Re: sharepoint phish routed through sharepointonline/outlook
Alex wrote on 2023-01-15 20:47:

> Hi,
>
> X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
>  tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>  DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
>  FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
>  LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
>  LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
>  RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
>  RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
>  SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166]
>  autolearn=disabled
>
> I'm reporting it to spamcop and training bayes, but does anyone have any other ideas? Is this just someone using their sharepoint account to send a phish? Perhaps account takeover?
>
> https://pastebin.com/2CJ3SLf2

Content analysis details: (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=no-reply%40sharepointonline.com;ip=199.199.178.197;r=localhost.junc.eu]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 ARC_VALID              Message has a valid ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict Alignment
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
 0.1 DMARC_REJECT           DMARC reject policy

it gets neutral score since its maillist of some kind imho ?

reject it by dkim valid, one of the signers is valid, if not just arc, if only arc is then do setup AuthRes plugin in spamassassin 4.x.x

i don't know how, but i believe spammers die slowly in 2023
sharepoint phish routed through sharepointonline/outlook
Hi,

X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
 FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
 LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
 LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
 RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166]
 autolearn=disabled

I'm reporting it to spamcop and training bayes, but does anyone have any other ideas? Is this just someone using their sharepoint account to send a phish? Perhaps account takeover?

https://pastebin.com/2CJ3SLf2
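The score line in the post above, taken apart rule by rule to see which rules pulled the total down. This is an added example, not part of the original message; the grouping of rules by name prefix is an assumption made for illustration.

```python
import re

# Constructed sample: the X-Spam-Status value as quoted in the post above.
HEADER = (
    "No, score=1.102 tagged_above=-200 required=5 tests=[BAYES_50=0.8, "
    "DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, "
    "DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01, "
    "HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1, LOC_FILE_SHARE_PHISH1=0.75, "
    "LOC_FROMADDR=0.01, LOC_FROMNAME=0.01, LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, "
    "MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, "
    "RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01, "
    "SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled"
)

# Assumption for this example: rules are grouped by name prefix only.
AUTH = ("DKIM_", "SPF_", "DMARC_", "ARC_")
REPUTATION = ("RCVD_IN_", "TXREP")

def parse_status(value):
    """Return (score, required, {rule: points}) from a 'tests=[RULE=pts, ...]' header."""
    score = float(re.search(r"\bscore=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", value).group(1))
    listed = re.search(r"tests=\[(.*?)\]", value, re.S)
    rules = {}
    for item in (listed.group(1).split(",") if listed else []):
        name, sep, pts = item.strip().partition("=")
        if sep:  # skip empty or malformed entries
            rules[name] = float(pts)
    return score, required, rules

def breakdown(rules):
    """Sum points per group so the rules that lowered the score stand out."""
    def total(prefixes):
        return round(sum(p for n, p in rules.items() if n.startswith(prefixes)), 4)
    return {
        "auth": total(AUTH),
        "reputation": total(REPUTATION),
        "raised": round(sum(p for p in rules.values() if p > 0), 4),
        "lowered": round(sum(p for p in rules.values() if p < 0), 4),
        "total": round(sum(rules.values()), 4),
    }

if __name__ == "__main__":
    score, required, rules = parse_status(HEADER)
    print(score, required, breakdown(rules))
```

For this header the authentication and reputation groups together take off about 0.87 points, which is more than the 0.75 that LOC_FILE_SHARE_PHISH1 adds.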
Re: sorbs blocklist spamassassin.apache.org
> On 1/15/2023 10:20 AM, Benny Pedersen wrote:
> > https://multirbl.valli.org/lookup/95.216.194.37.html
> >
> > but who cares ?

On 15.01.23 10:53, Kevin A. McGrail wrote:
> No one, likely cares. I don't think that machine sends email.

I get my mail from this list via that machine:

Jan 15 16:20:51 fantomas postfix/smtpd[672]: A31B2A012C: client=mxout1-he-de.apache.org[95.216.194.37]
Jan 15 16:20:51 fantomas postfix/cleanup[677]: A31B2A012C: message-id=
Jan 15 16:20:52 fantomas postfix/qmgr[3230]: A31B2A012C: from=, size=4133, nrcpt=1 (queue active)

luckily it's listed in dnswl.org:

Jan 15 16:20:44 fantomas postfix/dnsblog[666]: addr 95.216.194.37 listed by domain list.dnswl.org as 127.0.4.2

however, I use safe.dnsbl.sorbs.net and it's not included there.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
Re: sorbs blocklist spamassassin.apache.org
Kevin A. McGrail wrote on 2023-01-15 17:47:

> > > That's the mail infrastructure run by infrastructure at Apache not by the projects. See https://infra.apache.org/
> >
> > i can't confirm infra only
>
> The mailing lists at Apache are run by Infra not the project. If you are having delivery issues, see that website and make sure you open a ticket there. Discussing it here is unlikely to get any resolution.

good

X-Spam-Status: No, score=-8.8 required=5.0 tests=AWL,DMARC_MISSING,
 KAM_DMARC_STATUS,MAILING_LIST_MULTI,NICE_REPLY_A,RCVD_IN_DNSWL_HI,
 RCVD_IN_HOSTKARMA_W,RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
 SPF_PASS,USER_IN_DEF_SPF_WL shortcircuit=no autolearn=ham
 autolearn_force=no version=4.0.0
X-Spam-AWL: AWL=-0.1 MEAN=-6.1 COUNT=8.0 PRESCORE=-6.2
X-Spam-Relay-Country: US US DE US
X-Spam-ASN: AS14618 3.224.0.0/12

i did not say i have problems not using sorbs
Re: sorbs blocklist spamassassin.apache.org
> > That's the mail infrastructure run by infrastructure at Apache not by the projects. See https://infra.apache.org/
>
> i can't confirm infra only

The mailing lists at Apache are run by Infra not the project. If you are having delivery issues, see that website and make sure you open a ticket there. Discussing it here is unlikely to get any resolution.

Regards,
KAM
Re: sorbs blocklist spamassassin.apache.org
Kevin A. McGrail wrote on 2023-01-15 16:56:

> On 1/15/2023 10:53 AM, Kevin A. McGrail wrote:
> > On 1/15/2023 10:20 AM, Benny Pedersen wrote:
> > > https://multirbl.valli.org/lookup/95.216.194.37.html
> > >
> > > but who cares ?
> >
> > No one, likely cares. I don't think that machine sends email.
>
> Checking more thoroughly SpamAssassin.apache.org is on 151.101.2.132
>
> That IP is mxout1-he-de.apache.org. That's the mail infrastructure run by infrastructure at Apache not by the projects. See https://infra.apache.org/

i can't confirm infra only

324 skynet.nemocnice-vs.cz 2023-01-14 00:09:02
 | -- 1 junc.eu 95.216.194.37 nonefailfail local_policy( arc=fail )
 | -- 1 junc.eu 3.227.148.255 nonefailfail local_policy( arc=fail )

i have used Mail::DMARC before spamassassin supported it
Re: sorbs blocklist spamassassin.apache.org
Kevin A. McGrail wrote on 2023-01-15 16:53:

> On 1/15/2023 10:20 AM, Benny Pedersen wrote:
> > https://multirbl.valli.org/lookup/95.216.194.37.html
> >
> > but who cares ?
>
> No one, likely cares. I don't think that machine sends email.

or none are using sorbs

https://www.dnswl.org/s/?s=3084

i gave that ip from my Mail::DMARC logs reporting, with did dkim fail, spf fail

that normally not being dkim fail unless apache org do use spamassassin 4 now :)
Re: sorbs blocklist spamassassin.apache.org
On 1/15/2023 10:53 AM, Kevin A. McGrail wrote:
> On 1/15/2023 10:20 AM, Benny Pedersen wrote:
> > https://multirbl.valli.org/lookup/95.216.194.37.html
> >
> > but who cares ?
>
> No one, likely cares. I don't think that machine sends email.

Checking more thoroughly SpamAssassin.apache.org is on 151.101.2.132

That IP is mxout1-he-de.apache.org. That's the mail infrastructure run by infrastructure at Apache not by the projects. See https://infra.apache.org/

Regards,
KAM

--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
RE: sorbs blocklist spamassassin.apache.org
> > https://multirbl.valli.org/lookup/95.216.194.37.html
> >
> > but who cares ?

What is the problem? I am even surprised that there are so many green listings. I have even configured that hosts with a reverse xxx.your-server.de are not allowed to connect.
Re: sorbs blocklist spamassassin.apache.org
On 1/15/2023 10:20 AM, Benny Pedersen wrote:
> https://multirbl.valli.org/lookup/95.216.194.37.html
>
> but who cares ?

No one, likely cares. I don't think that machine sends email.

--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
sorbs blocklist spamassassin.apache.org
https://multirbl.valli.org/lookup/95.216.194.37.html

but who cares ?