Re: help with phishing email?

2017-12-08 Thread Colony.three
> first: before you call me again a fascist just because I don't agree
> with your opinions backed by 10 years as a professional mail admin, better
> don't give half-thought advice!
>
> On 09.12.2017 at 03:50, Colony.three wrote:
>
>> Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions =
>> ...reject_rbl_client zen.spamhaus.org
>>
> this is completely wrong and dangerous

Oh?  Why didn't you say anything three days ago when another member of this 
listserv recommended it, Harald?

Re: help with phishing email?

2017-12-08 Thread Jari Fredriksson


> Tom Hendrikx wrote on 9.12.2017 at 0.34:
> 
> On 08-12-17 19:09, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>> 
>> https://pastebin.com/hCX9MWNg
>> 
>> Looking at the raw headers and body it's pretty easy to tell this is a
>> spoof, but when it shows-up in an inbox, it looks pretty good.
>> 
>> Something specific to Amazon (where this is purported to come from)
>> would be to check if their domain is in the From and Reply-To and at
>> least score that relatively high if it's not correct - but compared to
>> what?  Maybe if From text contains amazon/i and from-address does not
>> end with amazon.com (for me in the US at least)?
>> 
>> That feels forced.  Does anyone have any suggestions to help me out on
>> this fine Friday?
>> 
> 
> Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
> you can easily whitelist anything from amazon based on that, and then
> subtract some points for everything that has '\bAmazon\b' in the
> From:name header.
> 
> Kind regards,
>   Tom

A couple of local rules saved here:

Content analysis details:   (8.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 L_SUOMISPAM            RBL: Sender is in #suomispam blocklist
                            [20160519 coinletters1.com]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [69.252.207.24 listed in list.dnswl.org]
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/Why?s=mfrom;id=contact%40email.linushonor.co.uk;ip=69.252.207.24;r=gamecock.fredriksson.dy.fi]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 T_TVD_MIME_NO_HEADERS  BODY: No description available.
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4998]
 1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 1.0 L_FROM_NOT_REPLY       From: and Reply-To: have different domains
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS


Re: help with phishing email?

2017-12-08 Thread Colony.three
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows-up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what?  Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced.  Does anyone have any suggestions to help me out on
> this fine Friday?
>
> Thanks,
> AJ

You shouldn't have even received that.  Consider setting up your email as per 
this guide:  
https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/

After 3 months, and two major failures setting up email (not to mention 
shattered self-worth), this article series is what finally got me spinning.

Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions = 
...reject_rbl_client zen.spamhaus.org,

Re: help with phishing email?

2017-12-08 Thread David B Funk

On Fri, 8 Dec 2017, John Hardin wrote:

> On Fri, 8 Dec 2017, AJ Weber wrote:
>
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>
> That appears to be corrupt. I downloaded it and ran it through my testbed and
> it wouldn't decode the body.


Don't know if it was the pastebin, but the MIME headers were mangled.
Fixing those (and removing the space at the beginning of the base64 lines) made 
it parse-able.


It's clearly misleading spam, not sure where the phish is. (but then I didn't go 
thru their "survey").


There's a bunch of anomalous things about that message:

 3 Message-ID: headers, one of which tries to look like from outlook.com
 2 Reply-To: headers, one of which has a clearly bogus address: 
 3 Received: from relay167.mysmtp.mobi (relay167.mysmtp.mobi [93.90.117.141])
lines.

 MIME-Version: 4.0

50 blank lines at the start of the message, borked HTML (mismatched  
tags, code after the closing , etc).


That "http://email dot turnaroundbaby dot be" site looks new & bogus, I just 
tossed it in my personal RBL list.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: help with phishing email?

2017-12-08 Thread John Hardin

On Fri, 8 Dec 2017, AJ Weber wrote:

> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg

That appears to be corrupt. I downloaded it and ran it through my testbed 
and it wouldn't decode the body.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 7 days until Bill of Rights day


Re: help with phishing email?

2017-12-08 Thread Tom Hendrikx
On 08-12-17 19:09, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
> 
> https://pastebin.com/hCX9MWNg
> 
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows-up in an inbox, it looks pretty good.
> 
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what?  Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
> 
> That feels forced.  Does anyone have any suggestions to help me out on
> this fine Friday?
> 

Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
you can easily whitelist anything from amazon based on that, and then
subtract some points for everything that has '\bAmazon\b' in the
From:name header.

Kind regards,
Tom



Re: help with phishing email?

2017-12-08 Thread Pedro David Marco
AJ,
I cannot see anything with sense... is the pastebin correct?
-PedroD


help with phishing email?

2017-12-08 Thread AJ Weber

I'm trying to decide the best way to detect something like this.

https://pastebin.com/hCX9MWNg

Looking at the raw headers and body it's pretty easy to tell this is a 
spoof, but when it shows-up in an inbox, it looks pretty good.


Something specific to Amazon (where this is purported to come from) 
would be to check if their domain is in the From and Reply-To and at 
least score that relatively high if it's not correct - but compared to 
what?  Maybe if From text contains amazon/i and from-address does not 
end with amazon.com (for me in the US at least)?


That feels forced.  Does anyone have any suggestions to help me out on 
this fine Friday?


Thanks,

AJ
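The three ideas in this thread (Tom's "trust Amazon only on a verified DKIM signature", AJ's "Amazon in the From name but not an amazon.com address", and Jari's L_FROM_NOT_REPLY) written out as local SpamAssassin rules. This is an added example, not code from any of the posts; the rule names, scores and the amazon.com pattern are my own assumptions.

```spamassassin
# Added example: local SpamAssassin rules, not from anyone's post on this
# thread. Rule names, scores and the amazon.com pattern are assumptions;
# put them in a local .cf and run "spamassassin --lint" afterwards.

# (1) Tom's point: genuine Amazon mail carries a DKIM signature for its own
# domain, so only a verified signature earns trust. Needs the DKIM plugin
# (loadplugin Mail::SpamAssassin::Plugin::DKIM) and working DNS;
# SpamAssassin 4.x spells this directive welcomelist_from_dkim.
whitelist_from_dkim *@amazon.com

# (2) AJ's check: the display name claims Amazon but the address is not under
# amazon.com. From:name needs a release that supports that selector
# (3.4.1 and later). Add other Amazon TLDs to the pattern for non-US mail.
header   __L_FROM_NAME_AMAZON   From:name =~ /\bAmazon\b/i
header   __L_FROM_ADDR_AMAZON   From:addr =~ /\@(?:[a-z0-9-]+\.)*amazon\.com$/i
meta     L_AMAZON_NAME_SPOOF    __L_FROM_NAME_AMAZON && !__L_FROM_ADDR_AMAZON
describe L_AMAZON_NAME_SPOOF    From: display name says Amazon, address is not amazon.com
score    L_AMAZON_NAME_SPOOF    3.0

# (3) Jari's L_FROM_NOT_REPLY idea, narrowed to this case: an "Amazon" sender
# whose Reply-To: points outside amazon.com. The exists: subrule keeps the
# meta quiet when there is no Reply-To: header at all.
header   __L_HAS_REPLYTO        exists:Reply-To
header   __L_REPLYTO_NOT_AMAZON Reply-To:addr !~ /\@(?:[a-z0-9-]+\.)*amazon\.com$/i
meta     L_AMAZON_REPLYTO_ELSEWHERE __L_FROM_NAME_AMAZON && __L_HAS_REPLYTO && __L_REPLYTO_NOT_AMAZON
describe L_AMAZON_REPLYTO_ELSEWHERE Sender claims Amazon but Reply-To: is another domain
score    L_AMAZON_REPLYTO_ELSEWHERE 2.0
```

A message that really comes from Amazon and verifies under whitelist_from_dkim never reaches a positive total, so the two penalty rules only bite on mail that fails the signature check.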




Re: Mailsploit and RFC1342 and spoofed From

2017-12-08 Thread David Jones

On 12/07/2017 06:47 PM, Kevin A. McGrail wrote:
> On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
>> On 12/08/17 00:59, Kevin A. McGrail wrote:
>>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>>> unfortunately I cannot use KAM.cf out of the box because some scores
>>>> are completely wrong in my environment (working with strange tld,
>>>> Chinese people, medical terms that are sometimes abused, ...), so I
>>>> have to download the file every now and then and "fix it".
>>> If you use a file that is named alphabetically to load after KAM.cf,
>>> you can just change scores there and it will be maintained from
>>> download to download.
>>
>> Unfortunately I cannot know how new added rules will affect my
>> environment,
>> there are also some idn rules that break my Puppet instance but
>> that's another story.
> Agreed.  But how would you know if they are added to sa-update natively?

A very simple, short script could grep out the scores from KAM.cf, diff 
them from the last run and send him an email when something changes. 
Cron it for once every morning and voilà!


--
David Jones
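The score watch David sketches, as an added example that is not his script: pull the score lines out of the downloaded KAM.cf, diff them against the snapshot from the previous run, and mail the diff when they differ. The file locations, the state directory and the use of mail(1) are assumptions.

```sh
#!/bin/sh
# Added example, not a script from the thread. Paths and the notification
# address are assumptions; override them in the environment.
KAM_CF="${KAM_CF:-/etc/mail/spamassassin/KAM.cf}"
STATE_DIR="${STATE_DIR:-/var/lib/kam-score-watch}"
NOTIFY_TO="${NOTIFY_TO:-postmaster}"

# Print the score lines of a rules file as "RULE scores", sorted, ignoring
# commented-out lines. Handles both the one-score and the four-score form.
extract_scores() {
    sed -n 's/^[[:space:]]*score[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]\{1,\}\(.*\)$/\1 \2/p' "$1" | sort
}

# check_scores FILE STATE_DIR
# Returns 0 when the scores are unchanged since the last run (or on the very
# first run, which only records a baseline), 1 when they changed; the unified
# diff is left in STATE_DIR/changes.diff and the baseline is advanced.
check_scores() {
    f="$1"; state="$2"
    mkdir -p "$state"
    extract_scores "$f" > "$state/current.txt"
    if [ ! -f "$state/previous.txt" ]; then
        mv "$state/current.txt" "$state/previous.txt"
        return 0
    fi
    if diff -u "$state/previous.txt" "$state/current.txt" > "$state/changes.diff"; then
        rm -f "$state/changes.diff" "$state/current.txt"
        return 0
    fi
    mv "$state/current.txt" "$state/previous.txt"
    return 1
}

# Cron entry to run after the daily KAM.cf download, e.g.
#   15 6 * * * . /usr/local/sbin/kam-score-watch.sh && notify_if_changed
notify_if_changed() {
    if ! check_scores "$KAM_CF" "$STATE_DIR"; then
        mail -s "KAM.cf score changes on $(hostname)" "$NOTIFY_TO" < "$STATE_DIR/changes.diff"
    fi
}
```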


Re: Mailsploit and RFC1342 and spoofed From

2017-12-08 Thread Kevin A. McGrail

On 12/8/2017 3:25 AM, Giovanni Bechis wrote:
>>> Unfortunately I cannot know how new added rules will affect my
>>> environment,
>>> there are also some idn rules that break my Puppet instance but
>>> that's another story.
>> Agreed.  But how would you know if they are added to sa-update
>> natively?
> Rules that come through sa-update do not have too high scores, are
> discussed on ml and svn is my friend as a last resort.


Fair enough.  I don't have a solution for you.



Re: Mailsploit and RFC1342 and spoofed From

2017-12-08 Thread Giovanni Bechis
On 8 December 2017 01:47:47 CET, "Kevin A. McGrail" wrote:
> On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
>> On 12/08/17 00:59, Kevin A. McGrail wrote:
>>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>>> unfortunately I cannot use KAM.cf out of the box because some
>>>> scores are completely wrong in my environment (working with strange
>>>> tld, Chinese people, medical terms that are sometimes abused, ...), so
>>>> I have to download the file every now and then and "fix it".
>>> If you use a file that is named alphabetically to load after KAM.cf,
>>> you can just change scores there and it will be maintained from
>>> download to download.
>>>
>> Unfortunately I cannot know how new added rules will affect my
>> environment,
>> there are also some idn rules that break my Puppet instance but
>> that's another story.
> Agreed.  But how would you know if they are added to sa-update
> natively?

Rules that come through sa-update do not have too high scores, are 
discussed on ml and svn is my friend as a last resort.
   Giovanni