>
>> Sent from ProtonMail Mobile
>>
>> On Tue, Oct 24, 2017 at 10:05 PM, John Hardin  wrote:
>>
>>> On Tue, 24 Oct 2017, Rupert Gallagher wrote:
>>>> Easy one. The Message-ID is not well formed / RFC compliant. We reject
>>>> such junk upfront.
>>>
>>> How so?  That looks totally valid to me... < dot-atom-text @ dot-atom-text >
>>>
>>> The line break between the header and the ID is unusual, but not invalid.
>>> That might potentially be a usable spam sign.
>
> --
>  - Markus

Re: Bank fraud phish

2017-10-25 Thread David Jones

On 10/24/2017 07:41 PM, Alex wrote:
> On Tue, Oct 24, 2017 at 2:49 PM, David Jones  wrote:
>> On 10/24/2017 01:32 PM, Alex wrote:
>>>
>>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>>> phishing emails, and in particular this one:
>>>
>>> https://pastebin.com/wxFtKK16
>>>
>>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>>> subtracts points. It also doesn't hit any blacklists.
>>>
>>> Ideas for blocking these, and more general advice for blocking banking
>>> fraud/phish attacks would be appreciated.
>>>
>>
>> Zero-hour phishing emails from Office 365 are going to be tough to block.
>> About all you can do is add a blacklist_from *@mybenefitswallet.com entry
>> and report it to SpamCop and ph...@office365.microsoft.com.
>
> For the most part, I agree, but the client here has also contracted
> with Wombat and they managed to detect this email as "Probably Phish".
> We're missing something with spamassassin.



They could have some general rules like:

/account.{1,30}locked/i
/email.{1,50}security/i

that would flag a lot of legit emails as "Probably Phish".  If they do 
this a lot then users will ignore that flag and quickly it becomes useless.


Are they modifying the subject with "Probably Phish" to tell the users? 
It's much easier to modify the subject of false positives with a very 
low score vs. what Spamassassin has to do by accurately scoring the message.


That message did have a lot of bad English and misspellings.  Too bad we 
can't introduce AI into SA somehow in a secure way locally where no 
information was sent out to the cloud.  This would be about the only 
chance to stop zero-hour spam that has been hand crafted to pass through 
most mail filters before DCC, Razor, Bayes, RBLs, DBLs, detect and react 
to it.


--
David Jones


Re: Bank fraud phish

2017-10-25 Thread RW
On Wed, 25 Oct 2017 11:50:19 +0100
Markus Clardy wrote:

> That isn't the Message-Id, that is
> the X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is
> compliant.
> 

As is X-MS-Exchange-CrossTenant-Network-Message-Id in the original


> On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher
>  wrote:
> 
> > The raw e-mail in pastebin returns a non-well-formed Message-ID. I
> > attach a photo of what I see.
> >
> > Sent from ProtonMail Mobile
> >
> >
> > On Tue, Oct 24, 2017 at 10:05 PM, John Hardin 
> > wrote:
> >
> > On Tue, 24 Oct 2017, Rupert Gallagher wrote:
> > > Easy one. The Message-ID is not well formed / RFC compliant. We reject
> > > such junk upfront.
> >
> > How so? That looks totally valid to me...
> >
> > < dot-atom-text @ dot-atom-text >
> >
> > The line break between the header and the ID is unusual, but not invalid.
> > That might potentially be a usable spam sign.
> >
> >  
> 
> 


Re: Bank fraud phish

2017-10-25 Thread Markus Clardy
That isn't the Message-Id, that is
the X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is
compliant.

On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher 
wrote:

> The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach
> a photo of what I see.
>
> Sent from ProtonMail Mobile
>
>
> On Tue, Oct 24, 2017 at 10:05 PM, John Hardin  wrote:
>
> On Tue, 24 Oct 2017, Rupert Gallagher wrote:
>> Easy one. The Message-ID is not well formed / RFC compliant. We reject
>> such junk upfront.
>
> How so? That looks totally valid to me...
>
> < dot-atom-text @ dot-atom-text >
>
> The line break between the header and the ID is unusual, but not invalid.
> That might potentially be a usable spam sign.
>
>


-- 
 - Markus


Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach a 
photo of what I see.

Sent from ProtonMail Mobile

On Tue, Oct 24, 2017 at 10:05 PM, John Hardin  wrote:

> On Tue, 24 Oct 2017, Rupert Gallagher wrote:
>> Easy one. The Message-ID is not well formed / RFC compliant. We reject
>> such junk upfront.
>
> How so?  That looks totally valid to me...
>
> < dot-atom-text @ dot-atom-text >
>
> The line break between the header and the ID is unusual, but not invalid.
> That might potentially be a usable spam sign.
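
The disagreement above is about what a "well formed" Message-ID actually is. The check below is an added example, not code from anyone on this thread or from SpamAssassin: it unfolds the header value (RFC 5322 folding white space, i.e. a CRLF followed by a space or tab, which is what the "line break between the header and the ID" is) and then matches the msg-id grammar from RFC 5322 section 3.6.4, `"<" dot-atom-text "@" (dot-atom-text / no-fold-literal) ">"`. The sample header values are constructed for the test, not taken from the pastebin. A separate helper reports whether the ID sat on a continuation line, since that is the weak signal John suggests, distinct from non-compliance.

```python
"""Validate a raw Message-ID header value against RFC 5322 msg-id syntax.

RFC 5322 section 3.6.4:
    msg-id          = [CFWS] "<" id-left "@" id-right ">" [CFWS]
    id-left         = dot-atom-text
    id-right        = dot-atom-text / no-fold-literal
    dot-atom-text   = 1*atext *("." 1*atext)
    no-fold-literal = "[" *dtext "]"
Folding (CRLF followed by WSP) is legal anywhere CFWS is, so a value whose
first line is empty and whose ID is on the continuation line is compliant.
"""
import re

# atext from RFC 5322 section 3.2.3
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM_TEXT = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# dtext: printable US-ASCII except "[", "]" and "\"
NO_FOLD_LITERAL = r"\[[^\[\]\\\r\n]*\]"
# Only horizontal white space is allowed around the brackets once legal
# folding has been removed; any leftover line break is an illegal fold.
MSG_ID_RE = re.compile(
    rf"^[ \t]*<({DOT_ATOM_TEXT})@({DOT_ATOM_TEXT}|{NO_FOLD_LITERAL})>[ \t]*$"
)


def unfold(value: str) -> str:
    """Remove RFC 5322 folding: a CRLF (or bare LF) followed by WSP."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def parse_msg_id(value: str):
    """Return (id_left, id_right) for a well-formed msg-id, else None."""
    m = MSG_ID_RE.match(unfold(value))
    return (m.group(1), m.group(2)) if m else None


def is_well_formed(value: str) -> bool:
    return parse_msg_id(value) is not None


def is_folded(value: str) -> bool:
    """True when the header's first line is empty and the ID follows on a
    continuation line. Legal, but unusual enough to be worth a small score."""
    first_line = value.split("\n", 1)[0]
    return first_line.strip() == "" and "\n" in value


# Constructed sample values (the string after "Message-ID:"), not real mail.
SAMPLES = {
    "<abc123@mail.example.com>": True,
    "\n <CAAbCdEf12345@mail.example.com>": True,   # folded: legal
    "<abc123@[192.0.2.10]>": True,                  # no-fold-literal id-right
    "abc123@mail.example.com": False,               # no angle brackets
    "<abc 123@mail.example.com>": False,            # space is not atext
    "<abc..def@mail.example.com>": False,           # empty dot-atom element
    "<@mail.example.com>": False,                   # empty id-left
    "\n<abc123@mail.example.com>": False,           # line break without WSP
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        result = is_well_formed(value)
        flag = "ok " if result == expected else "BAD"
        print(f"{flag} well_formed={result!s:5} folded={is_folded(value)!s:5} {value!r}")
```

Rejecting outright on this check, as Rupert does, is defensible only if your MTA rejects on the unfolded value; rejecting on the raw first line would bounce every legitimately folded ID, including the one in this thread.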

Re: Bank fraud phish

2017-10-25 Thread Rupert Gallagher
We reject all e-mails with non-compliant Message-ID.

Sent from ProtonMail Mobile

On Tue, Oct 24, 2017 at 9:59 PM, David Jones  wrote:

> On 10/24/2017 02:54 PM, Rupert Gallagher wrote:
>> Easy one. The Message-ID is not well formed / RFC compliant. We reject
>> such junk upfront.
>>
>> Sent from ProtonMail Mobile
>
> Does this block all email out of Office 365 or just a subset of junk?
>
>> On Tue, Oct 24, 2017 at 8:32 PM, Alex wrote:
>>> Hi all, I'm wondering if someone has some ideas to handle bank fraud
>>> phishing emails, and in particular this one:
>>>
>>> https://pastebin.com/wxFtKK16
>>>
>>> It doesn't hit bayes99 because we haven't seen one before, and txrep
>>> subtracts points. It also doesn't hit any blacklists.
>>>
>>> Ideas for blocking these, and more general advice for blocking banking
>>> fraud/phish attacks would be appreciated.
>
> --
> David Jones

Re: Bank fraud phish

2017-10-25 Thread Pedro David Marco
Probably it would be a good idea to have a list of potential "phishing-able" 
important companies... just as there is one for freemailers..
very greedy, i know... :-)
---Pedro

Re: Bank fraud phish

2017-10-25 Thread Merijn van den Kroonenberg
> Hi all, I'm wondering if someone has some ideas to handle bank fraud
> phishing emails, and in particular this one:
>
> https://pastebin.com/wxFtKK16
>
> It doesn't hit bayes99 because we haven't seen one before, and txrep
> subtracts points. It also doesn't hit any blacklists.
>
> Ideas for blocking these, and more general advice for blocking banking
> fraud/phish attacks would be appreciated.
>

You can create custom rules for each bank used by your userbase.

Basically you give penalties for the bank name being used in the From
address. And then you undo these penalties for legitimate bank mails. This
you can do by spf/dkim whitelisting them or by checking the From:addr
domain and DKIM_VALID_AU.

Or you can do something like this:

header   __BENEFIT_FROM                 From =~ /Benefitwallet/i
describe __BENEFIT_FROM                 From name includes Benefitwallet
# Domain names are case-insensitive, so the address test must be too, or a
# legitimate "@BenefitWallet.com" sender would be scored as a fake.
header   __BENEFIT_PHISHING_BADFROMADDR From:addr !~ /benefitwallet/i
describe __BENEFIT_PHISHING_BADFROMADDR The From e-mail address does not contain benefitwallet

meta     BENEFIT_PHISHING_BADFROM       (__BENEFIT_FROM && __BENEFIT_PHISHING_BADFROMADDR)
describe BENEFIT_PHISHING_BADFROM       Fake Benefitwallet mail
score    BENEFIT_PHISHING_BADFROM       3.5

Above rule assumes the legit domain at least has benefitwallet in it.

Basically it all depends on what you know about the bank and how unique
their name is. The more unique, the easier to give penalties to its usage.
And if you can find out from what domains the bank sends legit mail, you
can do dkim whitelisting or DKIM_VALID_AU checks in your rules.
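
The same logic as the meta rule above, carried through to the "undo the penalty for legitimate bank mail" step, as an added example in Python rather than SpamAssassin rule syntax (it is not Merijn's code or anything from SpamAssassin). It penalises a From: display name that names a bank when the address domain does not, and lifts the penalty only when the address domain is one the bank is known to send from and the message carries an aligned `dkim=pass` for that domain in an Authentication-Results header stamped by our own verifier, which is roughly what `DKIM_VALID_AU` means minus the signature verification itself. The `BANKS` table, the authserv-id `mx.example.net`, and all four sample messages are constructed for the example; `mybenefitswallet.com` is the sender domain from the thread.

```python
"""Bank-name-in-From phishing check with an aligned-DKIM exemption."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical: display-name token -> domains the bank legitimately sends from.
# Populate this from what you actually observe for your user base.
BANKS = {
    "benefitwallet": {"benefitwallet.com"},
}
# Hypothetical authserv-id of our own inbound MTA (RFC 8601 section 2.2).
AUTHSERV_ID = "mx.example.net"

RULE_BADFROM = "BANK_PHISHING_BADFROM"      # name says bank, domain does not
RULE_UNVERIFIED = "BANK_FROM_UNVERIFIED"    # domain looks right, no aligned DKIM
RULE_ALIGNED = "BANK_FROM_DKIM_ALIGNED"     # known domain plus aligned dkim=pass


def addr_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def aligned_dkim_domains(msg, authserv_id: str) -> set:
    """header.d values with dkim=pass, taken only from Authentication-Results
    headers written by our own verifier. Anyone can add such a header upstream,
    so results stamped with another authserv-id are ignored."""
    doms = set()
    for ar in msg.get_all("Authentication-Results", []):
        ar = str(ar)
        if ar.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([^\s;]+)", ar, re.I):
            doms.add(m.group(1).lower())
    return doms


def classify_from(raw_message: str, authserv_id: str = AUTHSERV_ID):
    """Return (rule_name, bank_token) or (None, None) if no bank is named."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr_domain(addr)
    dkim = aligned_dkim_domains(msg, authserv_id)
    for bank, legit_domains in BANKS.items():
        if bank not in name.lower():
            continue
        if domain in legit_domains and domain in dkim:
            return RULE_ALIGNED, bank
        if bank not in domain:
            return RULE_BADFROM, bank
        return RULE_UNVERIFIED, bank
    return None, None


# Constructed samples, not real mail.
PHISH = """\
From: "BenefitWallet Security" <alerts@mybenefitswallet.com>
Subject: Your account has been locked
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mybenefitswallet.com

Please verify your account.
"""
LEGIT = """\
From: BenefitWallet <service@benefitwallet.com>
Subject: Your statement is available
Authentication-Results: mx.example.net; dkim=pass header.d=benefitwallet.com header.s=sel1

Your statement is ready.
"""
LOOKALIKE = """\
From: BenefitWallet <noreply@benefitwallet-alerts.example>
Subject: Action required

Click here.
"""
FORGED_AR = """\
From: BenefitWallet <service@benefitwallet.com>
Subject: Security notice
Authentication-Results: attacker.example; dkim=pass header.d=benefitwallet.com

Trust me.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT),
                       ("lookalike", LOOKALIKE), ("forged AR", FORGED_AR)]:
        print(f"{label:10} -> {classify_from(raw)}")
```

The forged Authentication-Results case is the reason for the authserv-id filter: if the check trusted any `dkim=pass` it found, a phisher would simply add one. In SpamAssassin the equivalent protection is that `DKIM_VALID_AU` comes from the DKIM plugin verifying the signature itself, not from a header.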