Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2024-06-24 Thread giovanni

On 6/23/24 10:26 PM, Larry Nedry via users wrote:

On 7/21/23 9:10 AM, Giovanni Bechis wrote:

Hi,
phishstats[.]info domain has recently moved to a parking domain; if you are using the
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info,
it would be better to comment out the "phishing_phishstats_feed" configuration line.
If PhishStats[.]info does not find a new home I am going to remove the relevant
code from the plugin.

 Regards
  Giovanni


Did you remove the relevant code for PhishStats?


Yes, I removed the code; now that PhishStats is back, the code has been restored 
after the 4.0.1 release.
 Giovanni





Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2024-06-23 Thread Larry Nedry via users

On 7/21/23 9:10 AM, Giovanni Bechis wrote:

Hi,
phishstats[.]info domain has recently moved to a parking domain; if 
you are using the Mail::SpamAssassin::Plugin::Phishing plugin with data 
downloaded from PhishStats[.]info, it would be better to comment out the 
"phishing_phishstats_feed" configuration line.
If PhishStats[.]info does not find a new home I am going to remove the 
relevant code from the plugin.


 Regards
  Giovanni


Did you remove the relevant code for PhishStats?

Regards,
Larry


Re: Getting phishing from sender in 60_welcomelist_auth.cf

2023-10-12 Thread Bill Cole

On 2023-10-12 at 10:24:11 UTC-0400 (Thu, 12 Oct 2023 10:24:11 -0400)
Ricky Boone 
is rumored to have said:


Thank you.  It was my mistake initially, as I was under the impression
that submitting unsolicited samples wasn't preferred, and was just
intending to raise awareness for others in case they see anything
similar.


Often one of us who has access to robust mail streams can find adequate 
evidence on our own. In this case the volume seems to have been rather 
low.




Attached is evidence with redactions.  Again, my apologies if the
original email came across as it may have, and also for the delay in
reporting (I was alerted to this yesterday afternoon).


No problem. Your analysis of the issue as a compromised SendGrid account 
appears to be right, which breaks the basis for having them in the 
default welcomelist.


Change committed:

# svn diff -r r1910021:r1912921 60_welcomelist_auth.cf
Index: 60_welcomelist_auth.cf
===
--- 60_welcomelist_auth.cf  (revision 1910021)
+++ 60_welcomelist_auth.cf  (revision 1912921)
@@ -546,7 +546,6 @@
 def_welcomelist_auth *@*.directgeneral.com
 def_welcomelist_auth *@*.subaru.com
 def_welcomelist_auth *@*.aexp.com
-def_welcomelist_auth *@*.usssa.com
 def_welcomelist_auth *@*.bestwesternrewards.com
 def_welcomelist_auth *@*.email-weightwatchers.com
 def_welcomelist_auth *@*.email-allstate.com
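Review bot: this hunk drops only the def_welcomelist_auth spelling of the usssa.com entry; the file carries a parallel def_whitelist_auth list further down (the second hunk), so a one-sided removal would leave *@*.usssa.com welcomelisted under the legacy directive name. Both hunks need to land in the same commit, and `grep -c usssa.com 60_welcomelist_auth.cf` returning 0 afterwards is the cheap check that neither copy was missed.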
@@ -1523,7 +1522,6 @@
 def_whitelist_auth *@*.directgeneral.com
 def_whitelist_auth *@*.subaru.com
 def_whitelist_auth *@*.aexp.com
-def_whitelist_auth *@*.usssa.com
 def_whitelist_auth *@*.bestwesternrewards.com
 def_whitelist_auth *@*.email-weightwatchers.com
 def_whitelist_auth *@*.email-allstate.com





On Thu, Oct 12, 2023 at 8:48 AM Bill Cole
 wrote:


On 2023-10-11 at 22:02:22 UTC-0400 (Wed, 11 Oct 2023 22:02:22 -0400)
Ricky Boone 
is rumored to have said:


My apologies.

The samples that I have contain email addresses that I am not at
liberty to share without redacting.  If it's okay that there are
certain strings that are removed, I should be able to make them
available.  Is there a preferred method for getting this to you?


Attached to a message here or to a bug report in the SA project
Bugzilla: https://bz.apache.org/SpamAssassin/

Ideally, just redact the local part of user addresses. Nothing else is
really sensitive in spam, and facts like domains and IP addresses help
validate spam analysis. For example, we wouldn't want to de-list a
domain which appears to be forged into spam.

The point of having a minimally-redacted message as an openly visible
example for removing a def_welcomelist entry is to make sure that we
aren't open to being used for mischief and can justify the removal later
if asked to. The bar for removal is very low (being listed is a
privilege, not a right) but it can't be simply 'someone said...'





On Wed, Oct 11, 2023 at 9:25 PM Bill Cole
 wrote:


On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone 
is rumored to have said:

Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it.  The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.


If anyone has a shareable sample spam to substantiate this, that would
be helpful.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Getting phishing from sender in 60_welcomelist_auth.cf

2023-10-12 Thread Ricky Boone
Thank you.  It was my mistake initially, as I was under the impression
that submitting unsolicited samples wasn't preferred, and was just
intending to raise awareness for others in case they see anything
similar.

Attached is evidence with redactions.  Again, my apologies if the
original email came across as it may have, and also for the delay in
reporting (I was alerted to this yesterday afternoon).

On Thu, Oct 12, 2023 at 8:48 AM Bill Cole
 wrote:
>
> On 2023-10-11 at 22:02:22 UTC-0400 (Wed, 11 Oct 2023 22:02:22 -0400)
> Ricky Boone 
> is rumored to have said:
>
> > My apologies.
> >
> > The samples that I have contain email addresses that I am not at
> > liberty to share without redacting.  If it's okay that there are
> > certain strings that are removed, I should be able to make them
> > available.  Is there a preferred method for getting this to you?
>
> Attached to a message here or to a bug report in the SA project
> Bugzilla: https://bz.apache.org/SpamAssassin/
>
> Ideally, just redact the local part of user addresses. Nothing else is
> really sensitive in spam, and facts like domains and IP addresses help
> validate spam analysis. For example, we wouldn't want to de-list a
> domain which appears to be forged into spam.
>
> The point of having a minimally-redacted message as an openly visible
> example for removing a def_welcomelist entry is to make sure that we
> aren't open to being used for mischief and can justify the removal later
> if asked to. The bar for removal is very low (being listed is a
> privilege, not a right) but it can't be simply 'someone said...'
>
>
>
>
> > On Wed, Oct 11, 2023 at 9:25 PM Bill Cole
> >  wrote:
> >>
> >> On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
> >> Ricky Boone 
> >> is rumored to have said:
> >>
> >>> Just a heads up, it appears that usssa[.]com has had their SendGrid
> >>> email sending account popped, and a bad actor has been sending
> >>> phishing emails from it.  The domain is defined in
> >>> 60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
> >>> entries with *@*.usssa.com.
> >>
> >> If anyone has a shareable sample spam to substantiate this, that
> >> would
> >> be helpful.
> >>
> >> --
> >> Bill Cole
> >> b...@scconsult.com or billc...@apache.org
> >> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> >> Not Currently Available For Hire
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire




Re: Getting phishing from sender in 60_welcomelist_auth.cf

2023-10-12 Thread Bill Cole

On 2023-10-11 at 22:02:22 UTC-0400 (Wed, 11 Oct 2023 22:02:22 -0400)
Ricky Boone 
is rumored to have said:


My apologies.

The samples that I have contain email addresses that I am not at
liberty to share without redacting.  If it's okay that there are
certain strings that are removed, I should be able to make them
available.  Is there a preferred method for getting this to you?


Attached to a message here or to a bug report in the SA project 
Bugzilla: https://bz.apache.org/SpamAssassin/


Ideally, just redact the local part of user addresses. Nothing else is 
really sensitive in spam, and facts like domains and IP addresses help 
validate spam analysis. For example, we wouldn't want to de-list a 
domain which appears to be forged into spam.


The point of having a minimally-redacted message as an openly visible 
example for removing a def_welcomelist entry is to make sure that we 
aren't open to being used for mischief and can justify the removal later 
if asked to. The bar for removal is very low (being listed is a 
privilege, not a right) but it can't be simply 'someone said...'






On Wed, Oct 11, 2023 at 9:25 PM Bill Cole
 wrote:


On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone 
is rumored to have said:


Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it.  The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.


If anyone has a shareable sample spam to substantiate this, that would
be helpful.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Getting phishing from sender in 60_welcomelist_auth.cf

2023-10-11 Thread Ricky Boone
My apologies.

The samples that I have contain email addresses that I am not at
liberty to share without redacting.  If it's okay that there are
certain strings that are removed, I should be able to make them
available.  Is there a preferred method for getting this to you?

On Wed, Oct 11, 2023 at 9:25 PM Bill Cole
 wrote:
>
> On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
> Ricky Boone 
> is rumored to have said:
>
> > Just a heads up, it appears that usssa[.]com has had their SendGrid
> > email sending account popped, and a bad actor has been sending
> > phishing emails from it.  The domain is defined in
> > 60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
> > entries with *@*.usssa.com.
>
> If anyone has a shareable sample spam to substantiate this, that would
> be helpful.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire


Re: Getting phishing from sender in 60_welcomelist_auth.cf

2023-10-11 Thread Bill Cole

On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone 
is rumored to have said:


Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it.  The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.


If anyone has a shareable sample spam to substantiate this, that would 
be helpful.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Getting phishing from sender in 60_welcomelist_auth.cf

2023-10-11 Thread Ricky Boone
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it.  The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.


Re: (Re-)emergence of UTF based obfuscation in phishing/spam

2023-08-30 Thread Ricky Boone
Typo, I meant to say I was on SA 3.4.6.

On Wed, Aug 30, 2023, 3:22 PM Ricky Boone  wrote:

> Something I noticed on a set of emails that were reported to me.
>
> I have custom rules to look out for certain names in From:name.  The
> messages should have been caught by them, however upon inspection the
> name was UTF-8 encoded, and included a character that doesn't seem to
> render, but interferes with the regex I used.  Specifically, the bad
> actor included a RIGHT-TO-LEFT mark (U+200F, or \xe2\x80\x8f)
> effectively as a null-space character.  The body of the message was
> also flooded with LEFT-TO-RIGHT (U+200E, or \xe2\x80\x8e) and ZERO
> WIDTH NO-BREAK SPACE (U+FEFF, or \xef\xbb\xbf) characters randomly
> placed within the body and within words to interfere with other rules.
> When debugging the message, it doesn't appear that the characters are
> normalized, so from SA's perspective it seems like all of these
> characters have to be accounted for with any rules.
>
> To add, I'm currently on SA 3.6.x.  It looks like 4.0 improves UTF-8
> handling, but I'm not sure if it would address the behavior I see
> (though happy to be wrong... albeit not able to update immediately).
>
> I'm trying to see if ReplaceTags might be useful, and found an older
> discussion in this list on the matter related to the trouble with
> UTF-8.  I checked to see if there were any existing tags that would
> account for null-space/zero-width space-like characters, but didn't
> see any.  I have no issues working on creating a tag, but wanted to
> gauge the community to see what their thoughts were while I started
> down that path.
>


(Re-)emergence of UTF based obfuscation in phishing/spam

2023-08-30 Thread Ricky Boone
Something I noticed on a set of emails that were reported to me.

I have custom rules to look out for certain names in From:name.  The
messages should have been caught by them, however upon inspection the
name was UTF-8 encoded, and included a character that doesn't seem to
render, but interferes with the regex I used.  Specifically, the bad
actor included a RIGHT-TO-LEFT mark (U+200F, or \xe2\x80\x8f)
effectively as a null-space character.  The body of the message was
also flooded with LEFT-TO-RIGHT (U+200E, or \xe2\x80\x8e) and ZERO
WIDTH NO-BREAK SPACE (U+FEFF, or \xef\xbb\xbf) characters randomly
placed within the body and within words to interfere with other rules.
When debugging the message, it doesn't appear that the characters are
normalized, so from SA's perspective it seems like all of these
characters have to be accounted for with any rules.

To add, I'm currently on SA 3.6.x.  It looks like 4.0 improves UTF-8
handling, but I'm not sure if it would address the behavior I see
(though happy to be wrong... albeit not able to update immediately).

I'm trying to see if ReplaceTags might be useful, and found an older
discussion in this list on the matter related to the trouble with
UTF-8.  I checked to see if there were any existing tags that would
account for null-space/zero-width space-like characters, but didn't
see any.  I have no issues working on creating a tag, but wanted to
gauge the community to see what their thoughts were while I started
down that path.
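To make the problem Ricky describes concrete, here is an added Python example (not code from the SpamAssassin project) that decodes a From: display name, compares a plain name regex, the same regex after stripping Unicode format characters, and a ReplaceTags-style pattern that tolerates the marks between letters, and tallies the marks as a standalone signal. The sample header, body and the "Acme Support" name rule are constructed for the example.

```python
"""Zero-width / bidi-mark obfuscation checks for a From: name and body.

Added example, not part of SpamAssassin. The From: header, body and the
"Acme Support" name rule below are constructed for illustration.
"""
import base64
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Code points the thread reports being inserted into names and bodies:
# U+200E LEFT-TO-RIGHT MARK, U+200F RIGHT-TO-LEFT MARK,
# U+FEFF ZERO WIDTH NO-BREAK SPACE.  In raw UTF-8 these are the byte
# sequences \xe2\x80\x8e, \xe2\x80\x8f and \xef\xbb\xbf.
REPORTED = frozenset("\u200e\u200f\ufeff")


def is_invisible(ch: str) -> bool:
    """True for the reported marks and for any other Unicode 'Cf' (format)
    character, which covers the rest of the zero-width family (U+200B, U+2060, ...)."""
    return ch in REPORTED or unicodedata.category(ch) == "Cf"


def strip_invisible(text: str) -> str:
    """Normalization approach: drop format characters before rules are applied."""
    return "".join(ch for ch in text if not is_invisible(ch))


def count_invisible(text: str) -> dict:
    """Per-code-point tally, e.g. {'U+200F': 1}; usable as a rule signal on its own."""
    counts = {}
    for ch in text:
        if is_invisible(ch):
            key = "U+%04X" % ord(ch)
            counts[key] = counts.get(key, 0) + 1
    return counts


def display_name(raw_from: str) -> str:
    """Decode RFC 2047 encoded-words in a From: value and return the display name."""
    decoded = str(make_header(decode_header(raw_from)))
    return parseaddr(decoded)[0]


# Same idea as a ReplaceTags tag: allow any run of the marks between letters.
ZW_CLASS = "[\u200e\u200f\ufeff]*"


def tolerant_pattern(literal: str) -> re.Pattern:
    """Pattern approach for engines that cannot normalize first: the literal
    matches even when marks are interleaved between every pair of characters."""
    return re.compile(ZW_CLASS.join(re.escape(ch) for ch in literal), re.IGNORECASE)


NAME_RULE = re.compile(r"acme support", re.IGNORECASE)  # hypothetical custom rule
NAME_RULE_TOLERANT = tolerant_pattern("acme support")


def check(raw_from: str, body: str) -> dict:
    """Run the three matching strategies and report mark counts and density."""
    name = display_name(raw_from)
    visible = sum(1 for ch in body if not ch.isspace() and not is_invisible(ch))
    invisible = sum(1 for ch in body if is_invisible(ch))
    return {
        "name_hit_plain": bool(NAME_RULE.search(name)),
        "name_hit_normalized": bool(NAME_RULE.search(strip_invisible(name))),
        "name_hit_tolerant": bool(NAME_RULE_TOLERANT.search(name)),
        "invisible_in_name": count_invisible(name),
        "invisible_in_body": count_invisible(body),
        # Ratio of format characters to visible non-space characters; a body
        # "flooded" with marks, as in the report, stands out by this number alone.
        "body_invisible_ratio": invisible / visible if visible else 0.0,
    }


# Constructed sample: "Ac<U+200F>me Support" as a base64 encoded-word, built at
# run time so no hand-encoded constant is needed.
SAMPLE_NAME = "Ac\u200fme Support"
SAMPLE_FROM = "=?UTF-8?B?%s?= <support@example.test>" % (
    base64.b64encode(SAMPLE_NAME.encode("utf-8")).decode("ascii"))
# Constructed body with U+200E and U+FEFF scattered inside words.
SAMPLE_BODY = ("Yo\u200eur acc\ufeffount will be sus\u200epended un\ufeffless "
               "you ver\u200eify it to\u200eday.")

if __name__ == "__main__":
    for key, value in check(SAMPLE_FROM, SAMPLE_BODY).items():
        print(key, value)
```

The plain rule misses the name while both the normalized and the tolerant variants hit, which is the choice the thread is weighing: normalize once before matching, or encode the tolerance into every rule via a tag.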


Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2023-07-21 Thread Giovanni Bechis

Hi,
phishstats[.]info domain has recently moved to a parking domain; if you are using the
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info,
it would be better to comment out the "phishing_phishstats_feed" configuration line.
If PhishStats[.]info does not find a new home I am going to remove the relevant
code from the plugin.

 Regards
  Giovanni




Re: Phishing from domain present in USER_IN_DEF_SPF_WL

2023-05-23 Thread Bill Cole
On 2023-05-23 at 12:08:10 UTC-0400 (Tue, 23 May 2023 18:08:10 +0200)
Thierry 
is rumored to have said:

> Hi,
>
> we just received phishing spams (Postfinance) from zendesk.com
>
> This domain is present in 60_welcomelist_auth.cf for the rule 
> USER_IN_DEF_SPF_WL
>
> Can you remove this domain (temporarily or permanently) next update ?

Yes. I've also seen evidence of what looks like cross-tenant phishing from 
ZenDesk.


shiny:rules root# svn diff
Index: 60_welcomelist_auth.cf
===
--- 60_welcomelist_auth.cf  (revision 1910020)
+++ 60_welcomelist_auth.cf  (working copy)
@@ -439,7 +439,6 @@
 def_welcomelist_auth *@*.trulia.com
 def_welcomelist_auth *@*.rentalcars.com
 def_welcomelist_auth *@recommendedjobs.com
-def_welcomelist_auth *@*.zendesk.com
 def_welcomelist_auth *@*.advocareemail.com
 def_welcomelist_auth *@*.plenti.com
 def_welcomelist_auth *@*.amolatina.com
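Review bot: the entry being removed is the wildcard *@*.zendesk.com, so this de-lists every Zendesk tenant subdomain at once (the quoted report below shows header.from=atlys.zendesk.com); that is the right scope for a shared sending platform, since an SPF/DKIM pass for the platform domain cannot tell a compromised tenant from a legitimate one, and a narrower entry would just move the problem to the next tenant.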
@@ -1417,7 +1416,6 @@
 def_whitelist_auth *@*.trulia.com
 def_whitelist_auth *@*.rentalcars.com
 def_whitelist_auth *@recommendedjobs.com
-def_whitelist_auth *@*.zendesk.com
 def_whitelist_auth *@*.advocareemail.com
 def_whitelist_auth *@*.plenti.com
 def_whitelist_auth *@*.amolatina.com
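Review bot: the legacy def_whitelist_auth copy is removed in step with the def_welcomelist_auth entry above, which keeps the two parallel lists consistent; the commit message that follows names the source only as the user list, so a pointer to the thread or a bug id would make the removal easier to justify later if anyone asks.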
shiny:rules root# svn commit -m "Phish reported on user list from/via ZenDesk"
Authentication realm: <https://svn.apache.org:443> ASF Committers
Password for 'billcole': ***

Sending        60_welcomelist_auth.cf
Transmitting file data .done
Committing transaction...
Committed revision 1910021.




>
> Received: from outbyoip4.pod19.use1.zdsys.com (outbyoip4.pod19.use1.zdsys.com 
> [192.161.149.4])
>      (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 
> verify=NO)
>      for ; Tue, 23 May 2023 17:26:00 +0200
> Authentication-Results: dmarc=none (p=none dis=none) 
> header.from=atlys.zendesk.com
> Authentication-Results: spf=pass smtp.mailfrom=atlys.zendesk.com
> Authentication-Results:
>      dkim=pass (2048-bit key) header.d=zendesk.com header.i=@zendesk.com 
> header.b="Se7nuDiy"
> Received: from zendesk.com (unknown [10.219.24.95])
>      by outbyoip4.pod19.use1.zdsys.com (Postfix) with ESMTP id x
>      for ; Tue, 23 May 2023 15:25:58 + (UTC)
> Date: Tue, 23 May 2023 15:25:58 +
> From: "Роstfinаnсе (GmbH)" 
> Reply-To: "Роstfinаnсе (GmbH)" 
> To: x 
> Message-ID: <6x2430xxx_sp...@zendesk.com>
> In-Reply-To: <6x2430xxx...@zendesk.com>
> *Subject: Wichtig: Aktualisieren Sie Ihr**
> **Роstfinаnсе-Konto*
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="--==_mimepart_646cdb0667952_4c4a9c38871";
> charset=utf-8
> Content-Transfer-Encoding: 7bit
> X-Delivery-Context: automatic-answer-1689173234243234
> Auto-Submitted: auto-generated
> X-Auto-Response-Suppress: All
> X-Mailer: Zendesk Mailer
> X-Zendesk-From-Account-Id: 83f40dd
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com;
> q=dns/txt; s=zendesk2; t=168488;
> bh=hZXuEvY/OemVRfx2BSZkm7AF9OUMlXdBZZugXDZhHF0=;
>
> ...
>
>
> Thierry


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Phishing from domain present in USER_IN_DEF_SPF_WL

2023-05-23 Thread Thierry

Hi,

we just received phishing spams (Postfinance) from zendesk.com

This domain is present in 60_welcomelist_auth.cf for the rule 
USER_IN_DEF_SPF_WL


Can you remove this domain (temporarily or permanently) next update ?

Received: from outbyoip4.pod19.use1.zdsys.com (outbyoip4.pod19.use1.zdsys.com [192.161.149.4])
     (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
     for ; Tue, 23 May 2023 17:26:00 +0200
Authentication-Results: dmarc=none (p=none dis=none) header.from=atlys.zendesk.com
Authentication-Results: spf=pass smtp.mailfrom=atlys.zendesk.com
Authentication-Results:
     dkim=pass (2048-bit key) header.d=zendesk.com header.i=@zendesk.com header.b="Se7nuDiy"
Received: from zendesk.com (unknown [10.219.24.95])
     by outbyoip4.pod19.use1.zdsys.com (Postfix) with ESMTP id x
     for ; Tue, 23 May 2023 15:25:58 + (UTC)
Date: Tue, 23 May 2023 15:25:58 +
From: "Роstfinаnсе (GmbH)" 
Reply-To: "Роstfinаnсе (GmbH)" 
To: x 
Message-ID: <6x2430xxx_sp...@zendesk.com>
In-Reply-To: <6x2430xxx...@zendesk.com>
*Subject: Wichtig: Aktualisieren Sie Ihr**
**Роstfinаnсе-Konto*
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_646cdb0667952_4c4a9c38871";
charset=utf-8
Content-Transfer-Encoding: 7bit
X-Delivery-Context: automatic-answer-1689173234243234
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: 83f40dd
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com;
q=dns/txt; s=zendesk2; t=168488;
bh=hZXuEvY/OemVRfx2BSZkm7AF9OUMlXdBZZugXDZhHF0=;

...


Thierry



Re: Dropbox invoice phishing

2023-03-20 Thread jason hirsh


Technically you pommel m
> On Mar 20, 2023, at 5:34 PM, Mark London  wrote:
> 
> Dropbox now has an invoice feature, that allows you to create a customized 
> invoice.  So what this person did was to create an invoice that looks like 
> it’s coming from PayPal.   Except for the fact that the From address shows it 
> is coming from Dropbox.  
> 
> Months ago I saw a similar problem with fake invoices coming from PayPal.  
> 
> I hate Spammers.
> 
>> On Mar 20, 2023, at 2:58 PM, Greg Troxel  wrote:
>> 
>> A quick grep shows:
>> 
>> 4.00/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth *@*.dropbox.com
>> 
>> so the code is operating as designed.
>> 
>> It seems that either dropbox is compromised, or dropbox is allowing
>> user-generated content to go out under their domain.   Either way it
>> seems they should be removed from USER_IN_DEF_SPF_WL, unless this is a
>> blip and they fix it right away.
>> 
>> Have you written to ab...@dropbox.com, and what did they say?
>> 
> 



Dropbox invoice phishing

2023-03-20 Thread Mark London
Dropbox now has an invoice feature, that allows you to create a customized 
invoice.  So what this person did was to create an invoice that looks like it’s 
coming from PayPal.   Except for the fact that the From address shows it is 
coming from Dropbox.  

Months ago I saw a similar problem with fake invoices coming from PayPal.  

I hate Spammers.

> On Mar 20, 2023, at 2:58 PM, Greg Troxel  wrote:
> 
> A quick grep shows:
> 
> 4.00/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth *@*.dropbox.com
> 
> so the code is operating as designed.
> 
> It seems that either dropbox is compromised, or dropbox is allowing
> user-generated content to go out under their domain.   Either way it
> seems they should be removed from USER_IN_DEF_SPF_WL, unless this is a
> blip and they fix it right away.
> 
> Have you written to ab...@dropbox.com, and what did they say?
> 



Re: May I get to 0 phishing?

2023-02-23 Thread Matus UHLAR - fantomas

On 21.02.23 19:51, hg user wrote:

I was wondering if it is possible to reach the goal of 0 phishing.

With 2 layers of paid protection, and a third layer realized with
spamassassin with a lot of hand made rules, I'm able to catch a lot of spam
and if some reaches the mailboxes, no problem.

But when phishing is able to reach the mailboxes, it is more dangerous, and
I'd like to bring it to a minimum.

I'd like to know if you, despite all the barriers, still, although rarely,
have phishing go through, and how do you handle the situation.


treat phishing like spam, but with higher priority.
If you notice phishing, take action immediately.

otherwise, just standard measures - report to razor, pyzor, DCC, train as 
spam.


And keep a copy for possible future training.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.


Re: adobe phishing?

2023-02-22 Thread Greg Troxel
Kris Deugau  writes:

> Greg Troxel wrote:
>> One of my users got mail that really looks like a phish. They are
>> unaware of having an adobe account.   It is DKIM signed, but looks a bit
>> spammy in terms of the content (low-quality HTML markup, missing
>> text/plain content).
>
> ... How much otherwise legitimate mail have you inspected recently?
>
> Grotty HTML and missing text/plain is here to stay.  :(

I realize that, but it's still icky.

It just seemed like 'obvious phish' from context so I thought I'd ask.

Sounds like it's as legit as Adobe is :-)


Re: adobe phishing?

2023-02-22 Thread Erik de Castro Lopo
Kris Deugau wrote:

> The decoded Subject: might provide more of a hint to whatever 
> Adobe-borged software the user actually had an account for.

Subject decodes to: "Important information about your Adobe account"

Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: adobe phishing?

2023-02-22 Thread Kris Deugau

Greg Troxel wrote:

One of my users got mail that really looks like a phish. They are
unaware of having an adobe account.   It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).


... How much otherwise legitimate mail have you inspected recently?

Grotty HTML and missing text/plain is here to stay.  :(


Is anyone else seeing this?

Opinions on if it's real, if adobe is compromised, or ?


Looks legit to me, notwithstanding whatever your user recalls.  It's an 
Adobe IP (doublechecked WHOIS, but the fcRDNS is pretty solid evidence), 
it passed DKIM, and there's no funny business with the From:/envelope. 
They've pointlessly encoded the Subject: but that seems to be a Thing 
because Reasons, and IME not any particular indication of anything.


The decoded Subject: might provide more of a hint to whatever 
Adobe-borged software the user actually had an account for.


-kgd


adobe phishing?

2023-02-22 Thread Greg Troxel
One of my users got mail that really looks like a phish. They are
unaware of having an adobe account.   It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).

Is anyone else seeing this?

Opinions on if it's real, if adobe is compromised, or ?



Return-Path: 
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-7.3 required=1.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,HTML_IMAGE_RATIO_08,
HTML_MESSAGE,MAILING_LIST_MULTI,RCVD_IN_HOSTKARMA_W,
RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_SAFE,SPF_HELO_NONE,
SPF_PASS,TXREP shortcircuit=no autolearn=disabled version=4.0.0
X-Original-To: u...@example.com
Delivered-To: u...@mail.example.com
Received: from r42.mail.adobe.com (r42.mail.adobe.com [192.243.226.42])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.example.com (Postfix) with ESMTPS id E7096410756
for ; Wed, 22 Feb 2023 11:05:08 -0500 (EST)
Authentication-Results: mail.example.com;
dkim=pass (1024-bit key) header.d=mail.adobe.com 
header.i=@mail.adobe.com header.b=EtgaivIv
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.adobe.com;
s=neolane; t=1677081908;
bh=IfJX78+kf+++BGIgmI6NTSU3ZUI1dzDwNJ5pRlW6Y+w=;
h=From:Subject:Date:To:MIME-Version:Message-ID:List-Unsubscribe:
 Content-Type;
b=EtgaivIvUiNOiiVI5kpGQONOWfcAOQvbfpJrGiR0xQQvORkDfj5uVp6LH3JftKL1+
 E/DIsY896w9NajMG7AOHNBrDnN6+BpBx+J0OOWy62EcdYBntSnDiifQmat0CH0p7Xg
 Ozw4G3a2zZc/nJ+QRBK75/Zgg2Nyg9rF+y23gufI=
Received: from [10.139.37.161] ([10.139.37.161:12939] helo=r42.mail.adobe.com)
by momentum19.or1.cpt.adobe.net (envelope-from )
(ecelerity 4.2.38.62370 r(:)) with ESMTP
id 97/FA-14171-43D36F36; Wed, 22 Feb 2023 08:05:08 -0800
From: "Adobe" 
Subject: =?utf-8?B?SW1wb3J0YW50IGluZm9ybWF0aW9uIGFib3V0IHlvdXIgQWRvYg==?=
 =?utf-8?B?ZSBhY2NvdW50?=
Date: Wed, 22 Feb 2023 08:05:07 -0800
To: 
Reply-To: "Adobe" 
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID: 
List-Unsubscribe: List-Unsubscribe: 
X-CSA-Complaints: whitelist-complai...@eco.de
List-Id: <-1193003540.neolane.client.com>
Precedence: bulk
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: multipart/alternative;
charset="windows-1252";
boundary="=_NextPart_166_5CA8CB4B.5CA8CB4B"


[SNIP]

Dear Adobe customer,
We've noticed you have not logged in to your Adobe account in more =
than a year. In keeping with our policies, we are contacting you to let you=
 know your Adobe ID will expire 90 days from now. If you take no action wit=
hin the next 90 days, your https://t-info.mail.adobe.com/r/=3Fid=
=[RANDOM_BASE64_SUFF]" target=3D"_blank" style=3D"color:#505050; text-dec=
oration:underline;">Adobe ID will no longer be valid, you will no longe=
r have access to content you may have stored on our servers and this accoun=
t will be closed.
Your Adobe ID is: 
 
If you would like to maintain your Adobe ID listed above, you can l=
og in now to keep it active.


Re: May I get to 0 phishing?

2023-02-21 Thread Benny Pedersen

Rob McEwen skrev den 2023-02-21 23:17:

I dug a little deeper on this. I'm pretty sure that FROM_PAYPAL_SPOOF
is triggered at least in part by __NOT_SPOOFED being set to "false" -
and DKIM failing does (or can) cause __NOT_SPOOFED to be false - and
so in this case a failed DKIM validation, that most likely worked when
the message was originally sent - is what's now causing this chain
reaction. It's highly doubtful that this rule would have hit at the
time the message was received.


grep -r FROM_PAYPAL_SPOOF /path-to-spamassassin-rules-dir/

why not report it to dnswl.org, or other low hanging fruits?

i am not impressed with people that make spamassassin rules but can't use 
grep


back to my own problem on not getting any paypal emails :)


Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
I dug a little deeper on this. I'm pretty sure that FROM_PAYPAL_SPOOF is 
triggered at least in part by __NOT_SPOOFED being set to "false" - and 
DKIM failing does (or can) cause __NOT_SPOOFED to be false - and so in 
this case a failed DKIM validation, that most likely worked when the 
message was originally sent - is what's now causing this chain reaction. 
It's highly doubtful that this rule would have hit at the time the 
message was received.

--Rob McEwen, invaluement



-- Original Message --

From "Rob McEwen" 

To users@spamassassin.apache.org
Date 2/21/2023 4:53:27 PM
Subject Re: May I get to 0 phishing?


Benny,

There are a few holes in your theory/assertions:

(1) I know for a fact that this came from PayPal's official transactional servers, in 
PayPal's IP space. And while the sender (PayPal's customer) was a "bad actor", 
this wasn't PayPal's actual email server getting hacked. Instead, it was PayPal's 
deliberate notification they sent on purpose, with all the proper authentication that 
normally is sent in ALL legit PayPal emails.

(2) I'm about 99.9% certain that all the validations that fail now - passed 
when it was originally sent/received. It's actually common for such large 
senders to expire DKIM record validation either quickly (to make spoofing 
harder!) and/or to manually expire it when they find fraud in recently-sent 
spams. One or the other, or both, likely happened here. I'm very confident that 
some (probably all!) of the validation failures that caused some portion of 
your bad scoring - weren't there if SA had been run against this soon after it 
was sent.

(3) I'm using SA 4.x, and a few minutes ago, I ran this against SA, and I ran a legit PayPal 
notification from this SAME IP address, that was sent today - both against SA. 
"FROM_PAYPAL_SPOOF" never had a hit on either one - but I also have RBLs and URI-lists 
set to not run in my SA, since I'm doing all that elsewhere - so maybe that disabled 
FROM_PAYPAL_SPOOF in my system? Or maybe FROM_PAYPAL_SPOOF isn't in SA4? Nevertheless, if this rule 
is so great and definitive, why is it only scoring 1.2 points? 1.2 points suggests that it might 
not be 100% immune to false positives! And if your argument is so great, why was your overall SA 
score ONLY 1.2 points? Do you really think that everyone using SA should "know" to 
magically block all messages that ONLY score 1.3 points, but have a hit on this rule? Should other 
SA users have this magical insight about other such SA rules?

I think you destroyed your own argument, with your own evidence. And you seem 
to be overlooking the fact that these are sent from PayPal servers that also 
send a MASSIVE amount of legit and transactional emails, including from this 
actual same IP. For example, in the past 24 hours, my small-ish mail hosting 
system has 6 legit not-spam PayPal notifications sent from this SAME ip address 
- all 6 of those were legit.

Rob McEwen, invaluement



-- Original Message --
From "Benny Pedersen" 
To users@spamassassin.apache.org
Date 2/21/2023 4:03:31 PM
Subject Re: May I get to 0 phishing?


Rob McEwen wrote on 2023-02-21 20:37:


https://pastebin.com/v80qMF99


Content preview:  Invoice from Apple. com (0005) xxx...@example.com, here are
   your invoice details Hello, xxx...@example.com Here's your invoice

Content analysis details:   (1.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [173.0.84.227 listed in wl.mailspike.net]
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
                            and suggests discarding the rest
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [173.0.84.227 listed in list.dnswl.org]
-2.0 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
                            [173.0.84.227 listed in hostkarma.junkemailfilter.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.4 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously huge
                            http urls
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.0 LONG_IMG_URI           Image URI with very long path component - web bug?
 1.0 MSGID_NOFQDN2          Message-ID without a fully-qualified domain name
 0.5 LONGLINE               Line length exceeds 998 character limit, RFC 5322
 1.2 FROM_PAYPAL_SPO

Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen

Benny,

There are a few holes in your theory/assertions:

(1) I know for a fact that this came from PayPal's official 
transactional servers, in PayPal's IP space. And while the sender 
(PayPal's customer) was a "bad actor", this wasn't PayPal's actual email 
server getting hacked. Instead, it was PayPal's deliberate notification 
they sent on purpose, with all the proper authentication that normally 
is sent in ALL legit PayPal emails.


(2) I'm about 99.9% certain that all the validations that fail now - 
passed when it was originally sent/received. It's actually common for 
such large senders to expire DKIM record validation either quickly (to 
make spoofing harder!) and/or to manually expire it when they find fraud 
in recently-sent spams. One or the other, or both, likely happened here. 
I'm very confident that some (probably all!) of the validation failures 
that caused some portion of your bad scoring - weren't there if SA had 
been run against this soon after it was sent.


(3) I'm using SA 4.x, and a few minutes ago, I ran this against SA, and 
I ran a legit PayPal notification from this SAME IP address, that was 
sent today - both against SA. "FROM_PAYPAL_SPOOF" never had a hit on 
either one - but I also have RBLs and URI-lists set to not run in my SA, 
since I'm doing all that elsewhere - so maybe that disabled 
FROM_PAYPAL_SPOOF in my system? Or maybe FROM_PAYPAL_SPOOF isn't in SA4? 
Nevertheless, if this rule is so great and definitive, why is it only 
scoring 1.2 points? 1.2 points suggests that it might not be 100% immune 
to false positives! And if your argument is so great, why was your 
overall SA score ONLY 1.2 points? Do you really think that everyone 
using SA should "know" to magically block all messages that ONLY score 
1.3 points, but have a hit on this rule? Should other SA users have this 
magical insight about other such SA rules?


I think you destroyed your own argument, with your own evidence. And you 
seem to be overlooking the fact that these are sent from PayPal servers 
that also send a MASSIVE amount of legit and transactional emails, 
including from this actual same IP. For example, in the past 24 hours, 
my small-ish mail hosting system has 6 legit not-spam PayPal 
notifications sent from this SAME ip address - all 6 of those were 
legit.


Rob McEwen, invaluement



-- Original Message --

From "Benny Pedersen" 

To users@spamassassin.apache.org
Date 2/21/2023 4:03:31 PM
Subject Re: May I get to 0 phishing?


Rob McEwen wrote on 2023-02-21 20:37:


https://pastebin.com/v80qMF99


Content preview:  Invoice from Apple. com (0005) xxx...@example.com, here are
   your invoice details Hello, xxx...@example.com Here's your invoice

Content analysis details:   (1.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [173.0.84.227 listed in wl.mailspike.net]
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
                            and suggests discarding the rest
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [173.0.84.227 listed in list.dnswl.org]
-2.0 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
                            [173.0.84.227 listed in hostkarma.junkemailfilter.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.4 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously huge
                            http urls
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.0 LONG_IMG_URI           Image URI with very long path component - web bug?
 1.0 MSGID_NOFQDN2          Message-ID without a fully-qualified domain name
 0.5 LONGLINE               Line length exceeds 998 character limit, RFC 5322
 1.2 FROM_PAYPAL_SPOOF      From PayPal domain but matches SPOOFED
 0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
 0.1 DMARC_REJECT           DMARC reject policy
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image

don't know more, but dnswl ? ;)

DMARC_REJECT && FROM_PAYPAL_SPOOF why accept it ?



Re: May I get to 0 phishing?

2023-02-21 Thread Benny Pedersen

Rob McEwen wrote on 2023-02-21 20:37:


https://pastebin.com/v80qMF99


Content preview:  Invoice from Apple. com (0005) xxx...@example.com, here are
   your invoice details Hello, xxx...@example.com Here's your invoice

Content analysis details:   (1.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [173.0.84.227 listed in wl.mailspike.net]
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
                            and suggests discarding the rest
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [173.0.84.227 listed in list.dnswl.org]
-2.0 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
                            [173.0.84.227 listed in hostkarma.junkemailfilter.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.4 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously huge
                            http urls
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.0 LONG_IMG_URI           Image URI with very long path component - web bug?
 1.0 MSGID_NOFQDN2          Message-ID without a fully-qualified domain name
 0.5 LONGLINE               Line length exceeds 998 character limit, RFC 5322
 1.2 FROM_PAYPAL_SPOOF      From PayPal domain but matches SPOOFED
 0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
 0.1 DMARC_REJECT           DMARC reject policy
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image

don't know more, but dnswl ? ;)

DMARC_REJECT && FROM_PAYPAL_SPOOF why accept it ?
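Rob's point that DKIM results drift when a message is re-scanned long after delivery, and Benny's question about treating DMARC_REJECT together with FROM_PAYPAL_SPOOF as a reject condition, both come down to reading the hits in a report like the one above. The Python script below is an added example, not code from this thread or from SpamAssassin: it parses the "Content analysis details" block, re-sums the scores, and splits the total into points from rule families that are recomputed against live DNS or signature validation at scan time and points from content rules, then reports whether Benny's proposed condition holds. The prefix list used for that split is an assumption for illustration, not SpamAssassin's own classification (on Rob's reading, FROM_PAYPAL_SPOOF is indirectly DKIM-dependent through __NOT_SPOOFED and could be added to it). The sample report is constructed from the hits quoted in the thread.

```python
"""Parse a SpamAssassin "Content analysis details" report and separate the
points from rules that depend on live DNS or signature checks from the points
earned by message content.  Added example; the sample report below is
constructed from the rule hits quoted in the mailing-list thread."""
import re

SAMPLE_REPORT = """\
Content analysis details:   (1.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [173.0.84.227 listed in wl.mailspike.net]
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
                            and suggests discarding the rest
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [173.0.84.227 listed in list.dnswl.org]
-2.0 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
                            [173.0.84.227 listed in hostkarma.junkemailfilter.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.4 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously huge
                            http urls
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.0 LONG_IMG_URI           Image URI with very long path component - web bug?
 1.0 MSGID_NOFQDN2          Message-ID without a fully-qualified domain name
 0.5 LONGLINE               Line length exceeds 998 character limit, RFC 5322
 1.2 FROM_PAYPAL_SPOOF      From PayPal domain but matches SPOOFED
 0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
 0.1 DMARC_REJECT           DMARC reject policy
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image
"""

HEADER_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
# A hit line: score, rule name, start of description.  Continuation lines
# (wrapped descriptions, "[ip listed in ...]") start with a non-digit and
# are skipped.
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

# Rule families whose verdict is recomputed against DNS or a signature at
# scan time.  Assumption for illustration, not SpamAssassin's own taxonomy.
LIVE_CHECK_PREFIXES = ("DKIM_", "DMARC_", "SPF_", "RCVD_IN_", "URIBL_")


def parse_report(text):
    """Return (reported_total, required, hits); hits are (score, rule, desc)."""
    reported = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and reported is None:
            reported, required = float(m.group(1)), float(m.group(2))
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2), m.group(3).strip()))
    return reported, required, hits


def is_live_check(rule):
    """True for rules whose result can change between scans of the same mail."""
    return rule.startswith(LIVE_CHECK_PREFIXES)


def analyse(text):
    """Summarise a report: totals, the live-check/content split, and whether
    the DMARC_REJECT + FROM_PAYPAL_SPOOF combination proposed in the thread
    is present."""
    reported, required, hits = parse_report(text)
    names = {rule for _, rule, _ in hits}
    total = round(sum(score for score, _, _ in hits), 1)
    live = round(sum(score for score, rule, _ in hits if is_live_check(rule)), 1)
    return {
        "reported_total": reported,
        "computed_total": total,
        "required": required,
        "live_check_points": live,
        "content_points": round(total - live, 1),
        "rules": sorted(names),
        "dmarc_reject_and_spoof": {"DMARC_REJECT", "FROM_PAYPAL_SPOOF"} <= names,
        "over_threshold": total >= required,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample the DNS- and signature-dependent rules net out to -2.2 points while the content rules alone contribute 3.4, still short of the 5.0 threshold. A DNSWL credit one day and a DKIM failure the next is exactly the chain reaction Rob describes, so a condition such as DMARC_REJECT together with a spoof rule is only meaningful when evaluated at delivery time, not from a sample re-scanned weeks later.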




Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
Nope. That was a phishing spam, just maybe not the TYPE of phishing spam 
you're used to seeing? Calling it a fraud doesn't make it not a phish. 
When is a phishing spam ever NOT fraud? So what's the deciding factor? 
The fact that this claimed to be Apple sending an invoice via PayPal - 
and tried to trick the end user into thinking that they were the real 
Apple - except it wasn't really Apple - it was a criminal masquerading 
as Apple, trying to trick the recipient into paying this via thinking 
that this was the real Apple. THAT is the deciding factor that makes 
this a phish as well as a fraud.


(PayPal should have done better customer vetting on the front end!)

Rob McEwen, invaluement


-- Original Message --

From "hg user" 

To "Rob McEwen" 
Cc users@spamassassin.apache.org
Date 2/21/2023 3:10:35 PM
Subject Re: May I get to 0 phishing?

I think this is not a phishing, more a fraud: it seems a real invoice 
for something you didn't buy.


I'm glad to hear from experts that it's impossible to have 0 phishing, 
that I'm not missing the "silver bullet" or the magic token.


I may perhaps implement ESP plugin, and subscribe to DQS, or add an OCR 
plugin for those very annoying "pay the fine" scams. Really dubious 
about enabling razor and pyzor for Italian language.


Unfortunately my spamassassin, version 3.4.5, is embedded into Zimbra, 
and it makes me really afraid of adding plugins...


Suggestions are always welcome

On Tue, Feb 21, 2023 at 8:37 PM Rob McEwen  wrote:

What Bill Cole said! Agreed. For example, here's an almost impossible
phish to block (at least, without blocking legitimate PayPal
transactional emails!). This is a PayPal phishing spam, sent from
PayPal's own server! It was sent by PayPal. I only changed the intended
recipient address (to protect the innocent), and changed the "=" at the
end of lines MIME-formatting to regular lines, for better readability
when looking through the email body for links. Otherwise, not altered.

https://pastebin.com/v80qMF99

However - there are always very helpful improvements that can be made
for minimizing the number of phish that get into the inbox. It's a
constant battle!

Rob McEwen, invaluement

-- Original Message --
From "Bill Cole" 
To users@spamassassin.apache.org
Date 2/21/2023 2:11:02 PM
Subject Re: May I get to 0 phishing?

>On 2023-02-21 at 13:51:09 UTC-0500 (Tue, 21 Feb 2023 19:51:09 +0100)
>hg user 
>is rumored to have said:
>
>>I was wondering if it is possible to reach the goal of 0 phishing.
>
>Nope. There are people who find it profitable and they will continue
>to find ways to trick all the usable programmatic mechanisms deployed
>to stop it.
>
>>With 2 layers of paid protection, and a third layer realized with
>>spamassassin with a lot of hand made rules, I'm able to catch a lot
>>of spam and if some reaches the mailboxes, no problem.
>>
>>But when phishing is able to reach the mailboxes, it is more
>>dangerous, and I'd like to bring it to a minimum.
>>
>>I'd like to know if you, despite all the barriers, still, although
>>rarely, have phishing go through, and how do you handle the situation.
>
>Eternal vigilance and user education.
>
>The world is an imperfect place.
>
>
>-- Bill Cole
>b...@scconsult.com or billc...@apache.org
>(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
>Not Currently Available For Hire

Re: May I get to 0 phishing?

2023-02-21 Thread hg user
I think this is not a phishing, more a fraud: it seems a real invoice for
something you didn't buy.

I'm glad to hear from experts that it's impossible to have 0 phishing, that
I'm not missing the "silver bullet" or the magic token.

I may perhaps implement ESP plugin, and subscribe to DQS, or add an OCR
plugin for those very annoying "pay the fine" scams. Really dubious about
enabling razor and pyzor for Italian language.

Unfortunately my spamassassin, version 3.4.5, is embedded into Zimbra, and
it makes me really afraid of adding plugins...

Suggestions are always welcome

On Tue, Feb 21, 2023 at 8:37 PM Rob McEwen  wrote:

> What Bill Cole said! Agreed. For example, here's an almost impossible
> phish to block (at least, without blocking legitimate PayPal
> transactional emails!). This is a PayPal phishing spam, sent from
> PayPal's own server! It was sent by PayPal. I only changed the intended
> recipient address (to protect the innocent), and changed the "=" at the
> end of lines MIME-formatting to regular lines, for better readability
> when looking through the email body for links. Otherwise, not altered.
>
> https://pastebin.com/v80qMF99
>
> However - there are always very helpful improvements that can be made
> for minimizing the number of phish that get into the inbox. It's a
> constant battle!
>
> Rob McEwen, invaluement
>
> -- Original Message ------
> From "Bill Cole" 
> To users@spamassassin.apache.org
> Date 2/21/2023 2:11:02 PM
> Subject Re: May I get to 0 phishing?
>
> >On 2023-02-21 at 13:51:09 UTC-0500 (Tue, 21 Feb 2023 19:51:09 +0100)
> >hg user 
> >is rumored to have said:
> >
> >>I was wondering if it is possible to reach the goal of 0 phishing.
> >
> >Nope. There are people who find it profitable and they will continue to
> find ways to trick all the usable programmatic mechanisms deployed to stop
> it.
> >
> >>With 2 layers of paid protection, and a third layer realized with
> >>spamassassin with a lot of hand made rules, I'm able to catch a lot of
> spam
> >>and if some reaches the mailboxes, no problem.
> >>
> >>But when phishing is able to reach the mailboxes, it is more dangerous,
> and
> >>I'd like to bring it to a minimum.
> >>
> >>I'd like to know if you, despite all the barriers, still, although
> rarely,
> >>have phishing go through, and how do you handle the situation.
> >
> >Eternal vigilance and user education.
> >
> >The world is an imperfect place.
> >
> >
> >-- Bill Cole
> >b...@scconsult.com or billc...@apache.org
> >(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> >Not Currently Available For Hire
>


Re: May I get to 0 phishing?

2023-02-21 Thread Rob McEwen
What Bill Cole said! Agreed. For example, here's an almost impossible 
phish to block (at least, without blocking legitimate PayPal 
transactional emails!). This is a PayPal phishing spam, sent from 
PayPal's own server! It was sent by PayPal. I only changed the intended 
recipient address (to protect the innocent), and changed the "=" at the 
end of lines MIME-formatting to regular lines, for better readability 
when looking through the email body for links. Otherwise, not altered.


https://pastebin.com/v80qMF99

However - there are always very helpful improvements that can be made 
for minimizing the number of phish that get into the inbox. It's a 
constant battle!


Rob McEwen, invaluement

-- Original Message --

From "Bill Cole" 

To users@spamassassin.apache.org
Date 2/21/2023 2:11:02 PM
Subject Re: May I get to 0 phishing?


On 2023-02-21 at 13:51:09 UTC-0500 (Tue, 21 Feb 2023 19:51:09 +0100)
hg user 
is rumored to have said:


I was wondering if it is possible to reach the goal of 0 phishing.


Nope. There are people who find it profitable and they will continue to find 
ways to trick all the usable programmatic mechanisms deployed to stop it.


With 2 layers of paid protection, and a third layer realized with
spamassassin with a lot of hand made rules, I'm able to catch a lot of spam
and if some reaches the mailboxes, no problem.

But when phishing is able to reach the mailboxes, it is more dangerous, and
I'd like to bring it to a minimum.

I'd like to know if you, despite all the barriers, still, although rarely,
have phishing go through, and how do you handle the situation.


Eternal vigilance and user education.

The world is an imperfect place.


-- Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: May I get to 0 phishing?

2023-02-21 Thread Bill Cole

On 2023-02-21 at 13:51:09 UTC-0500 (Tue, 21 Feb 2023 19:51:09 +0100)
hg user 
is rumored to have said:


I was wondering if it is possible to reach the goal of 0 phishing.


Nope. There are people who find it profitable and they will continue to 
find ways to trick all the usable programmatic mechanisms deployed to 
stop it.



With 2 layers of paid protection, and a third layer realized with
spamassassin with a lot of hand made rules, I'm able to catch a lot of
spam and if some reaches the mailboxes, no problem.

But when phishing is able to reach the mailboxes, it is more
dangerous, and I'd like to bring it to a minimum.

I'd like to know if you, despite all the barriers, still, although
rarely, have phishing go through, and how do you handle the situation.


Eternal vigilance and user education.

The world is an imperfect place.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


May I get to 0 phishing?

2023-02-21 Thread hg user
I was wondering if it is possible to reach the goal of 0 phishing.

With 2 layers of paid protection, and a third layer realized with
spamassassin with a lot of hand made rules, I'm able to catch a lot of spam
and if some reaches the mailboxes, no problem.

But when phishing is able to reach the mailboxes, it is more dangerous, and
I'd like to bring it to a minimum.

I'd like to know if you, despite all the barriers, still, although rarely,
have phishing go through, and how do you handle the situation.

Thank you


Re: How is this phishing attack called?

2023-02-15 Thread Jared Hall

On 2/15/2023 2:50 PM, hg user wrote:

And how to intercept?

From time to time we receive a message that is a reply-to to an old 
message, sometimes after months, with just several lines added at the 
top inviting to open a url or attachment.


Does this kind of phishing have a name?


QakBot and Emotet malware bots all do this.  They've been battered, but 
they're still around.  Deceptively clever.



How can I prevent it or at least flag it for review?


For some starters: Keep AntiVirus scanning software updated.  Use the 
OpenPhish and PhishTank URL lists.  Use URI RBL's.




Thank you


-- Jared Hall



How is this phishing attack called?

2023-02-15 Thread hg user
And how to intercept?

From time to time we receive a message that is a reply-to to an old
message, sometimes after months, with just several lines added at the top
inviting to open a url or attachment.

Does this kind of phishing have a name?
How can I prevent it or at least flag it for review?

Thank you
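The pattern described here (a reply to a months-old conversation with a few new lines on top and a link or attachment) is commonly called thread hijacking, and it is what the Emotet and QakBot campaigns Jared mentions in his answer relied on. The Python script below is an added example, not code from this thread or from SpamAssassin: it flags a reply for review when its In-Reply-To (or the last References entry) points at a message in the site's own sent-mail index that is older than a threshold, and the text written above the quoted part is short and carries a URL or an attachment. The sent-mail index, both sample messages, the 60-day threshold and the three-line limit are all constructed assumptions for the example.

```python
"""Flag replies that revive an old thread with a short new message carrying
a link or attachment.  Added example; the sent-mail index and the messages
are constructed, and the thresholds are assumptions to tune locally."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed stand-in for an index of mail this site sent: Message-ID -> date.
SENT_INDEX = {
    "<orig-2022-09-01@mail.example.invalid>": datetime(2022, 9, 1, tzinfo=timezone.utc),
    "<orig-2023-02-10@mail.example.invalid>": datetime(2023, 2, 10, tzinfo=timezone.utc),
}
STALE_AFTER = timedelta(days=60)   # assumption: how old a revived thread must be
SHORT_LINES = 3                    # assumption: "just several lines added at the top"
URL_RE = re.compile(r"https?://\S+", re.I)
# Where the quoted original starts in common reply styles.
QUOTE_START_RE = re.compile(r"^(>|-----Original Message-----|From: |On .+ wrote:$)")

# Constructed sample: reply to a five-month-old thread, two new lines, zip attached.
HIJACK_REPLY = """\
From: "A. Colleague" <colleague@partner.example.invalid>
To: me@mail.example.invalid
Subject: RE: Q3 contract draft
Date: Wed, 15 Feb 2023 09:12:00 +0000
Message-ID: <reply-1@partner.example.invalid>
In-Reply-To: <orig-2022-09-01@mail.example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the document and confirm.
Regards

> From: me@mail.example.invalid
> Sent: Thursday, 1 September 2022
> Subject: Q3 contract draft
> Here is the draft we discussed.
--b1
Content-Type: application/zip; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: reply to a five-day-old thread with real discussion.
BENIGN_REPLY = """\
From: "A. Colleague" <colleague@partner.example.invalid>
To: me@mail.example.invalid
Subject: RE: Q3 contract draft
Date: Wed, 15 Feb 2023 09:12:00 +0000
Message-ID: <reply-2@partner.example.invalid>
In-Reply-To: <orig-2023-02-10@mail.example.invalid>
Content-Type: text/plain; charset="utf-8"

Thanks for the draft. Two comments from our side:
1. Clause 4 should reference the 2023 price list.
2. The delivery schedule in annex B needs the revised dates.
Happy to discuss on the call tomorrow.

On Fri, 10 Feb 2023 at 14:02, me@mail.example.invalid wrote:
> Here is the draft we discussed.
"""


def new_text_lines(body):
    """Non-empty lines written above the quoted part of a reply."""
    fresh = []
    for line in body.splitlines():
        stripped = line.strip()
        if QUOTE_START_RE.match(stripped):
            break
        if stripped:
            fresh.append(stripped)
    return fresh


def referenced_id(msg):
    """Message-ID the reply claims to answer: In-Reply-To, else last References."""
    ref = (msg.get("In-Reply-To") or "").strip()
    if not ref:
        refs = (msg.get("References") or "").split()
        ref = refs[-1] if refs else ""
    return ref


def assess(raw, sent_index=SENT_INDEX):
    """Return {"flag", "reasons", "attachments"}; flag is set only when the
    reply is both stale and short-with-payload, since either alone is normal."""
    msg = message_from_string(raw, policy=default)
    original_sent = sent_index.get(referenced_id(msg))
    if original_sent is None:
        return {"flag": False, "reasons": ["not a reply to a message we sent"], "attachments": []}
    reasons = []
    age = parsedate_to_datetime(str(msg["Date"])) - original_sent
    if age > STALE_AFTER:
        reasons.append("replies to a thread %d days old" % age.days)
    text_part = msg.get_body(preferencelist=("plain",))
    fresh = new_text_lines(text_part.get_content() if text_part else "")
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    has_link = any(URL_RE.search(line) for line in fresh)
    if len(fresh) <= SHORT_LINES and (has_link or attachments):
        what = "a link" if has_link else "attachment " + ", ".join(attachments)
        reasons.append("only %d new lines, carrying %s" % (len(fresh), what))
    return {"flag": len(reasons) == 2, "reasons": reasons, "attachments": attachments}


if __name__ == "__main__":
    for name, raw in (("hijack", HIJACK_REPLY), ("benign", BENIGN_REPLY)):
        print(name, assess(raw))
```

The sent-mail index is the part that makes the age check meaningful; on a real system it would come from Message-IDs logged by the outbound MTA. Without it only the short-text-plus-attachment signal remains, and that alone matches plenty of legitimate mail, which is why the script requires both signals before flagging.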


gbhackers.com: Hackers Using New Obfuscation Mechanisms to Evade Detection Of Phishing Campaign

2021-08-16 Thread Brent Clark

Good day Guys

Something I came across, and thought I would share / forward

https://gbhackers.com/hackers-using-new-obfuscation-mechanisms-to-evade-detection-of-phishing-campaign/

Hope this helps.

Regards
Brent



Re: Email Phishing and Zloader: Redux

2021-07-12 Thread Jared Hall
1) Kenneth:  Uncomment the line in v343.  Rules in the present KAM.cf 
are thusly:


ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  # increase number of mime parts checked
  olemacro_num_mime 10
  if (version >= 3.0040005)
    body KAM_OLEMACRO eval:check_olemacro()
    describe KAM_OLEMACRO Attachment has an Office Macro
    score    KAM_OLEMACRO 7.5
    body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
    describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
    score    KAM_OLEMACRO_MALICE 10.0
    body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
    describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
    score    KAM_OLEMACRO_ENCRYPTED 3.0
    #This may cause more CPU usage
    olemacro_extended_scan 1
    body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
    describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
    score    KAM_OLEMACRO_RENAME 0.5
    meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
    describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
    score    GB_OLEMACRO_REN_VIR 10
  endif
  body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
  score    KAM_OLEMACRO_ZIP_PW 1.0
  body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
  describe KAM_OLEMACRO_CSV Macro in csv file
  score    KAM_OLEMACRO_CSV 5.0
  #meta KAM_OLEMACRO_ZIP_PW_NOMID  ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
  #describe KAM_OLEMACRO_ZIP_PW_NOMID  OLE macro sent by a bot / ratware
  #score    KAM_OLEMACRO_ZIP_PW_NOMID  5.0
  meta KAM_OLEMACRO_ZIP_BOT    ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
  describe KAM_OLEMACRO_ZIP_BOT    OLE macro sent by a bot / ratware
  score    KAM_OLEMACRO_ZIP_BOT    5.0
endif


Yes, there does seem to be one "endif" too many but I don't think it 
matters much with this type of a plugin.


Thanks for the information from hornetsecurity.  It's the most 
comprehensive write-up on Zloader that I've seen.


I did do some testing with Word and MHTML.  A Word document when sent 
out is assigned Content-Type: application/msword and 
Content-Transfer-Encoding: base64.  A MHTML file is sent out with 
Content-Type: text/html and Content-Transfer-Encoding: quoted-printable 
(w/ my document anyway).


I'm curious as to what HornetSecurity saw in their E-mail MIME header.  
It DOES make a difference, at least regarding plugin scanning.  But a 
.doc file is a .doc file as far as Word is concerned.


I put forth a query to them.  I'll let you know if they respond.

-- Jared Hall






I simply uncommented it in /etc/spamassassin/v343.pre:

# OLEVBMacro - Detects both OLE macros and VB code inside Office 
documents

loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

the KAM.cf takes care of the rest.




Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Matus UHLAR - fantomas
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail" 
 wrote:



We use the olevbmacro detection added to SA.  I would guess that's
blocking the payload.


On 11.07.21 13:35, Kenneth Porter wrote:
I see the plugin in the distribution but it doesn't appear to be 
loaded by default and the rules in the plugin's man page don't appear 
in the downloaded rules. So I guess I need to create a custom cf file.


I simply uncommented it in /etc/spamassassin/v343.pre:

# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

the KAM.cf takes care of the rest.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Save the whales. Collect the whole set.


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Matus UHLAR - fantomas

On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and 
an application/x-mso file. Which (in addition to the text/xml 
files) are used by Microsoft Word to load the embedded Word 
document."


Would the presence of all three of those MIME types be a 
scorable indicator?



On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
If you can get me a spample, I'm sure I can tell you but in 
general we block macros so that's all that's needed.  Likely the 
OLEVBMacro plugin and KAM ruleset is blocking all of these already 
if you have the plugin enabled.



On 12/07/2021 07:40, Dave Funk wrote:
Aren't there already rules and heuristics in ClamAV for detecting 
VBmacros in office docs?


I've got two copies of ClamAV running, one used as a blocking direct 
milter with default rules and another one feeding into the SA 
"clamav.pm" plugin with extra rules and heuristics/algorithms 
enabled.


On 12.07.21 08:51, Dominic Raferd wrote:
I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and 
'AlertOLE2Macros true'; these are then checked by command-line tool 
mraptor (part of olevba) to see if the macros are truly malicious.


I will try the OLEVBMacro plugin alongside, thanks for the heads up.


note that standard SA rules don't contain any rule using the OLEVBMacro
functions, but KAM.cf does.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Pedro David Marco
 
>On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail 
> wrote:  
>If you can get me a spample, I'm sure I can tell you but in general we 
>block macros so that's all that's needed.  Likely the OLEVBMacro plugin 
>and KAM ruleset is blocking all of these already if you have the plugin 
>enabled.


The initial email has no macro... they use an old MS feature where a document 
marks itself as "incomplete" and tells the MS Office app where to download the 
missing part, that contains the payload.
To my knowledge (very limited) only zipped versions of MS files can use that 
feature. Within them, there are 2 data structures to check if you want to find 
prizes...
-Pedro.


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Dominic Raferd

On 12/07/2021 07:40, Dave Funk wrote:

On Sun, 11 Jul 2021, Kevin A. McGrail wrote:


On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) 
are used by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general 
we block macros so that's all that's needed.  Likely the OLEVBMacro 
plugin and KAM ruleset is blocking all of these already if you have 
the plugin enabled.


Aren't there already rules and heuristics in ClamAV for detecting 
VBmacros in office docs?


I've got two copies of ClamAV running, one used as a blocking direct 
milter with default rules and another one feeding into the SA 
"clamav.pm" plugin with extra rules and heuristics/algorithms enabled.


I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and 
'AlertOLE2Macros true'; these are then checked by command-line tool 
mraptor (part of olevba) to see if the macros are truly malicious.


I will try the OLEVBMacro plugin alongside, thanks for the heads up.




Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Dave Funk

On Sun, 11 Jul 2021, Kevin A. McGrail wrote:


On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) are used 
by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general we block 
macros so that's all that's needed.  Likely the OLEVBMacro plugin and KAM 
ruleset is blocking all of these already if you have the plugin enabled.


Regards,

KAM


Aren't there already rules and heuristics in ClamAV for detecting VBmacros in 
office docs?


I've got two copies of ClamAV running, one used as a blocking direct milter with 
default rules and another one feeding into the SA "clamav.pm" plugin with extra 
rules and heuristics/algorithms enabled.




--
Dave Funk                                University of Iowa
                                         College of Engineering
319/335-5751   FAX: 319/384-0549         1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin          Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kevin A. McGrail

On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) are 
used by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general we 
block macros so that's all that's needed.  Likely the OLEVBMacro plugin 
and KAM ruleset is blocking all of these already if you have the plugin 
enabled.


Regards,

KAM

--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kevin A. McGrail
It's in the KAM ruleset if that helps.  Search "ifplugin 
Mail::SpamAssassin::Plugin::OLEVBMacro" and you'll see the set of rules 
we use.  Add the plugin to an appropriate pre file to activate it.


On 7/11/2021 4:35 PM, Kenneth Porter wrote:
I see the plugin in the distribution but it doesn't appear to be 
loaded by default and the rules in the plugin's man page don't appear 
in the downloaded rules. So I guess I need to create a custom cf file.


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread John Hardin

On Sun, 11 Jul 2021, Kenneth Porter wrote:

--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall  
wrote:



The Word document (without macros) loads an external encrypted Excel file


It has macros. It tricks the user into enabling and running them by telling 
him to enable the document for editing and enabling "content" (ie. macros). 
Hiding macros from the user in this way (calling them "content") is a 
terrible piece of UI.



Both articles conclude with the statement "We suggest it is safe to
enable them (macros) only when the document received is from a trusted
source".  I really don't understand that comment since the entire unique
nature of the exploit is to disable the macro warnings entirely. 


A forged From line means the average Joe will assume the source is trusted.

Another nice analysis, I think with better details, showing how this evades 
the usual scanners:




The Word document is assembled from MIME fragments so there's no extension to 
block.



"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) are used 
by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  What the hell is an "Aluminum Falcon"??-- Emperor Palpatine
---
 9 days until the 52nd anniversary of Apollo 11 landing on the Moon
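John's question about whether the three part types (application/vnd.ms-officetheme, application/x-mso and text/xml) are a scorable indicator, and Jared's observation earlier in the thread that an MHTML-wrapped .doc arrives as text/html with quoted-printable encoding rather than application/msword with base64, can both be checked from the MIME structure alone. The Python script below is an added example, not code from this thread or from SpamAssassin: it inventories every leaf part's declared type, transfer encoding and filename, decodes text parts and looks for nested Content-Type declarations (a sign that the part is itself a MIME document), and reports when all three Office part types appear together or when an Office filename rides on a text/* part. The sample message is constructed in code and contains placeholder text only, no document data.

```python
"""Inventory the MIME parts of a message and flag text parts that are
themselves MIME documents declaring Office-specific part types.  Added
example; the sample message is constructed below and carries no payload."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# The three part types quoted in the thread as the ones Word uses to load
# an embedded document from an MHTML container.
OFFICE_PART_TYPES = {"application/vnd.ms-officetheme", "application/x-mso", "text/xml"}
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".dotm")
CT_RE = re.compile(r"^content-type:\s*([\w.+-]+/[\w.+-]+)", re.I | re.M)

# Constructed stand-in for an MHTML container: only the structure, placeholders
# instead of real theme, filelist or XML data.
NESTED_MHTML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_EXAMPLE"

------=_NextPart_EXAMPLE
Content-Type: text/html; charset="us-ascii"

<html><body>placeholder</body></html>
------=_NextPart_EXAMPLE
Content-Type: application/vnd.ms-officetheme

placeholder
------=_NextPart_EXAMPLE
Content-Type: application/x-mso

placeholder
------=_NextPart_EXAMPLE
Content-Type: text/xml

placeholder
------=_NextPart_EXAMPLE--
"""


def sample_message():
    """Build the constructed sample: a plain-text body plus NESTED_MHTML
    attached as text/html, quoted-printable, under the name document.doc."""
    outer = EmailMessage()
    outer["From"] = "sender@example.invalid"
    outer["To"] = "recipient@example.invalid"
    outer["Subject"] = "constructed sample"
    outer.set_content("Please open the attached document.")
    outer.add_attachment(NESTED_MHTML, subtype="html",
                         cte="quoted-printable", filename="document.doc")
    return outer.as_string()


def inventory(raw):
    """(content type, transfer encoding, filename) for every leaf part."""
    msg = message_from_string(raw, policy=default)
    rows = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        rows.append((part.get_content_type(), cte, part.get_filename()))
    return rows


def nested_content_types(part):
    """Content types declared inside a text part that is itself a MIME document."""
    if part.get_content_maintype() != "text":
        return set()
    try:
        text = part.get_content()
    except (LookupError, UnicodeDecodeError):
        return set()
    return {ct.lower() for ct in CT_RE.findall(text)}


def assess(raw):
    """Findings for parts that declare Office part types inside a text part
    or carry an Office filename on a text/* part."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        nested = nested_content_types(part)
        office = nested & OFFICE_PART_TYPES
        mismatch = filename.endswith(OFFICE_EXTENSIONS) and part.get_content_maintype() == "text"
        if office or mismatch:
            findings.append({
                "part": part.get_content_type(),
                "filename": part.get_filename(),
                "nested_types": sorted(nested),
                "office_parts": sorted(office),
                "all_three": office == OFFICE_PART_TYPES,
                "extension_mismatch": mismatch,
            })
    return findings


if __name__ == "__main__":
    raw = sample_message()
    for row in inventory(raw):
        print(row)
    for finding in assess(raw):
        print(finding)
```

A document that Word itself saved as a single-file web page carries the same three part types, so the "all three present" result is one signal to score rather than a blocking rule by itself; the filename-versus-declared-type mismatch is the second signal worth scoring alongside it, and the KAM macro rules above cover the case where the assembled document does contain VBA.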

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail" 
 wrote:



We use the olevbmacro detection added to SA.  I would guess that's
blocking the payload.


I see the plugin in the distribution but it doesn't appear to be loaded by 
default and the rules in the plugin's man page don't appear in the 
downloaded rules. So I guess I need to create a custom cf file.
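Added example (not code from the thread or from the SpamAssassin distribution): a local .pre/.cf pair that does the two things discussed in this thread, enabling the OLEVBMacro plugin that the previous message found unloaded, and scoring the co-occurrence of the three MIME part types asked about above. The eval names are the ones documented in the OLEVBMacro man page; the LOCAL_* and __LOCAL_* rule names and all scores are assumptions chosen for illustration, not published rules.

```conf
# --- /etc/mail/spamassassin/local.pre (any *.pre file is read before the .cf files) ---
# Not loaded by a stock install, so it must be enabled here.
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

# --- /etc/mail/spamassassin/local_zloader.cf ---
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  # eval rules from the plugin's man page; scores are local assumptions
  body     OLEMACRO          eval:check_olemacro()
  describe OLEMACRO          Attachment has an Office macro
  score    OLEMACRO          1.0

  body     OLEMACRO_MALICE   eval:check_olemacro_malice()
  describe OLEMACRO_MALICE   Potentially malicious Office macro
  score    OLEMACRO_MALICE   3.0
endif

# MIMEHeader is loaded by v320.pre in a stock install; the guard keeps
# --lint clean if it is ever disabled.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # Per-part Content-Type checks. Names starting with __ are subrules and
  # score nothing on their own.
  mimeheader __LOCAL_MIME_OFFICETHEME  Content-Type =~ m{^application/vnd\.ms-officetheme}i
  mimeheader __LOCAL_MIME_XMSO         Content-Type =~ m{^application/x-mso}i
  mimeheader __LOCAL_MIME_TEXTXML      Content-Type =~ m{^text/xml}i

  # Fire only when all three fragment types appear in the same message.
  meta     LOCAL_MHTML_WORD_FRAGMENTS  (__LOCAL_MIME_OFFICETHEME && __LOCAL_MIME_XMSO && __LOCAL_MIME_TEXTXML)
  describe LOCAL_MHTML_WORD_FRAGMENTS  Word document assembled from MHTML MIME fragments
  score    LOCAL_MHTML_WORD_FRAGMENTS  2.5
endif
```

Check the file with `spamassassin --lint` before reloading, and keep the meta score below the 5.0 threshold: a legitimate document saved from Word as MHTML carries the same three part types, so this indicator should add to OLEMACRO_MALICE or Bayes rather than block on its own.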






Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kevin A. McGrail
We use the olevbmacro detection added to SA.  I would guess that's blocking
the payload.

On Sun, Jul 11, 2021, 15:00 Kenneth Porter  wrote:

> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall 
> wrote:
>
> > The Word document (without macros) loads an external encrypted Excel file
>
> It has macros. It tricks the user into enabling and running them by
> telling
> him to enable the document for editing and enabling "content" (i.e.
> macros).
> Hiding macros from the user in this way (calling them "content") is a
> terrible piece of UI.
>
> > Both articles conclude with the statement "We suggest it is safe to
> > enable them (macros) only when the document received is from a trusted
> > source".  I really don't understand that comment since the entire unique
> > nature of the exploit is to disable the macro warnings entirely.
>
> A forged From line means the average Joe will assume the source is trusted.
>
> Another nice analysis, I think with better details, showing how this
> evades
> the usual scanners:
>
> <
> https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/
> >
>
> The Word document is assembled from MIME fragments so there's no extension
> to block.
>
>


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall  
wrote:



The Word document (without macros) loads an external encrypted Excel file


It has macros. It tricks the user into enabling and running them by telling 
him to enable the document for editing and enabling "content" (i.e. macros). 
Hiding macros from the user in this way (calling them "content") is a 
terrible piece of UI.



Both articles conclude with the statement "We suggest it is safe to
enable them (macros) only when the document received is from a trusted
source".  I really don't understand that comment since the entire unique
nature of the exploit is to disable the macro warnings entirely. 


A forged From line means the average Joe will assume the source is trusted.

Another nice analysis, I think with better details, showing how this evades 
the usual scanners:




The Word document is assembled from MIME fragments so there's no extension 
to block.




Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Jared Hall
Reference: My reply to KAM's post: "Looking for a sample of the 
Microsoft zero day print nightmare"



To continue my rant about the disconnect with the Security community, 
this ThreatPost article pops up on my Google feed "Microsoft Office 
Users Warned on New Malware-Protection Bypass".  I think not. A typical 
Microsoft Office user is "Joe Average", and good ol' Joe can't tell a 
ThreatPost from a Fencepost.  But five paragraphs down, this caught my 
eye: "The initial attack vector is inbox-based phishing messages with 
Word document attachments that contain no malicious code."  Now we're 
talking.  Golly, maybe I can help!  So, I read on...


Just a whole lot of uselessness for a Mail Admin:  Unknown file 
attachment name, Unknown From Name/Email Address, Unknown IP address, 
Unknown message Subject, Unknown message strings, etc.  You can read the 
post here: 
https://threatpost.com/microsoft-office-malware-protection-bypass/167652/


ThreatPost is the media arm of McAfee (mostly), and within the article 
is a link to an article by a couple of McAfee researchers, found here: 
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/


The article goes to great lengths to explain that the observed 
infections are mostly in the US and Canada.  The Word document (without 
macros) loads an external encrypted Excel file and through the power of 
DDE, writes VBA macros into the Excel file, and then disables Macro 
Warnings in the computer's registry.  The coup de grâce is the download 
and execution of ZLoader.  Then it's game over for "Joe Average".


Of course, there's a lot of excitement over the technical wizardry 
therein; Word document analysis, VBA Code analysis, Excel Cell 
Structures, and the like.  But again, it is totally useless for Mail 
Admins, who ultimately are in the best position to mitigate the 
widespread distribution of this infection.  Great researchers they may 
be, but useful communicators they are NOT.


Both articles conclude with the statement "We suggest it is safe to 
enable them (macros) only when the document received is from a trusted 
source".  I really don't understand that comment since the entire unique 
nature of the exploit is to disable the macro warnings entirely.  It 
sure sounds like Emotet 2.0 in the making.  So Anti-Virus/Malware 
companies will hype up their products, Phishing companies create new 
courses, and Firewall companies start blocking "11.php and 22.php's" and 
all kinds of "heavenlygems".  Everybody wants to sell a cure, but 
mitigation be damned.


Maybe some 400-pound anti-spam nut in New Jersey would've stopped the 
whole thing.  We'll never know.  We anti-spam folks are forced to sit on 
the bench, waiting for another billion dollars in damages.



$0.02,

-- Jared Hall


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread John Hardin

On Mon, 12 Apr 2021, jwmi...@gmail.com wrote:


John Hardin writes:
> From: John Hardin 
> Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
>
> On Sun, 11 Apr 2021, Loren Wilton wrote:
>
> >>  3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
> >> [score: 1.]
> >>  0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
> >> [score: 1.]
> >
> > I have
> > 5.0 BAYES_99   BODY: Bayes spam probability is 99 to 100%
> >   [score: 1.]
> > 0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
> >   [score: 1.]
> >
> > I suggest raising BAYES_99 to at least 5.
>
> It'd be better to instead boost BAYES_999 to Poison Pill status, as the
> confidence is higher.

Increasing the score for BAYES_99 and BAYES_999 is a fine idea as long
as bayes is accurately trained and well maintained with sufficient
email and any mistakes corrected.  People with that sort of trained
bayes tend to know it.  Doing a general suggestion to increase the
BAYES scores seems rather misguided.


I'm suggesting that *only* BAYES_999 should be increased. I agree that you 
should only do so if your Bayes training is reliable (i.e. *not* 
end-user-driven without review).



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  What the hell is an "Aluminum Falcon"??               -- Emperor Palpatine
---
 Tomorrow: Thomas Jefferson's 278th Birthday


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread jwmincy
John Hardin writes:
 > From: John Hardin 
 > Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
 > 
 > On Sun, 11 Apr 2021, Loren Wilton wrote:
 > 
 > >>  3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
 > >> [score: 1.]
 > >>  0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
 > >> [score: 1.]
 > >
 > > I have 
 > > 5.0 BAYES_99   BODY: Bayes spam probability is 99 to 100%
 > >   [score: 1.]
 > > 0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
 > >   [score: 1.]
 > >
 > > I suggest raising BAYES_99 to at least 5.
 > 
 > It'd be better to instead boost BAYES_999 to Poison Pill status, as the 
 > confidence is higher.

Increasing the score for BAYES_99 and BAYES_999 is a fine idea as long
as bayes is accurately trained and well maintained with sufficient
email and any mistakes corrected.  People with that sort of trained
bayes tend to know it.  Doing a general suggestion to increase the
BAYES scores seems rather misguided.

-jeff


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread Benny Pedersen

On 2021-04-12 16:29, John Hardin wrote:

On Sun, 11 Apr 2021, Loren Wilton wrote:

 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 
100%

[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

[score: 1.]


I have 5.0 BAYES_99   BODY: Bayes spam probability is 99 
to 100%

  [score: 1.]
0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

  [score: 1.]

I suggest raising BAYES_99 to at least 5.


It'd be better to instead boost BAYES_999 to Poison Pill status, as
the confidence is higher.


score BAYES_999 10
with BAYES_99 it gives over 12.1, which is the minimum for Bayes learning as 
spam


default rule

no ham has ever hit this


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread John Hardin

On Sun, 11 Apr 2021, Loren Wilton wrote:


 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]


I have 
5.0 BAYES_99   BODY: Bayes spam probability is 99 to 100%

  [score: 1.]
0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
  [score: 1.]

I suggest raising BAYES_99 to at least 5.


It'd be better to instead boost BAYES_999 to Poison Pill status, as the 
confidence is higher.



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 Tomorrow: Thomas Jefferson's 278th Birthday


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread Matus UHLAR - fantomas

However, in 50_scores.cf, this line is commented out:

#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5

Maybe that's the problem?


no, there are other SORBS lists used:

score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
score RCVD_IN_SORBS_WEB  0 1.5 0 1.5
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3


have you set up your own caching, non-forwarding DNS server?


On 12.04.21 09:12, Steve Dondley wrote:

Yes. And my SA scores have improved about 100% since I did this.


great.
Now, do you have razor, pyzor and dcc installed and their equivalent SA modules
enabled?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread Steve Dondley




However, in 50_scores.cf, this line is commented out:

#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5

Maybe that's the problem?


no, there are other SORBS lists used:

score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
score RCVD_IN_SORBS_WEB  0 1.5 0 1.5
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3


have you set up your own caching, non-forwarding DNS server?


Yes. And my SA scores have improved about 100% since I did this.


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread Matus UHLAR - fantomas

sorbs dnsbl missing, have you denied sorbs.net results? or is
spamassassin not testing sorbs.net anymore?


On 11.04.21 18:22, Steve Dondley wrote:
Best I can tell, my SA config should be testing for sorbs. I've got 
this line in /etc/spamassassin/v3220.pre:


loadplugin Mail::SpamAssassin::Plugin::DNSEval

And in /usr/share/spamassassin/20_dnsbl_test.cf, I've got:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

I see a bunch of SORBS rules in there.

However, in 50_scores.cf, this line is commented out:

#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5

Maybe that's the problem?


no, there are other SORBS lists used:

score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
score RCVD_IN_SORBS_WEB  0 1.5 0 1.5
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3


have you set up your own caching, non-forwarding DNS server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Kevin A. McGrail
If you have spamples for sharepoint phishes that evade kam ruleset, shoot
me an email off-list to discuss getting me the spamples.

On Sun, Apr 11, 2021, 16:43 Steve Dondley  wrote:

> On 2021-04-11 04:19 PM, Benny Pedersen wrote:
> > On 2021-04-11 22:09, Steve Dondley wrote:
> >
> >> Content analysis details:   (4.4 points, 5.0 required)
> >>
> >>  pts rule name  description
> >>  --
> >> --
> >>  3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
> >> [score: 1.]
> >>  0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to
> >> 100%
> >> [score: 1.]
> >> -0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
> >> [52.100.189.222 listed in
> >> wl.mailspike.net]
> >> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> >> https://www.dnswl.org/,
> >>  no trust
> >> [52.100.189.222 listed in list.dnswl.org]
> >> -0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
> >> -0.0 SPF_PASS   SPF: sender matches SPF record
> >>  0.5 SUBJ_ALL_CAPS  Subject is all capitals
> >>  0.0 HTML_MESSAGE   BODY: HTML included in message
> >>  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME
> >> parts
> >> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> >> signature
> >>  0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not
> >> necessarily
> >> valid
> >> -0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature
> >> from
> >> author's domain
> >> -0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature
> >> from
> >> envelope-from domain
> >>  0.0 UPPERCASE_50_75message body is 50-75% uppercase
> >
> > I see it as a local problem
> >
> > http://multirbl.valli.org/lookup/52.100.189.222.html
> >
> > do you use the KAM.cf channel?
>
> OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:
>
> Content analysis details:   (5.1 points, 5.0 required)
>
>   pts rule name  description
>  --
> --
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> https://www.dnswl.org/,
>   no trust
>  [52.100.189.222 listed in list.dnswl.org]
>   3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
>  [score: 1.]
>   0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
>  [score: 1.]
> -0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
>  [52.100.189.222 listed in wl.mailspike.net]
> -0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
>   0.5 SUBJ_ALL_CAPS  Subject is all capitals
> -0.0 SPF_PASS   SPF: sender matches SPF record
>   0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>   0.0 HTML_MESSAGE   BODY: HTML included in message
> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> -0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature
> from
>  envelope-from domain
> -0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature
> from
>  author's domain
>   0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not
> necessarily
>  valid
>   0.0 UPPERCASE_50_75message body is 50-75% uppercase
>   0.2 KAM_MANYTO Email has more than one To Header or more
> than 25
>  recipients
>   0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current
> years
>   0.0 KAM_SHORT  Use of a URL Shortener for very short URL
>


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Loren Wilton

 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]


I have 


5.0 BAYES_99   BODY: Bayes spam probability is 99 to 100%
   [score: 1.]
0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
   [score: 1.]

I suggest raising BAYES_99 to at least 5.

   Loren



Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley




sorbs dnsbl missing, have you denied sorbs.net results? or is
spamassassin not testing sorbs.net anymore?


Best I can tell, my SA config should be testing for sorbs. I've got this 
line in /etc/spamassassin/v3220.pre:


loadplugin Mail::SpamAssassin::Plugin::DNSEval

And in /usr/share/spamassassin/20_dnsbl_test.cf, I've got:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

I see a bunch of SORBS rules in there.

However, in 50_scores.cf, this line is commented out:

#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5

Maybe that's the problem?




Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley




Also, I've heard of sorbs over the years but I'm not sure exactly what
it is. Is this the same block list run by Cisco?


OK, I was getting SORBS confused with SenderBase Reputation Score 
(SBRS). That's the one run by Cisco, I believe.


I actually have an account on the SORBS website that I set up long ago.


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley





sorbs dnsbl missing, have you denied sorbs.net results? or is
spamassassin not testing sorbs.net anymore?


How would I check if it's turned on? I tried grepping in 
/etc/spamassassin on "sorb" (case insensitive) and found nothing. So I 
guess it's not in my default config.


I see many mentions of "SORBS" in /usr/share/spamassassin, however. I'm 
guessing I may not have a needed SA plugin enabled. I'll try to figure 
out how to do it.


Also, I've heard of sorbs over the years but I'm not sure exactly what 
it is. Is this the same block list run by Cisco?


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Benny Pedersen

On 2021-04-11 22:43, Steve Dondley wrote:

On 2021-04-11 04:19 PM, Benny Pedersen wrote:

On 2021-04-11 22:09, Steve Dondley wrote:


Content analysis details:   (4.4 points, 5.0 required)

 pts rule name  description
 -- 
--
 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 
100%

[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

[score: 1.]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[52.100.189.222 listed in 
wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
https://www.dnswl.org/,

 no trust
[52.100.189.222 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS  Subject is all capitals
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME 
parts
-0.1 DKIM_VALID Message has at least one valid DKIM or DK 
signature
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not 
necessarily

valid
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature 
from

author's domain
-0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature 
from

envelope-from domain
 0.0 UPPERCASE_50_75message body is 50-75% uppercase


I see it as a local problem

http://multirbl.valli.org/lookup/52.100.189.222.html

do you use the KAM.cf channel?


OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:

Content analysis details:   (5.1 points, 5.0 required)

 pts rule name  description
 -- 
--
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
https://www.dnswl.org/,

 no trust
[52.100.189.222 listed in list.dnswl.org]
 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

[score: 1.]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[52.100.189.222 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
 0.5 SUBJ_ALL_CAPS  Subject is all capitals
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE   BODY: HTML included in message
-0.1 DKIM_VALID Message has at least one valid DKIM or DK 
signature
-0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature 
from

envelope-from domain
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature 
from

author's domain
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not 
necessarily

valid
 0.0 UPPERCASE_50_75message body is 50-75% uppercase
 0.2 KAM_MANYTO Email has more than one To Header or more 
than 25

recipients
 0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current 
years

 0.0 KAM_SHORT  Use of a URL Shortener for very short URL


sorbs dnsbl missing, have you denied sorbs.net results? or is 
spamassassin not testing sorbs.net anymore?


anyway, you can add more scores to the rule names or create local meta 
rules to add more scores on the results


just use BAYES_999 in the meta with && rulenames

or simply add more weight to BAYES_999

let's say it scored 15 on that rule name :)

I can't guarantee that it has no downside on doing it; YMMV
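Added example (not from the thread): the two approaches suggested above in local.cf form, a "poison pill" score on BAYES_999 and local meta rules that pair BAYES_999 with other signals present in the SharePoint sample earlier in the thread. The LOCAL_* names and all score values are illustrative assumptions; the stock rule names referenced (BAYES_999, MIME_HTML_ONLY, SUBJ_ALL_CAPS, UPPERCASE_50_75) are the ones shown in the report above.

```conf
# Option A: let BAYES_999 alone cross the 5.0 threshold.
# One value sets all four score sets. BAYES_99 fires on the same message
# (0.999-1.0 lies inside 0.99-1.0), so the Bayes total becomes 3.5 + 10.
# Only do this when the Bayes database is trained from reviewed mail,
# not from unreviewed end-user submissions.
score BAYES_999 10.0

# Option B: keep the stock Bayes scores and add local meta rules that
# require BAYES_999 together with another indicator. Use one option or
# the other; using both double-counts the Bayes verdict.
meta     LOCAL_BAYES999_HTMLONLY  (BAYES_999 && MIME_HTML_ONLY)
describe LOCAL_BAYES999_HTMLONLY  Bayes 99.9%+ in an HTML-only message
score    LOCAL_BAYES999_HTMLONLY  2.0

meta     LOCAL_BAYES999_SHOUTING  (BAYES_999 && (SUBJ_ALL_CAPS || UPPERCASE_50_75))
describe LOCAL_BAYES999_SHOUTING  Bayes 99.9%+ plus all-caps subject or mostly-uppercase body
score    LOCAL_BAYES999_SHOUTING  1.5
```

Run `spamassassin --lint` after editing; a meta that names a rule not defined in your rule set is reported there rather than silently never firing. Re-test the sample with `spamassassin -t < sample.eml` to confirm the new total.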


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley

On 2021-04-11 04:19 PM, Benny Pedersen wrote:

On 2021-04-11 22:09, Steve Dondley wrote:


Content analysis details:   (4.4 points, 5.0 required)

 pts rule name  description
 -- 
--

 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

[score: 1.]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[52.100.189.222 listed in 
wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
https://www.dnswl.org/,

 no trust
[52.100.189.222 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS  Subject is all capitals
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME 
parts
-0.1 DKIM_VALID Message has at least one valid DKIM or DK 
signature
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not 
necessarily

valid
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature 
from

author's domain
-0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature 
from

envelope-from domain
 0.0 UPPERCASE_50_75message body is 50-75% uppercase


I see it as a local problem

http://multirbl.valli.org/lookup/52.100.189.222.html

do you use the KAM.cf channel?


OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:

Content analysis details:   (5.1 points, 5.0 required)

 pts rule name  description
 -- 
--
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
https://www.dnswl.org/,

 no trust
[52.100.189.222 listed in list.dnswl.org]
 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[52.100.189.222 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
 0.5 SUBJ_ALL_CAPS  Subject is all capitals
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE   BODY: HTML included in message
-0.1 DKIM_VALID Message has at least one valid DKIM or DK 
signature
-0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature 
from

envelope-from domain
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature 
from

author's domain
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not 
necessarily

valid
 0.0 UPPERCASE_50_75message body is 50-75% uppercase
 0.2 KAM_MANYTO Email has more than one To Header or more 
than 25

recipients
 0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current 
years

 0.0 KAM_SHORT  Use of a URL Shortener for very short URL


Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Benny Pedersen

On 2021-04-11 22:09, Steve Dondley wrote:


Content analysis details:   (4.4 points, 5.0 required)

 pts rule name  description
 -- 
--

 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

[score: 1.]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[52.100.189.222 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
https://www.dnswl.org/,

 no trust
[52.100.189.222 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS  Subject is all capitals
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID Message has at least one valid DKIM or DK 
signature
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not 
necessarily

valid
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature 
from

author's domain
-0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature 
from

envelope-from domain
 0.0 UPPERCASE_50_75message body is 50-75% uppercase


I see it as a local problem

http://multirbl.valli.org/lookup/52.100.189.222.html

do you use the KAM.cf channel?


Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley
I've received about a dozen phishing attack emails from Microsoft's 
sharepoint service within the last couple of weeks. Only one of them was 
identified by SA as spam. After running the emails through sa-learn, 
they still only score a 4 to 4.5. But I could see that it would be easy 
for these emails to get classified as false positives and/or false 
negatives.


Has anyone developed a good way to identify these sharepoint phishing 
attacks without any false positives?


I'm leaning towards figuring out how I might inject some kind of 
prominent warning into the message to remind people not to click links 
they don't trust. That's not an ideal solution, but perhaps it is the 
best way to help protect users. I'm interested to hear what other 
options might be available.


Here is how SA scored one of the emails:

4.4/5.0
Spam detection software, running on the system "email.dondley.com",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Doris Feaster shared a file with you STRIP BANG THE 
ONLINE
   REAL & MOST POPULAR 100% TRUSTED NETWORK STRIPBANG GIVING FREE ELITE 
MEMBERSHIP

   AND 5000CR=$750 WINNER 2021 YOUR WINNING CODE - ( STBNG5000CR )

Content analysis details:   (4.4 points, 5.0 required)

 pts rule name  description
 -- 
--

 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 0.5 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]
-0.0 RCVD_IN_MSPIKE_H2  RBL: Average reputation (+2)
[52.100.189.222 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
https://www.dnswl.org/,

 no trust
[52.100.189.222 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS  Subject is all capitals
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID Message has at least one valid DKIM or DK 
signature
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not 
necessarily

valid
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature 
from

author's domain
-0.1 DKIM_VALID_EF  Message has a valid DKIM or DK signature 
from

envelope-from domain
 0.0 UPPERCASE_50_75message body is 50-75% uppercase


Re: Phishing campaign using email address to personalize URL

2021-02-23 Thread John Hardin

On Tue, 23 Feb 2021, Ricky Boone wrote:


Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters.  Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a summary of what I'm finding.

* Victim email address domain without TLD in the From and Subject
headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would
be used)
* Message contains a link with the local-part of the victim's email
address as a subdomain (i.e, if victim's email address was
"jane@widgetltd.com", the attacker host would appear as
"jane.doe.badactordomain.xyz"), as well as the full version of the
victim's email address base64 encoded as a query string value (using
the previous example,
http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
)


That shouldn't be too hard to write rules for. Again, whether or not there 
are any examples in the masscheck corpora control whether or not the rule 
will be scored and published (unless we manually push it).



Potentially interesting, but not necessarily distinctive:

* Examples I'm seeing have nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.


Another spam sign.


* Attacker is leveraging SendGrid


What sender ID? (the numeric and punctuation part of the envelope from 
address)


Are you using the abusive sendgrid user plugin or my download-based rule 
generator?



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim XI: Everything is air-droppable at least once.
---
 269 days since the first private commercial manned orbital mission (SpaceX)


Re: Phishing campaign using email address to personalize URL

2021-02-23 Thread Benny Pedersen

On 2021-02-23 20:51, Ricky Boone wrote:


* Examples I'm seeing have nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.
* Attacker is leveraging SendGrid


i have local clamav signature to catch html attachment

inspiration from foxhole signatures, this is very simple to block


Phishing campaign using email address to personalize URL

2021-02-23 Thread Ricky Boone
Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters.  Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a summary of what I'm finding.

* Victim email address domain without TLD in the From and Subject
headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would
be used)
* Message contains a link with the local-part of the victim's email
address as a subdomain (i.e, if victim's email address was
"jane@widgetltd.com", the attacker host would appear as
"jane.doe.badactordomain.xyz"), as well as the full version of the
victim's email address base64 encoded as a query string value (using
the previous example,
http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
)

Potentially interesting, but not necessarily distinctive:

* Examples I'm seeing have nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.
* Attacker is leveraging SendGrid
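As an added illustration of the personalisation described in this post (example code written for this page, not anything from the poster or from SpamAssassin): the checks below take the envelope recipient and compare it against the From/Subject headers and each URL in the body, looking for the local-part-as-subdomain and base64-of-address tricks. The sample message, the From/Subject values and the badactordomain.xyz host are constructed; the base64 token is the one from the post, which decodes to jane.doe@widgetltd.com.

```python
import base64
import re
from urllib.parse import urlparse, unquote


def b64_forms(address):
    """Standard and URL-safe base64 of the address, with and without '=' padding."""
    raw = address.encode()
    forms = set()
    for enc in (base64.b64encode(raw), base64.urlsafe_b64encode(raw)):
        s = enc.decode()
        forms.update({s, s.rstrip("=")})
    return forms


def personalised_url_hits(url, recipient):
    """Which of the campaign's personalisation tricks does this URL carry for this recipient?"""
    local, _, domain = recipient.lower().rpartition("@")
    p = urlparse(url)
    host = (p.hostname or "").lower()
    own_domain = host == domain or host.endswith("." + domain)
    # The token appeared bare after '?' ("?amFu...==/0"), so inspect the raw query and path
    # rather than parsing key=value pairs.
    haystack = unquote(p.query) + " " + unquote(p.path)
    return {
        "localpart_subdomain": host.startswith(local + ".") and not own_domain,
        "b64_address_in_url": any(form in haystack for form in b64_forms(recipient)),
    }


def header_impersonation(header_value, recipient):
    """True when the recipient's organisation name (domain minus TLD, "Widgetltd" for
    widgetltd.com) is used in a header that does not mention the real domain at all."""
    domain = recipient.lower().rpartition("@")[2]
    org = domain.split(".")[0]
    text = header_value.lower()
    return domain not in text and re.search(rf"\b{re.escape(org)}\b", text) is not None


def score_message(recipient, from_header, subject, urls):
    """Count the personalisation signals so a plugin or milter can add score for them."""
    hits = 0
    hits += header_impersonation(from_header, recipient)
    hits += header_impersonation(subject, recipient)
    for u in urls:
        hits += sum(personalised_url_hits(u, recipient).values())
    return hits


# Constructed sample modelled on the post (not a real message); the base64 token is the
# one quoted in the post.
SAMPLE_RECIPIENT = "jane.doe@widgetltd.com"
SAMPLE_FROM = "Widgetltd Mail Admin <notice@badactordomain.xyz>"
SAMPLE_SUBJECT = "Widgetltd: password expires today"
SAMPLE_URLS = ["http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0"]

if __name__ == "__main__":
    print(score_message(SAMPLE_RECIPIENT, SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_URLS))
```

Because the match depends on who the message is addressed to, this cannot be expressed as a plain SpamAssassin body or uri rule; it belongs in a plugin or milter that sees the envelope recipient, or in per-user configuration.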


Re: Homoglyph spam/phishing targeting popular brands

2021-02-22 Thread Ricky Boone
On Sun, Feb 14, 2021 at 4:45 PM John Hardin  wrote:
>
> I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and
> norton to my sandbox, they are likely going to be fairly common.

Looks like the FUZZY_PAYPAL rule may need word boundaries added to the
regex.  I'm seeing it catch phrases like "pay pai", but with full
context the phrase may be "...back pay paid out in...".

Other than that, the rules are looking good.  I've taken some of the
examples and started new rules for other phishing words/phrases I'm
seeing getting through (obfuscated versions of Validation,
Verification, etc.).  Thank you again for the suggestions, and for
your help with this.


Re: Phishing campaign using nested Google redirect

2021-02-19 Thread John Hardin

On Fri, 19 Feb 2021, Giovanni Bechis wrote:


On 2/19/21 1:09 AM, John Hardin wrote:

On Thu, 18 Feb 2021, Giovanni Bechis wrote:


On 2/18/21 6:37 PM, Ricky Boone wrote:

Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g


I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam 
as well.
If you can send me a spample I could tweak it a bit more.


We may need to coordinate a little here - there's also a google.com/url redir 
rule in my sandbox, and they may be overlapping.


I proposed a shared sandbox for that reason when we developed bitcoin rules 
(and we had similar problems with overlapping rules).


Perhaps it's time we pursued that. :)

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The promise of nuclear power: electricity too cheap to meter
  The reality of nuclear power: FUD too cheap to meter
---
 3 days until George Washington's 289th Birthday


Re: Phishing campaign using nested Google redirect

2021-02-19 Thread RW
On Thu, 18 Feb 2021 16:08:01 -0800 (PST)
John Hardin wrote:

 
> In our case it's best to upload an entire email (all headers intact
> and with as little obfuscation as possible) to something like
> Pastebin, then post the URL to that here so it can be downloaded.
...
> For just URLs, though, examples could just be pasted into the body of
> your post (as you did) or in a .txt attachment.

I'd still suggest uploading them to pastebin. Other spam filters may
already have better handling for those URLs.


Re: Phishing campaign using nested Google redirect

2021-02-19 Thread Giovanni Bechis
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
> 
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this 
>> spam as well.
>> If you can send me a spample I could tweak it a bit more.
> 
> We may need to coordinate a little here - there's also a google.com/url redir 
> rule in my sandbox, and they may be overlapping.
> 
I proposed a shared sandbox for that reason when we developed bitcoin rules 
(and we had similar problems with overlapping rules).

 Giovanni


Re: Phishing campaign using nested Google redirect

2021-02-18 Thread Ricky Boone
On Thu, Feb 18, 2021 at 7:08 PM John Hardin  wrote:
>
> In our case it's best to upload an entire email (all headers intact and
> with as little obfuscation as possible) to something like Pastebin, then
> post the URL to that here so it can be downloaded. This keeps the spample
> from being modified during transit in ways that could impede analysis and
> rule development and testing.
>
> For just URLs, though, examples could just be pasted into the body of your
> post (as you did) or in a .txt attachment.

Gotcha, thanks. Hopefully the copies I put up on GitLab are still
useful for testing any rules; I didn't see any issues when I ran SA
against the redacted copies. Since they included real addresses,
names, etc., I have to redact certain elements due to my company's
policies.


Re: Phishing campaign using nested Google redirect

2021-02-18 Thread John Hardin

On Thu, 18 Feb 2021, Giovanni Bechis wrote:


On 2/18/21 6:37 PM, Ricky Boone wrote:

Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g


I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam 
as well.
If you can send me a spample I could tweak it a bit more.


We may need to coordinate a little here - there's also a google.com/url 
redir rule in my sandbox, and they may be overlapping.



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 Today: Perseverance lands on Mars


Re: Phishing campaign using nested Google redirect

2021-02-18 Thread John Hardin

On Thu, 18 Feb 2021, Ricky Boone wrote:


Nice.  I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).


In our case it's best to upload an entire email (all headers intact and 
with as little obfuscation as possible) to something like Pastebin, then 
post the URL to that here so it can be downloaded. This keeps the spample 
from being modified during transit in ways that could impede analysis and 
rule development and testing.


For just URLs, though, examples could just be pasted into the body of your 
post (as you did) or in a .txt attachment.




--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 Today: Perseverance lands on Mars


Re: Phishing campaign using nested Google redirect

2021-02-18 Thread Ricky Boone
Nice.  I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).

On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis  wrote:
>
> On 2/18/21 6:37 PM, Ricky Boone wrote:
> > Just wanted to forward an example of an interesting URL obfuscation
> > tactic observed yesterday.
> >
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Google then spits back a response with the redirect target in both
> > JavaScript and non-JavaScript forms (meta refresh tag):
> >
> > https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Slightly different response behavior this time, but ultimately
> > redirects the victim to the malicious destination.  The effective
> > destination in this case has been taken down, but I'll avoid putting
> > the full link.
> >
> > Unfortunately, there didn't seem to be any rules that would help catch
> > this.  I have a couple thoughts on some that I would need to test, but
> > wanted to share to the community.
> >
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this 
> spam as well.
> If you can send me a spample I could tweak it a bit more.
>
>  Giovanni
>


Re: Phishing campaign using nested Google redirect

2021-02-18 Thread Giovanni Bechis
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
> 
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> 
> Google then spits back a response with the redirect target in both
> JavaScript and non-JavaScript forms (meta refresh tag):
> 
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> 
> Slightly different response behavior this time, but ultimately
> redirects the victim to the malicious destination.  The effective
> destination in this case has been taken down, but I'll avoid putting
> the full link.
> 
> Unfortunately, there didn't seem to be any rules that would help catch
> this.  I have a couple thoughts on some that I would need to test, but
> wanted to share to the community.
> 
I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam 
as well.
If you can send me a spample I could tweak it a bit more.

 Giovanni


Phishing campaign using nested Google redirect

2021-02-18 Thread Ricky Boone
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g

Google then spits back a response with the redirect target in both
JavaScript and non-JavaScript forms (meta refresh tag):

https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g

Slightly different response behavior this time, but ultimately
redirects the victim to the malicious destination.  The effective
destination in this case has been taken down, but I'll avoid putting
the full link.

Unfortunately, there didn't seem to be any rules that would help catch
this.  I have a couple thoughts on some that I would need to test, but
wanted to share to the community.
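The unwrapping the browser performs on this link, as an added example written for this page (it is not the GB_GOOGLE_OBFUR rule or any SpamAssassin code): it peels google.com/url layers by reading the url= or q= parameter, undoing one round of percent-encoding per layer, until the host is no longer google.com. The sample input is the outer link from the post; the depth the helper reports is what a rule against nested redirects would key on.

```python
from urllib.parse import urlparse, parse_qs

# The outer link quoted in the post; each nesting level adds one round of percent-encoding.
SAMPLE = ("https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url="
          "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org"
          "%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g")

REDIRECT_HOSTS = {"www.google.com", "google.com"}
# The search-result form carries the target in url=, the Sites/Docs form in q=.
TARGET_PARAMS = ("url", "q")


def is_google_redirect(url):
    p = urlparse(url)
    return (p.hostname or "").lower() in REDIRECT_HOSTS and p.path == "/url"


def unwrap_google_redirect(url, max_depth=10):
    """Return [outer, inner, ..., final target].

    parse_qs decodes exactly one level of percent-encoding per layer, which is what the
    browser does when it follows each redirect. Stops on a non-Google URL, a missing
    target parameter, a loop, or max_depth layers."""
    chain = [url]
    while len(chain) <= max_depth and is_google_redirect(chain[-1]):
        params = parse_qs(urlparse(chain[-1]).query)  # blank q= is dropped here
        target = next((params[k][0] for k in TARGET_PARAMS if params.get(k)), None)
        if target is None or target in chain:
            break
        chain.append(target)
    return chain


def redirect_depth(url):
    """Number of google.com/url layers wrapped around the real destination."""
    return len(unwrap_google_redirect(url)) - 1


def final_target_host(url):
    return (urlparse(unwrap_google_redirect(url)[-1]).hostname or "").lower()


if __name__ == "__main__":
    for i, link in enumerate(unwrap_google_redirect(SAMPLE)):
        print(i, link)
    print("depth:", redirect_depth(SAMPLE), "host:", final_target_host(SAMPLE))
```

A regex-based uri rule only sees the encoded outer form; a helper like this is what a plugin or a corpus-triage script would use to decide how deep the nesting is and which host actually receives the victim.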


Re: Homoglyph spam/phishing targeting popular brands

2021-02-17 Thread RW
On Wed, 17 Feb 2021 10:23:13 -0500
Jared Hall wrote:

> On 2/16/2021 2:06 PM, RW wrote:

> > I don't think there's much, if anything, in that module that
> > benefits from being in perl.  
> Counts and amounts; even variable arithmetic amounts based on counts.
> Everything else is just a regex.


You can do that with meta rules, which support arithmetic and comparison
operators.  You can count regex hits with the  "multiple" flag and an
optional "maxhits=...".


> > Also the "adaptive scoring" seems like a bad idea to me. The scores
> > are hard-coded fractions of one of the three thresholds. The choice
> > of which threshold is used is also hard-coded per rule. The only
> > sense in which it's adaptive is that it opposes an admin adjusting
> > how aggressive the filtering should be.  
> Yes, perhaps.  But armed with a rule, a score, and a baseline
> reference like  {chaos_tag},  


I'm not sure what you mean by "armed with...a score", most of the rules
are scored like this:

  $score = 0.33 * $pms->{conf}->{chaos_tag};

governed by a single global tunable and various hard-coded multipliers.


> Downloading ANYBODY's rules is a risk, since one
> does not know the context in which the rules were developed.  


Which is why the scores need to be overridden on a per rule basis. Some
rules translate to another system much better than others. For example
rules about emojis developed in a corporate environment may not work as
well on student mail. 

The chief problem with your scoring is that it overrides scores in
the local configuration where score overrides would normally go.






Re: Homoglyph spam/phishing targeting popular brands

2021-02-17 Thread Jared Hall

On 2/16/2021 2:06 PM, RW wrote:

That's not a bad idea, but if anyone is interested I'd suggest copying
the character matching regexes into ordinary rules. Or better still into
template tags, so that they can be reused in multiple rules.

Agreed, RW.  Most of the stuff in there originated from rules to start with.
I do discuss it in the project's Wiki.  If one person's "cruft" is someone else's
gain, that's fine with me.

It was the intent of this module to be useful enough for the Noob, yet
interesting enough for the Pros.  In your case, the latter.

I don't think there's much, if anything, in that module that benefits
from being in perl.

Counts and amounts; even variable arithmetic amounts based on counts.
Everything else is just a regex.


Also the "adaptive scoring" seems like a bad idea to me. The scores are
hard-coded fractions of one of the three thresholds. The choice of
which threshold is used is also hard-coded per rule. The only sense in
which it's adaptive is that it opposes an admin adjusting how
aggressive the filtering should be.
Yes, perhaps.  But armed with a rule, a score, and a baseline reference like
{chaos_tag}, I can deliver scoring with the EXACT weighting that the author
intended.  Downloading ANYBODY's rules is a risk, since one does not
know the context in which the rules were developed.  That's a Day 1 bitch
of mine to the SA Adminisphere.  'nuff said.

Also of interest to me is Time-Of-Day/Day-Of-Week scoring.
They only come out at night.

This is an ACTIVE project.  In the project's Discussion forums, I do outline
a development roadmap (To Do) and also a peek at what's coming up.

This includes incorporating TAG-ONLY modes.


Re: Homoglyph spam/phishing targeting popular brands

2021-02-17 Thread Ricky Boone
Yep, so far so good.  Thank you again for the pointers and creating
the rules so quickly.

On Tue, Feb 16, 2021 at 9:06 PM John Hardin  wrote:
>
> On Tue, 16 Feb 2021, Ricky Boone wrote:
>
> > On Mon, Feb 15, 2021 at 12:16 AM John Hardin  wrote:
> >>
> >> OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
> >>
> >> If they don't perform well in masscheck you can always grab them out of my
> >> sandbox for your local rules.
> >>
> >> Masscheck results:
> >>
> >>https://ruleqa.spamassassin.org/?rule=%2FFUZZY_
> >
> > Nice, thanks!
> >
> > I see the test rules got picked up with sa-update, and they all work
> > against the samples I have.  It does appear that T_FUZZY_APPLE is
> > catching some FP's.  Word boundaries might need to be added, as words
> > like "happiest" get caught by it.
>
> Yep, I've addressed that, take a look at the latest masscheck results.
>
>
> --
>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>Are you a mildly tech-literate politico horrified by the level of
>ignorance demonstrated by lawmakers gearing up to regulate online
>technology they don't even begin to grasp? Cool. Now you have a
>tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
> ---
>   6 days until George Washington's 289th Birthday


Re: Homoglyph spam/phishing targeting popular brands

2021-02-16 Thread John Hardin

On Tue, 16 Feb 2021, Ricky Boone wrote:


On Mon, Feb 15, 2021 at 12:16 AM John Hardin  wrote:


OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.

If they don't perform well in masscheck you can always grab them out of my
sandbox for your local rules.

Masscheck results:

   https://ruleqa.spamassassin.org/?rule=%2FFUZZY_


Nice, thanks!

I see the test rules got picked up with sa-update, and they all work
against the samples I have.  It does appear that T_FUZZY_APPLE is
catching some FP's.  Word boundaries might need to be added, as words
like "happiest" get caught by it.


Yep, I've addressed that, take a look at the latest masscheck results.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 6 days until George Washington's 289th Birthday


Re: Homoglyph spam/phishing targeting popular brands

2021-02-16 Thread Ricky Boone
On Mon, Feb 15, 2021 at 12:16 AM John Hardin  wrote:
>
> OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
>
> If they don't perform well in masscheck you can always grab them out of my
> sandbox for your local rules.
>
> Masscheck results:
>
>https://ruleqa.spamassassin.org/?rule=%2FFUZZY_

Nice, thanks!

I see the test rules got picked up with sa-update, and they all work
against the samples I have.  It does appear that T_FUZZY_APPLE is
catching some FP's.  Word boundaries might need to be added, as words
like "happiest" get caught by it.


Re: Homoglyph spam/phishing targeting popular brands

2021-02-16 Thread RW
On Mon, 15 Feb 2021 23:58:17 -0500
Jared Hall wrote:


> 
> The CHAOS module *may* do what you want.  ...  It also has 
> detection for multiple Unicode Character Sets.

That's not a bad idea, but if anyone is interested I'd suggest copying
the character matching regexes into ordinary rules. Or better still into
template tags, so that they can be reused in multiple rules.

I don't think there's much, if anything, in that module that benefits
from being in perl. 

Also the "adaptive scoring" seems like a bad idea to me. The scores are
hard-coded fractions of one of the three thresholds. The choice of
which threshold is used is also hard-coded per rule. The only sense in
which it's adaptive is that it opposes an admin adjusting how
aggressive the filtering should be. 



Re: Homoglyph spam/phishing targeting popular brands

2021-02-15 Thread Jared Hall

On 2/14/2021 9:58 PM, Ricky Boone wrote:

On Sun, Feb 14, 2021 at 4:45 PM John Hardin  wrote:

On Sun, 14 Feb 2021, Ricky Boone wrote:


What are the community's thoughts on handling spam/phishing that utilize
homoglyphs to obfuscate the brands they're targeting?  Are there any
plugins that are in development that might assist with catching these?

Take a look at the definition of the FUZZY rules.

There's no general plugin for this currently. That would be a bit
difficult to do on-the-fly without getting (potentially lots of) FPs on
non-English words.

At the moment it's:

1) notice that some word is being obfuscated
2) add a FUZZY rule for that word
3) tune it for FPs (may hit legitimate words in non-English, exclude them)

Good to know.  I'll check out the FUZZY rules for possible rules in the future.


The problem is such obfuscations may not be common enough in the masscheck
corpora for the rules to be promoted, scored and published.

Understood.  There may be better rules that could be built with
additional context other than just the individual words/phrases.  If
there is interest in the original messages, I can make sanitized
versions available.


For example, here are some phrases that I've been monitoring from reported
messages:

* that Âmåzon has received
* Äpple Watch
* Ãρρle iPad
* Aρρle iPad
* PäyPäl Credit
* PαyPαl Credit
* Spãce Gray
* to Over Støck Inc on
* subscribed for Nõrtõn Yearly
* subscribed for Nõrtøn Yearly
* the Nõrtõn Freedom Protection

Existing rules (mainline SpamAssassin channel, KAM, etc.) don't seem to
flag much, if anything substantial, on the messages I've seen with this
behavior.  I've trained bayes on each, and created a custom set of rules to
try to catch various patterns used in the messages.

I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and
norton to my sandbox, they are likely going to be fairly common.

How often do you see (over)stock and space obfuscated?

So far, 4 times and once, respectively; the latter in context was
describing a version of an Apple iPad, so full product names must have
been used as the input to whatever homoglyph-generating process the
spammers were using.


Ricky,

The CHAOS module *may* do what you want.  It has a lot of Unicode 
support, especially for Unicode "Look alike" characters.  It also has 
detection for multiple Unicode Character Sets.


Frankly, in my experience, legitimate Email Subject and From names stay 
within their character sets.  Chinese use Chinese characters; Greeks, 
Greek; Arabs, Arabic, and so on.  As for body rules, that's a little 
more complex; a lot of moving parts there, from the SA and PERL versions 
to the RE2C compiler.   On occasion even I have to crank out a 
mathematical symbol or two or plunk in an emoji.


telecom2k3/CHAOS: PERL plugin module for SpamAssassin (github.com)
<https://github.com/telecom2k3/CHAOS>

-- Jared


Re: Homoglyph spam/phishing targeting popular brands

2021-02-14 Thread John Hardin

On Sun, 14 Feb 2021, Ricky Boone wrote:


On Sun, Feb 14, 2021 at 4:45 PM John Hardin  wrote:


How often do you see (over)stock and space obfuscated?


So far, 4 times and once, respectively


OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.

If they don't perform well in masscheck you can always grab them out of my 
sandbox for your local rules.


Masscheck results:

  https://ruleqa.spamassassin.org/?rule=%2FFUZZY_



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Precision mis-clicks since 1994!
---
 8 days until George Washington's 289th Birthday


Re: Homoglyph spam/phishing targeting popular brands

2021-02-14 Thread Ricky Boone
On Sun, Feb 14, 2021 at 4:45 PM John Hardin  wrote:
>
> On Sun, 14 Feb 2021, Ricky Boone wrote:
>
> > What are the community's thoughts on handling spam/phishing that utilize
> > homoglyphs to obfuscate the brands they're targeting?  Are there any
> > plugins that are in development that might assist with catching these?
>
> Take a look at the definition of the FUZZY rules.
>
> There's no general plugin for this currently. That would be a bit
> difficult to do on-the-fly without getting (potentially lots of) FPs on
> non-English words.
>
> At the moment it's:
>
> 1) notice that some word is being obfuscated
> 2) add a FUZZY rule for that word
> 3) tune it for FPs (may hit legitimate words in non-English, exclude them)

Good to know.  I'll check out the FUZZY rules for possible rules in the future.

> The problem is such obfuscations may not be common enough in the masscheck
> corpora for the rules to be promoted, scored and published.

Understood.  There may be better rules that could be built with
additional context other than just the individual words/phrases.  If
there is interest in the original messages, I can make sanitized
versions available.

> > For example, here are some phrases that I've been monitoring from reported
> > messages:
> >
> > * that Âmåzon has received
> > * Äpple Watch
> > * Ãρρle iPad
> > * Aρρle iPad
> > * PäyPäl Credit
> > * PαyPαl Credit
> > * Spãce Gray
> > * to Over Støck Inc on
> > * subscribed for Nõrtõn Yearly
> > * subscribed for Nõrtøn Yearly
> > * the Nõrtõn Freedom Protection
> >
> > Existing rules (mainline SpamAssassin channel, KAM, etc.) don't seem to
> > flag much, if anything substantial, on the messages I've seen with this
> > behavior.  I've trained bayes on each, and created a custom set of rules to
> > try to catch various patterns used in the messages.
>
> I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and
> norton to my sandbox, they are likely going to be fairly common.
>
> How often do you see (over)stock and space obfuscated?

So far, 4 times and once, respectively; the latter in context was
describing a version of an Apple iPad, so full product names must have
been used as the input to whatever homoglyph-generating process the
spammers were using.


Re: Homoglyph spam/phishing targeting popular brands

2021-02-14 Thread John Hardin

On Sun, 14 Feb 2021, Ricky Boone wrote:


What are the community's thoughts on handling spam/phishing that utilize
homoglyphs to obfuscate the brands they're targeting?  Are there any
plugins that are in development that might assist with catching these?


Take a look at the definition of the FUZZY rules.

There's no general plugin for this currently. That would be a bit 
difficult to do on-the-fly without getting (potentially lots of) FPs on 
non-English words.


At the moment it's:

1) notice that some word is being obfuscated
2) add a FUZZY rule for that word
3) tune it for FPs (may hit legitimate words in non-English, exclude them)

The problem is such obfuscations may not be common enough in the masscheck 
corpora for the rules to be promoted, scored and published.




For example, here are some phrases that I've been monitoring from reported
messages:

* that Âmåzon has received
* Äpple Watch
* Ãρρle iPad
* Aρρle iPad
* PäyPäl Credit
* PαyPαl Credit
* Spãce Gray
* to Over Støck Inc on
* subscribed for Nõrtõn Yearly
* subscribed for Nõrtøn Yearly
* the Nõrtõn Freedom Protection

Existing rules (mainline SpamAssassin channel, KAM, etc.) don't seem to
flag much, if anything substantial, on the messages I've seen with this
behavior.  I've trained bayes on each, and created a custom set of rules to
try to catch various patterns used in the messages.


I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and 
norton to my sandbox, they are likely going to be fairly common.


How often do you see (over)stock and space obfuscated?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  At $8 billion per year, the TSA is the most expensive
  theatrical production in history.  -- David Burge @iowahawkblog
---
 8 days until George Washington's 289th Birthday

Homoglyph spam/phishing targeting popular brands

2021-02-14 Thread Ricky Boone
What are the community's thoughts on handling spam/phishing that utilize
homoglyphs to obfuscate the brands they're targeting?  Are there any
plugins that are in development that might assist with catching these?

For example, here are some phrases that I've been monitoring from reported
messages:

* that Âmåzon has received
* Äpple Watch
* Ãρρle iPad
* Aρρle iPad
* PäyPäl Credit
* PαyPαl Credit
* Spãce Gray
* to Over Støck Inc on
* subscribed for Nõrtõn Yearly
* subscribed for Nõrtøn Yearly
* the Nõrtõn Freedom Protection

Existing rules (mainline SpamAssassin channel, KAM, etc.) don't seem to
flag much, if anything substantial, on the messages I've seen with this
behavior.  I've trained bayes on each, and created a custom set of rules to
try to catch various patterns used in the messages.
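To make the FUZZY approach discussed in this thread concrete, here is an added example written for this page; it is not John Hardin's sandbox rule nor the project's FUZZY_* rules. A small look-alike table, constructed only from the substitutions visible in the phrases above, is expanded into a regex that requires at least one substituted letter (so a correctly spelled brand name never hits) and that is anchored at word edges, which is the fix applied later in the thread after FUZZY_APPLE matched "happiest" and FUZZY_PAYPAL matched "pay paid". The rule names, the maxhits value and the score in the emitted SpamAssassin text are illustrative.

```python
import re

# Constructed look-alike table covering the substitutions seen in this thread's samples
# (Latin-1 accented vowels, Greek alpha/rho/omicron, slashed o, and i/1/| for l). It is
# not the Unicode confusables list; extend it from that list before relying on it.
CONFUSABLES = {
    "a": "aàáâãäåαά",
    "e": "eèéêë",
    "i": "iìíîïι",
    "l": "li1|ӏ",   # "i" as a look-alike for "l" is what made "happiest" and "pay paid" hit
    "n": "nñ",
    "o": "oòóôõöøο",
    "p": "pρр",     # Greek rho, Cyrillic er
    "s": "sš",
    "t": "tт",
    "y": "yýÿу",
}
SEP = r"[\s._-]?"   # spammers also split words with a space, dot or dash between letters


def char_class(ch):
    """Class matching ch itself or any of its look-alikes."""
    return "[" + "".join(re.escape(c) for c in CONFUSABLES.get(ch, ch)) + "]"


def lookalike_class(ch):
    """Class matching only the look-alikes of ch, or None if it has none."""
    alts = [c for c in CONFUSABLES.get(ch, "") if c != ch]
    return "[" + "".join(re.escape(c) for c in alts) + "]" if alts else None


def fuzzy_pattern(word, boundaries=True):
    """Regex for word with at least one letter swapped for a look-alike and optional
    separators between letters. With boundaries=True the match must start and end at a
    word edge, which stops 'happiest' matching apple and 'pay paid' matching paypal."""
    letters = word.lower()
    full = [char_class(c) for c in letters]
    alternatives = []
    for i, c in enumerate(letters):
        swapped = lookalike_class(c)
        if swapped is None:
            continue  # this letter cannot be the obfuscated one
        alternatives.append(SEP.join(full[:i] + [swapped] + full[i + 1:]))
    if not alternatives:
        raise ValueError(f"no look-alikes known for any letter of {word!r}")
    core = "(?:" + "|".join(alternatives) + ")"
    return rf"(?<!\w){core}(?!\w)" if boundaries else core


def matches_brand(word, text, boundaries=True):
    """True if text contains an obfuscated spelling of word."""
    return re.search(fuzzy_pattern(word, boundaries), text.lower()) is not None


def sa_rules(brands, score=2.0):
    """Emit SpamAssassin rule text: one counting subrule per brand (tflags multiple, as
    RW describes later in the thread) and meta rules over the summed hit counts.
    Names, maxhits and score are illustrative."""
    lines, names = [], []
    for b in brands:
        name = f"__LOCAL_FUZZY_{b.upper()}"
        names.append(name)
        lines.append(f"body   {name}  /{fuzzy_pattern(b)}/i")
        lines.append(f"tflags {name}  multiple maxhits=5")
    total = " + ".join(names)
    lines += [
        f"meta     LOCAL_FUZZY_BRAND  ({total}) > 0",
        f"meta     LOCAL_FUZZY_BRAND_MANY  ({total}) > 2",
        "describe LOCAL_FUZZY_BRAND  Brand name spelled with look-alike characters",
        "describe LOCAL_FUZZY_BRAND_MANY  Three or more look-alike brand mentions",
        f"score    LOCAL_FUZZY_BRAND  {score:.1f}",
        f"score    LOCAL_FUZZY_BRAND_MANY  {score:.1f}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(sa_rules(["amazon", "apple", "paypal", "norton"]))
```

Body rules that contain non-ASCII characters need `normalize_charset 1` in the SpamAssassin configuration so message bodies are recoded to UTF-8 before matching; run the emitted file through `spamassassin --lint` and a corpus check before giving it a score.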


Re: netflix phishing emails forwarded via sendgrid

2021-02-11 Thread Benny Pedersen

On 2021-02-11 14:56, John Hardin wrote:

On Thu, 11 Feb 2021, Benny Pedersen wrote:


On 2021-02-11 12:46, Giovanni Bechis wrote:


With the updated Esp plugin[¹] just committed to trunk you could use
Sendgrid files downloaded from Invaluement as well as local generated
files.


these files would work if SendGrid did not allow non-sendgrid.net envelope 
senders :(


Try the script generator I posted, it isn't domain-specific.


Good, and tested now: it works.

If Invaluement wants data to add, I would like to share my local id file 
now.


Re: netflix phishing emails forwarded via sendgrid

2021-02-11 Thread John Hardin

On Thu, 11 Feb 2021, Benny Pedersen wrote:


On 2021-02-11 12:46, Giovanni Bechis wrote:


With the updated Esp plugin[¹] just committed to trunk you could use
Sendgrid files downloaded from Invaluement as well as local generated
files.


these files would work if SendGrid did not allow non-sendgrid.net envelope 
senders :(


Try the script generator I posted, it isn't domain-specific.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 Tomorrow: Abraham Lincoln's and Charles Darwin's 212th Birthdays

Re: netflix phishing emails forwarded via sendgrid

2021-02-11 Thread John Hardin

On Thu, 11 Feb 2021, Giovanni Bechis wrote:


On 2/9/21 10:03 PM, Benny Pedersen wrote:

On 2021-02-02 03:25, Kevin A. McGrail wrote:

Since it's already hitting 8.9, why do more?


got one more today

http://multirbl.valli.org/lookup/167.89.112.86.html

envelope sender is not sendgrid.net

Spam URLs to the phishing are SendGrid redirects to hide all details of the spam domain.

Why are so many URIBLs not blocking phish attempts better?


With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid 
files downloaded from Invaluement as well as local generated files.
Local files can be generated by looking at the Return-path of the offending 
email.
Return-Path: 
In this case "1234" is the id you are interested in.


I have a script that generates a static rule based on sendgrid sender ids 
in local corpora + the invaluement download if (for some reason) you don't 
want to / can't use the plugin.


  https://www.impsec.org/~jhardin/antispam/make_sendgrid_rule.sh


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 Tomorrow: Abraham Lincoln's and Charles Darwin's 212th Birthdays

Re: netflix phishing emails forwarded via sendgrid

2021-02-11 Thread Benny Pedersen

On 2021-02-11 12:46, Giovanni Bechis wrote:


With the updated Esp plugin[¹] just committed to trunk you could use
Sendgrid files downloaded from Invaluement as well as local generated
files.


these files would work if SendGrid did not allow non-sendgrid.net envelope 
senders :(


KAM_SENDGRID_REDIR is best defence now, local scored at 10 here

fun can continue as long sendgrid is major whitelisted :(


Local files can be generated by looking at the Return-path of the
offending email.



Return-Path: 
In this case "1234" is the id you are interested in.


good to know if building local blacklists


[¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2


there is a lint error in line 249


Re: netflix phishing emails forwarded via sendgrid

2021-02-11 Thread Giovanni Bechis
On 2/9/21 10:03 PM, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
> 
> got one more today
> 
> http://multirbl.valli.org/lookup/167.89.112.86.html
> 
> envelope sender is not sendgrid.net
> 
> spamurls to the phishing is sendgrid redir to hide all details of spam domain
> 
> why are so many uribl not blocking phish attempts better ?
> 
With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid 
files downloaded from Invaluement as well as local generated files.
Local files can be generated by looking at the Return-path of the offending 
email.
Return-Path: 
In this case "1234" is the id you are interested in.

  Giovanni

[¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2
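A worked version of the procedure above (pull the SendGrid sender id out of Return-Path, keep a local id list, and turn it into a static rule the way John Hardin's script does), added here as an example and not code from the Esp plugin or from any poster. The bounce-address shape `bounces+<id>-...@...sendgrid.net`, the rule name and the score are assumptions, since the original Return-Path line is not quoted on the list; the sample messages are constructed.

```python
import re
from email import message_from_string

# Assumed SendGrid bounce-address shape (not quoted on the list):
#   bounces+<sender id>-<hash>=<recipient domain>@<host>.sendgrid.net
SENDGRID_ID_RE = re.compile(
    r"^bounces\+(\d+)-[^@]*@(?:[a-z0-9-]+\.)*sendgrid\.net$", re.I)

# Constructed sample messages: two SendGrid ids (one seen twice) and one
# mail whose envelope sender is not sendgrid.net, the case Benny describes.
SAMPLES = [
    "Return-Path: <bounces+1234-abcd=victim.example@em123.sendgrid.net>\n"
    "Subject: Your Netflix account\n\nconstructed body\n",
    "Return-Path: <bounces+1234-ef01=victim.example@em123.sendgrid.net>\n"
    "Subject: Update payment\n\nconstructed body\n",
    "Return-Path: <bounces+98765-9a8b=other.example@sendgrid.net>\n"
    "Subject: Verify now\n\nconstructed body\n",
    "Return-Path: <bounces+555-ab=victim.example@phisher.invalid>\n"
    "Subject: Relayed via sendgrid, foreign envelope sender\n\nconstructed body\n",
]

def sendgrid_id(return_path):
    """Numeric SendGrid sender id from a Return-Path value, or None."""
    addr = return_path.strip().strip("<>")
    m = SENDGRID_ID_RE.match(addr)
    return m.group(1) if m else None

def collect_ids(raw_messages):
    """Distinct ids from a local corpus; non-SendGrid envelope senders yield none."""
    ids = set()
    for raw in raw_messages:
        rp = message_from_string(raw).get("Return-Path")
        sid = sendgrid_id(rp) if rp else None
        if sid:
            ids.add(sid)
    return sorted(ids, key=int)

def make_rule(ids, name="LOCAL_SENDGRID_BAD_ID", score=5.0):
    """Static SpamAssassin header rule matching any listed id (name and score assumed)."""
    if not ids:
        return ""
    alternation = "|".join(ids)
    return (f"header   {name} Return-Path =~ /^\\s*<?bounces\\+(?:{alternation})-/i\n"
            f"describe {name} SendGrid sender id seen in local phishing corpus\n"
            f"score    {name} {score:.1f}\n")

if __name__ == "__main__":
    print(make_rule(collect_ids(SAMPLES)), end="")
```

The fourth sample shows the limit Benny raises: a message relayed by SendGrid but carrying a foreign envelope sender contributes no id, so it has to be caught by other rules.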



Re: netflix phishing emails forwarded via sendgrid

2021-02-09 Thread Giovanni Bechis
On Tue, Feb 09, 2021 at 10:03:57PM +0100, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
> > Since it's already hitting 8.9, why do more?
> 
> got one more today
> 
> http://multirbl.valli.org/lookup/167.89.112.86.html
> 
> envelope sender is not sendgrid.net
> 
> spamurls to the phishing is sendgrid redir to hide all details of spam 
> domain
> 
> why are so many uribl not blocking phish attempts better ?
> 
> i can send sample on request to pmc members
Please send me spamples, I will take a look at them.

 Giovanni




Re: netflix phishing emails forwarded via sendgrid

2021-02-09 Thread Benny Pedersen

On 2021-02-02 03:25, Kevin A. McGrail wrote:

Since it's already hitting 8.9, why do more?


got one more today

http://multirbl.valli.org/lookup/167.89.112.86.html

envelope sender is not sendgrid.net

spamurls to the phishing is sendgrid redir to hide all details of spam 
domain


why are so many uribl not blocking phish attempts better ?

i can send sample on request to pmc members


Re: netflix phishing emails forwarded via sendgrid

2021-02-02 Thread Anne P. Mitchell, Esq.
Does anyone have a copy of the netflix phishing that they could forward to me 
at amitch...@isipp.com, including the body of it?

TIA!

Anne

> On Feb 2, 2021, at 1:04 AM, Benny Pedersen  wrote:
> 
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
> 
> too much phishing in winter half year to my taste
> 
> i just google report urls now, and still add to phishtank, hopefully phishers 
> get a real life
> 
> you can safely add 1.5 more to KAM_SENDGRID, if it continues i do it locally
> 
> no need to argue http://multirbl.valli.org/lookup/149.72.91.245.html :-)
> 
>> On 1/19/2021 9:07 PM, Benny Pedersen wrote:
>>> i have added urls to phishtank
>>> if rules could be added to spamassassin to detect it better i can send 
>>> sample to sa pmc members
>>> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no 
>>> autolearn_force=no,
>>> LastExt=149.72.91.245
>>> X-Spam-Rules_score: 
>>> DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
>>> DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
>>> HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
>>> KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
>>> SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>>> mx relay is sendgrid, but envelope sender is not sendgrid
>>> https://phishtank.com/phish_detail.php?phish_id=6927641
>>> https://phishtank.com/phish_detail.php?phish_id=6927893



Re: netflix phishing emails forwarded via sendgrid

2021-02-02 Thread Benny Pedersen

On 2021-02-02 03:25, Kevin A. McGrail wrote:

Since it's already hitting 8.9, why do more?


too much phishing in winter half year to my taste

i just google report urls now, and still add to phishtank, hopefully 
phishers get a real life


you can safely add 1.5 more to KAM_SENDGRID, if it continues i do it 
locally


no need to argue http://multirbl.valli.org/lookup/149.72.91.245.html :-)



On 1/19/2021 9:07 PM, Benny Pedersen wrote:

i have added urls to phishtank

if rules could be added to spamassassin to detect it better i can 
send sample to sa pmc members


X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no 
autolearn_force=no,

LastExt=149.72.91.245
X-Spam-Rules_score: 
DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,

DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001

mx relay is sendgrid, but envelope sender is not sendgrid

https://phishtank.com/phish_detail.php?phish_id=6927641
https://phishtank.com/phish_detail.php?phish_id=6927893


Re: netflix phishing emails forwarded via sendgrid

2021-02-01 Thread Kevin A. McGrail

Since it's already hitting 8.9, why do more?

On 1/19/2021 9:07 PM, Benny Pedersen wrote:

i have added urls to phishtank

if rules could be added to spamassassin to detect it better i can 
send sample to sa pmc members


X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no 
autolearn_force=no,

LastExt=149.72.91.245
X-Spam-Rules_score: 
DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,

DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001

mx relay is sendgrid, but envelope sender is not sendgrid

https://phishtank.com/phish_detail.php?phish_id=6927641
https://phishtank.com/phish_detail.php?phish_id=6927893


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



netflix phishing emails forwarded via sendgrid

2021-01-19 Thread Benny Pedersen

i have added urls to phishtank

if rules could be added to spamassassin to detect it better i can 
send sample to sa pmc members


X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no 
autolearn_force=no,

LastExt=149.72.91.245
X-Spam-Rules_score: 
DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,

DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001

mx relay is sendgrid, but envelope sender is not sendgrid

https://phishtank.com/phish_detail.php?phish_id=6927641
https://phishtank.com/phish_detail.php?phish_id=6927893


phishing mails undetected

2020-11-28 Thread Benny Pedersen

https://phishtank.com/phish_detail.php?phish_id=6867093

help blocking this shit

note the pt url reveals own ip in url, nice try maybe

i have added it to phishtank and google phishing report

if i can add these mails to the corpus test i will send them privately to 
anyone interested in helping stop it


Re: Catching Phishing messages

2020-09-24 Thread RW
On Wed, 23 Sep 2020 14:03:32 -0600
@lbutlr wrote:

> On 21 Sep 2020, at 08:21, Daryl Rose  wrote:
> > I don't have the email server, it's hosted by a provider.  This
> > provider does a crappy job at filtering spam and phishing, so I am
> > running ISBG and Spamassassin to block the spam and phishing.  
> 
> This isn't really a workable solution 

It really is, unless the account is being deluged with spam.

> as there are many tests that your SA can't do that a mail server can
> do.

There are a few tests that SA can't do, but SA can do some of them a lot
better. Mail servers have a huge handicap in that they mostly work in
real time. A polling delay and not testing 24/7 can make a huge
difference. On the list we see people reporting difficult spams that
have huge scores on retesting. 


It's not necessarily true that an ISP with poor spam filtering is
failing to do server-side filtering. It may be just skimping on
expensive content-filtering, but still doing the cheap tests that save
resources. This is an ideal case for client-side filtering. 



Re: Catching Phishing messages

2020-09-23 Thread @lbutlr
On 21 Sep 2020, at 08:21, Daryl Rose  wrote:
> I don't have the email server, it's hosted by a provider.  This provider does 
> a crappy job at filtering spam and phishing, so I am running ISBG and 
> Spamassassin to block the spam and phishing.

This isn't really a workable solution as there are many tests that 
your SA can't do that a mail server can do. The better solutions include:

1) Never use ISP email, they are pretty much universally garbage.
2) Get your own domain and pay for someone to run email service 
   for you, pick a company that does a good job at managing spam 
   and if you are unhappy with them, move to another provider.
4) Gmail
5) a service like SaneBox or others that acts as an intermediary 
   to filter spam (and often for other services as well).
6) Get an email from a provider that takes email and spam seriously.
7) Run your own server (I don't recommend this)

Probably several others I am not thinking of.



-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but couldn't the constant use of a henna rinse
lead to premature baldness?"



Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I don't have the email server, it's hosted by a provider.  This provider
does a crappy job at filtering spam and phishing, so I am running ISBG and
Spamassassin to block the spam and phishing.

Thanks

Daryl

On Mon, Sep 21, 2020 at 7:33 AM Bryan K. Walton <bwalton+1576874...@leepfrog.com> wrote:

> On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> > I tend to get  a lot of phishing attempts, and they all get through.
> >
> > This appears to come from Apple, but obviously is not.
>
> Not a spamassassin solution, but Apple has a DMARC policy of quarantine
> for those types of emails.  If you implement dmarc policy checking on
> your mail server and enforce the policy that Apple asks you to follow
> when you receive emails supposedly from apple.com, those phishing
> emails will end up in your mail server's quarantine directory.
>
> -Bryan
>

