Re: sharepoint phish routed through sharepointonline/outlook

2023-01-15 Thread Benny Pedersen

Alex wrote on 2023-01-15 20:47:

Hi,

X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
 FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
 LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
 LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
 RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled

I'm reporting it to spamcop and training bayes, but does anyone have
any other ideas?

Is this just someone using their sharepoint account to send a phish?
Perhaps account takeover?

https://pastebin.com/2CJ3SLf2




Content analysis details:   (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=no-reply%40sharepointonline.com;ip=199.199.178.197;r=localhost.junc.eu]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 ARC_VALID              Message has a valid ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict Alignment
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
 0.1 DMARC_REJECT           DMARC reject policy


it gets a neutral score since it's a maillist of some kind imho?

reject it by dkim valid, one of the signers is valid, if not just arc,
if only arc is then do setup AuthRes plugin in spamassassin 4.x.x


i don't know how, but i believe spammers die slowly in 2023
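A parser for the X-Spam-Status lines quoted above, with a local verdict in the spirit of Benny's advice (valid aligned DKIM first, ARC alone handed to AuthRes), as an added example that is not part of the thread or of SpamAssassin itself. RELAYED_COPY is a header I constructed from the rule names in the "Content analysis details" report, and the policy in auth_verdict is my assumption, not SpamAssassin's logic.

```python
import math
import re

# Constructed samples, unfolded onto one line. ORIGINAL_COPY is the header Alex
# quoted; RELAYED_COPY is built from the report's rule names (no per-rule scores).
ORIGINAL_COPY = (
    "No, score=1.102 tagged_above=-200 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, "
    "DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, "
    "FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1, "
    "LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01, LOC_IMGSPAM=0.1, "
    "LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, "
    "RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01, "
    "SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled"
)
RELAYED_COPY = (
    "No, score=3.1 required=5.0 tests=SPF_FAIL,SPF_HELO_NONE,ARC_VALID,DKIM_SIGNED,"
    "ARC_SIGNED,DKIM_INVALID,KAM_DMARC_STATUS,HTML_MESSAGE,MIME_HTML_ONLY,"
    "KAM_DMARC_REJECT,DMARC_REJECT autolearn=no"
)


def parse_spam_status(value):
    """Parse an X-Spam-Status value into score, required and {rule: score or None}."""
    score = float(re.search(r"\bscore=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", value).group(1))
    # Scored form: tests=[A=1.0, B=-0.1]; unscored form: tests=A,B,C
    m = re.search(r"\btests=\[([^\]]*)\]", value) or re.search(r"\btests=(\S+)", value)
    tests = {}
    for item in m.group(1).split(","):
        name, _, sc = item.strip().partition("=")
        if name:
            tests[name] = float(sc) if sc else None
    return {"score": score, "required": required, "tests": tests}


def score_matches(parsed):
    # True when every rule carries a score and their sum equals the reported score=
    scores = list(parsed["tests"].values())
    return None not in scores and math.isclose(sum(scores), parsed["score"], abs_tol=0.001)


def auth_verdict(tests):
    """Assumed local policy: a valid aligned DKIM signature wins; ARC alone does not
    override a DMARC reject and is left for the AuthRes plugin to judge."""
    if "DMARC_PASS" in tests or "DKIM_VALID_AU" in tests:
        return "accept: aligned DKIM/DMARC pass"
    if "DKIM_VALID" in tests:
        return "accept: DKIM valid but not aligned"
    if "DMARC_REJECT" in tests or "KAM_DMARC_REJECT" in tests:
        if "ARC_VALID" in tests:
            return "arc-only: DMARC reject, only ARC valid; verify via AuthRes"
        return "reject: DMARC reject policy and no valid DKIM"
    return "none: no usable authentication result"
```

Run against the two samples, the original copy sums to the reported 1.102 and gets the aligned-DKIM verdict, while the list-relayed copy (SPF and DKIM broken in transit) falls into the ARC-only bucket.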




sharepoint phish routed through sharepointonline/outlook

2023-01-15 Thread Alex
Hi,

X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
 FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
 LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
 LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
 RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled

I'm reporting it to spamcop and training bayes, but does anyone have any
other ideas?

Is this just someone using their sharepoint account to send a phish?
Perhaps account takeover?

https://pastebin.com/2CJ3SLf2


Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Matus UHLAR - fantomas

On 1/15/2023 10:20 AM, Benny Pedersen wrote:

https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?


On 15.01.23 10:53, Kevin A. McGrail wrote:

No one, likely cares.  I don't think that machine sends email.


I get my mail from this list via that machine:

Jan 15 16:20:51 fantomas postfix/smtpd[672]: A31B2A012C: client=mxout1-he-de.apache.org[95.216.194.37]
Jan 15 16:20:51 fantomas postfix/cleanup[677]: A31B2A012C: message-id=
Jan 15 16:20:52 fantomas postfix/qmgr[3230]: A31B2A012C: from=, size=4133, nrcpt=1 (queue active)

luckily it's listed in dnswl.org:

Jan 15 16:20:44 fantomas postfix/dnsblog[666]: addr 95.216.194.37 listed by domain list.dnswl.org as 127.0.4.2

however, I use safe.dnsbl.sorbs.net and it's not included there.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are


Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Benny Pedersen

Kevin A. McGrail wrote on 2023-01-15 17:47:

That's the mail infrastructure run by infrastructure at Apache not by
the projects.  See https://infra.apache.org/


i can't confirm infra only


The mailing lists at Apache are run by Infra not the project.  If you
are having delivery issues, see that website and make sure you open a
ticket there.  Discussing it here is unlikely to get any resolution.


good

X-Spam-Status: No, score=-8.8 required=5.0 tests=AWL,DMARC_MISSING,
KAM_DMARC_STATUS,MAILING_LIST_MULTI,NICE_REPLY_A,RCVD_IN_DNSWL_HI,
RCVD_IN_HOSTKARMA_W,RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
SPF_PASS,USER_IN_DEF_SPF_WL shortcircuit=no autolearn=ham
autolearn_force=no version=4.0.0
X-Spam-AWL: AWL=-0.1 MEAN=-6.1 COUNT=8.0 PRESCORE=-6.2
X-Spam-Relay-Country: US US DE US
X-Spam-ASN: AS14618 3.224.0.0/12

i did not say i have problems not using sorbs




Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Kevin A. McGrail




That's the mail infrastructure run by infrastructure at Apache not by
the projects.  See https://infra.apache.org/


i can't confirm infra only 


The mailing lists at Apache are run by Infra not the project.  If you 
are having delivery issues, see that website and make sure you open a 
ticket there.  Discussing it here is unlikely to get any resolution.


Regards,

KAM



Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Benny Pedersen

Kevin A. McGrail wrote on 2023-01-15 16:56:

On 1/15/2023 10:53 AM, Kevin A. McGrail wrote:

On 1/15/2023 10:20 AM, Benny Pedersen wrote:

https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?

No one, likely cares.  I don't think that machine sends email.


Checking more thoroughly SpamAssassin.apache.org is on 151.101.2.132

That IP is mxout1-he-de.apache.org.

That's the mail infrastructure run by infrastructure at Apache not by
the projects.  See https://infra.apache.org/


i can't confirm infra only

324  skynet.nemocnice-vs.cz  2023-01-14 00:09:02
  | --   1  junc.eu   95.216.194.37  none  fail  fail  local_policy( arc=fail )
  | --   1  junc.eu   3.227.148.255  none  fail  fail  local_policy( arc=fail )


i have used Mail::DMARC before spamassassin supported it


Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Benny Pedersen

Kevin A. McGrail wrote on 2023-01-15 16:53:

On 1/15/2023 10:20 AM, Benny Pedersen wrote:

https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?

No one, likely cares.  I don't think that machine sends email.


or none are using sorbs

https://www.dnswl.org/s/?s=3084

i gave that ip from my Mail::DMARC logs reporting, which did dkim fail,
spf fail that normally not being dkim fail unless apache org do use
spamassassin 4 now :)






Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Kevin A. McGrail

On 1/15/2023 10:53 AM, Kevin A. McGrail wrote:

On 1/15/2023 10:20 AM, Benny Pedersen wrote:

https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?

No one, likely cares.  I don't think that machine sends email.


Checking more thoroughly SpamAssassin.apache.org is on 151.101.2.132

That IP is mxout1-he-de.apache.org.

That's the mail infrastructure run by infrastructure at Apache not by 
the projects.  See https://infra.apache.org/


Regards,

KAM

--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



RE: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Marc
> 
> https://multirbl.valli.org/lookup/95.216.194.37.html
> 
> but who cares ?

What is the problem? I am even surprised that there are so many green listings. 
I have even configured that hosts with a reverse xxx.your-server.de are not 
allowed to connect.



Re: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Kevin A. McGrail

On 1/15/2023 10:20 AM, Benny Pedersen wrote:

https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?

No one, likely cares.  I don't think that machine sends email.

--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Benny Pedersen

https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?