Re: help with phishing email?
> first: before you call me again a fascist just because i don't agree
> with your opinions backed by 10 years professional mailadmin better
> don't give half-thought advice!
>
> On 09.12.2017 at 03:50, Colony.three wrote:
>
>> Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions =
>> ...reject_rbl_client zen.spamhaus.org
>>
>> this is a completely wrong and dangerous

Oh? Why didn't you say anything three days ago when another member of this listserv recommended it, Harald?
Re: help with phishing email?
> Tom Hendrikx wrote on 9.12.2017 at 0.34:
>
> On 08-12-17 19:09, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>>
>> Looking at the raw headers and body it's pretty easy to tell this is a
>> spoof, but when it shows up in an inbox, it looks pretty good.
>>
>> Something specific to Amazon (where this is purported to come from)
>> would be to check if their domain is in the From and Reply-To and at
>> least score that relatively high if it's not correct - but compared to
>> what? Maybe if From text contains amazon/i and from-address does not
>> end with amazon.com (for me in the US at least)?
>>
>> That feels forced. Does anyone have any suggestions to help me out on
>> this fine Friday?
>>
>
> Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
> you can easily whitelist anything from amazon based on that, and then
> subtract some points for everything that has '\bAmazon\b' in the
> from:name header.
>
> Kind regards,
> Tom

A couple of local rules saved here:

Content analysis details:   (8.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 L_SUOMISPAMRBL         Sender is in #suomispam blocklist
                            [20160519 coinletters1.com]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust [69.252.207.24 listed in list.dnswl.org]
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=contact%40email.linushonor.co.uk;ip=69.252.207.24;r=gamecock.fredriksson.dy.fi]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 T_TVD_MIME_NO_HEADERS  BODY: No description available.
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4998]
 1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 1.0 L_FROM_NOT_REPLY       From: and Reply-To: have different domains
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
Re: help with phishing email?
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what? Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced. Does anyone have any suggestions to help me out on
> this fine Friday?
>
> Thanks,
> AJ

You shouldn't have even received that. Consider setting up your email as per this guide:

https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/

After 3 months, and two major failures setting up email (not to mention shattered self-worth), this article series is what finally got me spinning.

Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions = ...reject_rbl_client zen.spamhaus.org,
Re: help with phishing email?
On Fri, 8 Dec 2017, John Hardin wrote:

> On Fri, 8 Dec 2017, AJ Weber wrote:
>
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>
> That appears to be corrupt. I downloaded it and ran it through my
> testbed and it wouldn't decode the body.

Don't know if it was the pastebin, but the MIME headers were mangled. Fixing those (and removing the space at the beginning of the base64 lines) made it parse-able.

It's clearly misleading spam, not sure where the phish is. (but then I didn't go thru their "survey").

There's a bunch of anomalous things about that message;
  3 Message-ID: headers, one of which tries to look like from outlook.com
  2 Reply-To: headers, one of which has a clearly bogus address:
  3 Received: from relay167.mysmtp.mobi (relay167.mysmtp.mobi [93.90.117.141]) lines.
  MIME-Version: 4.0
  50 blank lines at the start of the message,
  borked HTML (mismatched tags, code after the closing , etc).

That "http://email dot turnaroundbaby dot be" site looks new & bogus, I just tossed it in my personal RBL list.

--
Dave Funk                                   University of Iowa
                                            College of Engineering
319/335-5751   FAX: 319/384-0549            1256 Seamans Center
Sys_admin/Postmaster/cell_admin             Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: help with phishing email?
On Fri, 8 Dec 2017, AJ Weber wrote:

> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg

That appears to be corrupt. I downloaded it and ran it through my testbed and it wouldn't decode the body.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves
is simple. They *must*. -- Charles Murray
---
7 days until Bill of Rights day
Re: help with phishing email?
On 08-12-17 19:09, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what? Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced. Does anyone have any suggestions to help me out on
> this fine Friday?
>

Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So you can easily whitelist anything from amazon based on that, and then subtract some points for everything that has '\bAmazon\b' in the from:name header.

Kind regards,
Tom
Re: help with phishing email?
AJ, i cannot see anything with sense... is the pastebin correct?

-PedroD
help with phishing email?
I'm trying to decide the best way to detect something like this.

https://pastebin.com/hCX9MWNg

Looking at the raw headers and body it's pretty easy to tell this is a spoof, but when it shows up in an inbox, it looks pretty good.

Something specific to Amazon (where this is purported to come from) would be to check if their domain is in the From and Reply-To and at least score that relatively high if it's not correct - but compared to what? Maybe if From text contains amazon/i and from-address does not end with amazon.com (for me in the US at least)?

That feels forced. Does anyone have any suggestions to help me out on this fine Friday?

Thanks,
AJ
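The two checks discussed in this sub-thread (AJ's "Amazon in the From text but address not under amazon.com", Tom's "whitelist authenticated Amazon mail, penalise the rest", plus the L_FROM_NOT_REPLY domain mismatch from the posted report) written out as stand-alone Python so the logic can be run against sample headers. This is an added illustration, not a SpamAssassin rule from the thread or from the list; the Amazon domain list, the rule names and point values, and the sample messages are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AMAZON_DOMAINS = ("amazon.com", "amazon.co.uk", "amazon.de")  # assumed list

def domain_of(addr):
    """Lower-cased part after '@', or '' when there is no address."""
    return addr.rpartition("@")[2].lower()

def is_amazon_domain(domain):
    """Exact match or a subdomain such as bounces.amazon.com."""
    return any(domain == d or domain.endswith("." + d) for d in AMAZON_DOMAINS)

def authenticated(msg):
    """dkim=pass or spf=pass in Authentication-Results; in production only
    trust a header that your own MTA added, never one the sender supplied."""
    return any(re.search(r"\b(?:dkim|spf)=pass\b", ar, re.I)
               for ar in msg.get_all("Authentication-Results", []))

def score(raw):
    """Return (total, [(rule, points), ...]) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    hits = []
    # Anything that claims to be Amazon, by display name or by address ...
    if re.search(r"\bAmazon\b", name, re.I) or is_amazon_domain(from_dom):
        if is_amazon_domain(from_dom) and authenticated(msg):
            hits.append(("L_AMAZON_AUTH", -5.0))        # genuine: whitelist
        else:
            hits.append(("L_AMAZON_FROM_SPOOF", 3.0))   # brand without proof
    # ... and any Reply-To (there may be several) pointing at another domain.
    for hdr in msg.get_all("Reply-To", []):
        if domain_of(parseaddr(hdr)[1]) != from_dom:
            hits.append(("L_FROM_NOT_REPLY", 1.0))
            break
    return sum(p for _, p in hits), hits

# Constructed sample messages; not taken from the thread's pastebin.
SPOOF = """From: "Amazon.com" <contact@mailer.example.net>
Reply-To: survey@rewards.example
Subject: Your Amazon reward

"""
GENUINE = """From: "Amazon.com" <ship-confirm@amazon.com>
Authentication-Results: mx.example.org; dkim=pass header.d=amazon.com
Subject: Your order has shipped

"""
```

`score(SPOOF)` yields 4.0 points from the spoof and Reply-To rules, while `score(GENUINE)` yields -5.0 from the whitelist; a message from amazon.com without a passing authentication result still collects the 3.0 spoof points, which is the point of Tom's ordering.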
Re: Mailsploit and RFC1342 and spoofed From
On 12/07/2017 06:47 PM, Kevin A. McGrail wrote:
> On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
>> On 12/08/17 00:59, Kevin A. McGrail wrote:
>>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>>> unfortunately I cannot use KAM.cf out of the box because some scores
>>>> are completely wrong in my environment (working with strange tld,
>>>> chinese people, medical terms that are sometimes abused, ...), so I
>>>> have to download the file every now and then and "fix it".
>>> If you use a file that is named alphabetically to load after KAM.cf,
>>> you can just change scores there and it will be maintained from
>>> download to download.
>> Unfortunately I cannot know how new added rules will affect my
>> environment, there are also some idn rules that break my Puppet
>> instance but that's another story.
> Agreed. But how would you know if they are added to sa-update natively?

A very simple, short script could grep out the scores from KAM.cf, diff them from the last run and send him an email when something changes. Cron it for once every morning and voila!

--
David Jones
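The "grep the scores, diff against the last run" idea above, worked out as a small Python script that can be dropped into a daily cron job. This is an added example, not a script from the thread or from the KAM.cf project; the two snapshots and their rule names are constructed for the example, and sending the mail is left to whatever the cron job pipes `report()` into.

```python
import re

# A 'score RULE n' or 'score RULE n n n n' line, anchored so that lines
# commented out with '#' never match.
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")

def parse_scores(text):
    """Map rule name -> normalised score string for every score line."""
    scores = {}
    for line in text.splitlines():
        m = SCORE_LINE.match(line.split("#", 1)[0])   # drop trailing comments
        if m:
            scores[m.group(1)] = " ".join(m.group(2).split())
    return scores

def diff_scores(old, new):
    """Rules added, removed, or re-scored between two snapshots."""
    return {
        "added": {r: s for r, s in new.items() if r not in old},
        "removed": {r: s for r, s in old.items() if r not in new},
        "changed": {r: (old[r], new[r])
                    for r in old.keys() & new.keys() if old[r] != new[r]},
    }

def report(diff):
    """Text to mail out; empty when nothing changed, so cron can stay quiet."""
    lines = [f"+ {r} {s}" for r, s in sorted(diff["added"].items())]
    lines += [f"- {r} {s}" for r, s in sorted(diff["removed"].items())]
    lines += [f"~ {r} {o} -> {n}" for r, (o, n) in sorted(diff["changed"].items())]
    return "\n".join(lines)

# Constructed snapshots standing in for yesterday's and today's KAM.cf;
# the rule names are made up for this example.
OLD = """score KAM_SAMPLE_A 1.0
score KAM_SAMPLE_B 2.5
# score KAM_SAMPLE_RETIRED 9.0
"""
NEW = """score KAM_SAMPLE_A  1.5   # bumped
score KAM_SAMPLE_B 2.5
score KAM_SAMPLE_C 0.01 0.01 0.01 0.01
"""
```

In the real job, read `OLD` from the copy saved by the previous run and `NEW` from the freshly downloaded file, then overwrite the saved copy once the report has gone out.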
Re: Mailsploit and RFC1342 and spoofed From
On 12/8/2017 3:25 AM, Giovanni Bechis wrote:
> Unfortunately I cannot know how new added rules will affect my
> environment, there are also some idn rules that break my Puppet
> instance but that's another story.
>> Agreed. But how would you know if they are added to sa-update
>> natively?
> Rules that come through sa-update do not have too high scores, are
> discussed on ml and svn is my friend as a last resort.

Fair enough. I don't have a solution for you.
Re: Mailsploit and RFC1342 and spoofed From
On 8 December 2017 01:47:47 CET, "Kevin A. McGrail" wrote:
>On 12/7/2017 7:02 PM, Giovanni Bechis wrote:
>> On 12/08/17 00:59, Kevin A. McGrail wrote:
>>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote:
>>>> unfortunately I cannot use KAM.cf out of the box because some
>>>> scores are completely wrong in my environment (working with strange
>>>> tld, chinese people, medical terms that are sometimes abused, ...), so
>>>> I have to download the file every now and then and "fix it".
>>> If you use a file that is named alphabetically to load after KAM.cf,
>>> you can just change scores there and it will be maintained from
>>> download to download.
>>>
>> Unfortunately I cannot know how new added rules will affect my
>> environment,
>> there are also some idn rules that break my Puppet instance but
>> that's another story.
>Agreed. But how would you know if they are added to sa-update
>natively?

Rules that come through sa-update do not have too high scores, are discussed on ml and svn is my friend as a last resort.

Giovanni