Re: Catching Phishing messages

2020-09-24 Thread RW
On Wed, 23 Sep 2020 14:03:32 -0600
@lbutlr wrote:

> On 21 Sep 2020, at 08:21, Daryl Rose  wrote:
> > I don't have the email server, it's hosted by a provider.  This
> > provider does a crappy job at filtering spam and phishing, so I am
> > running ISBG and Spamassassin to block the spam and phishing.  
> 
> This isn't really a workable solution 

It really is, unless the account is being deluged with spam.

> as there are many tests that your SA can't do that a mail server can
> do.

There are a few tests that SA can't do, but SA can do some of them a lot
better. Mail servers have a huge handicap in that they mostly work in
real time. A polling delay and not testing 24/7 can make a huge
difference. On the list we see people reporting difficult spams that
have huge scores on retesting. 


It's not necessarily true that an ISP with poor spam filtering is
failing to do server-side filtering. It may be just skimping on
expensive content-filtering, but still doing the cheap tests that save
resources. This is an ideal case for client-side filtering. 



Re: Catching Phishing messages

2020-09-23 Thread @lbutlr
On 21 Sep 2020, at 08:21, Daryl Rose  wrote:
> I don't have the email server, it's hosted by a provider.  This provider does 
> a crappy job at filtering spam and phishing, so I am running ISBG and 
> Spamassassin to block the spam and phishing.

This isn't really a workable solution as there are many tests that 
your SA can't do that a mail server can do. The better solutions include:

1) Never use ISP email, they are pretty much universally garbage.
2) Get your own domain and pay for someone to run email service 
   for you, pick a company that does a good job at managing spam 
   and if you are unhappy with them, move to another provider.
3) Gmail
4) a service like SaneBox or others that acts as an intermediary 
   to filter spam (and often for other services as well).
5) Get an email from a provider that takes email and spam seriously.
6) Run your own server (I don't recommend this)

Probably several others I am not thinking of.



-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but couldn't the constant use of a henna rinse
lead to premature baldness?"



Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I don't have the email server, it's hosted by a provider.  This provider
does a crappy job at filtering spam and phishing, so I am running ISBG and
Spamassassin to block the spam and phishing.

Thanks

Daryl

On Mon, Sep 21, 2020 at 7:33 AM Bryan K. Walton <
bwalton+1576874...@leepfrog.com> wrote:

> On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> > I tend to get  a lot of phishing attempts, and they all get through.
> >
> > This appears to come from Apple, but obviously is not.
>
> Not a spamassassin solution, but Apple has a DMARC policy of quarantine
> for those types of emails.  If you implement dmarc policy checking on
> your mail server and enforce the policy that Apple asks you to follow
> when you receive emails supposedly from apple.com, those phishing
> emails will end up in your mail server's quarantine directory.
>
> -Bryan
>


Re: Catching Phishing messages

2020-09-21 Thread RW
On Mon, 21 Sep 2020 07:33:01 -0500
Bryan K. Walton wrote:

> On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> > I tend to get  a lot of phishing attempts, and they all get through.
> > 
> > This appears to come from Apple, but obviously is not.  
> 
> Not a spamassassin solution, but Apple has a DMARC policy of
> quarantine for those types of emails.  If you implement dmarc policy
> checking on your mail server and enforce the policy that Apple asks
> you to follow when you receive emails supposedly from apple.com,
> those phishing emails will end up in your mail server's quarantine
> directory.

Assuming they actually have Apple's domain as the author address, which
they very likely don't. 


Re: Catching Phishing messages

2020-09-21 Thread Bryan K. Walton
On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> I tend to get  a lot of phishing attempts, and they all get through.
> 
> This appears to come from Apple, but obviously is not.

Not a spamassassin solution, but Apple has a DMARC policy of quarantine
for those types of emails.  If you implement dmarc policy checking on
your mail server and enforce the policy that Apple asks you to follow
when you receive emails supposedly from apple.com, those phishing 
emails will end up in your mail server's quarantine directory.

-Bryan
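
The DMARC check Bryan describes, together with RW's caveat that it only bites when the phish really carries apple.com as its From: domain, worked through in Python as an added example (not code from the thread or from any DMARC implementation). DMARC_RECORDS is a hand-written stand-in for DNS TXT lookups, PUBLIC_SUFFIXES is a stub for the public suffix list, and the sample messages are constructed: v2345t3w4t0inbox13.com is the sender domain quoted in the thread, the local part and the SPF/DKIM results are made up.

```python
"""DMARC alignment and disposition, worked through over constructed input.

Added example, not code from the thread or from any DMARC implementation.
DMARC_RECORDS stands in for DNS TXT lookups of _dmarc.<domain>, PUBLIC_SUFFIXES
is a stub for the public suffix list, and the sample messages are made up
(v2345t3w4t0inbox13.com is the sender domain quoted in the thread).
"""
from email.utils import parseaddr

# Only apple.com publishes a policy here.  The look-alike sender domain has
# none, which is RW's point: a receiver can only enforce the policy of the
# domain that actually appears in From:.
DMARC_RECORDS = {
    "apple.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
}
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: one label below the longest matching suffix."""
    labels = domain.lower().strip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def parse_dmarc(record):
    """Parse a DMARC TXT record into the tags we need; None if not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return {"p": tags.get("p", "none"),
            "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r")}


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same
    organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, spf, dkim):
    """Return (disposition, reason) for one message.

    spf:  (MAIL FROM domain, result) or None
    dkim: list of (d= domain, result), one per signature
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "none", "no usable From: address"
    from_domain = addr.rsplit("@", 1)[1]
    # Exact domain first, then the organizational domain (RFC 7489 6.6.3).
    record = (DMARC_RECORDS.get(from_domain.lower())
              or DMARC_RECORDS.get(org_domain(from_domain)))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "none", f"no DMARC record for {from_domain}; nothing to enforce"
    spf_ok = (spf is not None and spf[1] == "pass"
              and aligned(from_domain, spf[0], policy["aspf"]))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy["adkim"])
                  for d, result in dkim)
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    return policy["p"], f"{from_domain} not aligned; applying p={policy['p']}"


# Constructed messages: (From: header, SPF result, DKIM results)
SAMPLES = {
    # genuine: signed with d=apple.com, envelope from a subdomain
    "legit": ("Apple <no_reply@email.apple.com>",
              ("email.apple.com", "pass"), [("apple.com", "pass")]),
    # header From: claims apple.com but only the scammer's domain authenticates
    "spoofed_from": ("Apple <no_reply@apple.com>",
                     ("v2345t3w4t0inbox13.com", "pass"), []),
    # the thread's case: From: is the throwaway domain, which has no policy
    "lookalike": ('"Apple Support" <acc.made.up@v2345t3w4t0inbox13.com>',
                  ("v2345t3w4t0inbox13.com", "pass"),
                  [("v2345t3w4t0inbox13.com", "pass")]),
}


def run_samples():
    """Disposition for each sample, by name."""
    return {name: evaluate_dmarc(*args)[0] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        disposition, why = evaluate_dmarc(*args)
        print(f"{name:13s} -> {disposition:10s} {why}")
```

Only the `spoofed_from` message is quarantined. The thread's own sample is the `lookalike` case: its From: domain publishes no policy, so the answer is `none` and DMARC enforcement alone does nothing for it; that is what a content rule keyed on the brand name has to cover.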


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I'm not familiar with RBL.  What and how would I use it?

Thanks

Daryl

On Sun, Sep 20, 2020 at 9:42 AM sebast...@debianfan.de <
sebast...@debianfan.de> wrote:

> What about rbl integration in spamassassin?
>
> On 20 September 2020 16:35:22 CEST, Daryl Rose wrote:
>>
>> I tend to get  a lot of phishing attempts, and they all get through.
>>
>> This appears to come from Apple, but obviously is not.
>>
>> Subject: Re: Purchase Notification - Here is confirmation of your order
>>
>> Mail From:
>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>>
>>
>> I can blacklist the email address, but I know that won't help.  Is there
>> a rule that I can set up to catch more phishing attempts?
>>
>> Thanks
>>
>> Daryl
>>
>
> --
> This message was sent from my Android device with K-9 Mail.
>


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I am not using the KAM.cf rule set.  I found the script on github.  Can I
just drop in into /etc/mail/spamassassin stop/start spamassassin and start
catching phishing emails?

Thanks

Daryl

On Sun, Sep 20, 2020 at 10:32 AM Kevin A. McGrail 
wrote:

> Are you using the KAM.cf ruleset?
>
> Can you manually test the email and give the output from the report?  Or
> put a spample up on pastebin?
>
>
> On 9/20/2020 10:35 AM, Daryl Rose wrote:
>
> I tend to get  a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.
>
>   Subject: Re: Purchase Notification - Here is confirmation of your order
>
> Mail From:
> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>
>
> I can blacklist the email address, but I know that won't help.  Is there a
> rule that I can set up to catch more phishing attempts?
>
> Thanks
>
> Daryl
>
> --
> Kevin A. McGrail
> kmcgr...@apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I understand what you're saying.  Yes, my email client only shows the fake
email address, so to find the actual email address, I copy the header
contents into an email header analyzer.  I prefer https://mailheader.org/.
It breaks apart the header really nicely and I can see the actual email
address.

Thanks

Daryl

On Sun, Sep 20, 2020 at 11:34 PM @lbutlr  wrote:

> On 20 Sep 2020, at 08:35, Daryl Rose  wrote:
> > I can blacklist the email address, but I know that won't help.  Is there
> a rule that I can set up to catch more phishing attempts?
>
> SPF and DMARC seem to be the only ways to deal with spams from large
> senders that are faked, but what is considered ‘faked’ may not always match
> expectations.
>
> As an example, with many GUI mail clients the client shows the “nice” part
> of the from, and does not show the actual address. So some scammer can send
> an email from
>
> From: “supportad...@paypal.com” 
>
> And the recipient will only see a fake PayPal address.
>
>
> --
> "...and Digby considered how much he liked salt..."


Re: Catching Phishing messages

2020-09-20 Thread @lbutlr
On 20 Sep 2020, at 08:35, Daryl Rose  wrote:
> I can blacklist the email address, but I know that won't help.  Is there a 
> rule that I can set up to catch more phishing attempts?

SPF and DMARC seem to be the only ways to deal with spams from large senders 
that are faked, but what is considered ‘faked’ may not always match expectations.

As an example, with many GUI mail clients the client shows the “nice” part of 
the from, and does not show the actual address. So some scammer can send an 
email from

From: “supportad...@paypal.com” 

And the recipient will only see a fake PayPal address.


-- 
"...and Digby considered how much he liked salt..."

Re: Catching Phishing messages

2020-09-20 Thread Bill Cole

On 20 Sep 2020, at 10:35, Daryl Rose wrote:

> I tend to get a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.
>
>   Subject: Re: Purchase Notification - Here is confirmation of your order
>
> Mail From:
> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>
> I can blacklist the email address, but I know that won't help.  Is there a
> rule that I can set up to catch more phishing attempts?


To catch (MOST) Apple phishing:

  # clear mail whose From: address authenticates (SPF and/or DKIM) for apple.com
  whitelist_auth  *@*.apple.com
  whitelist_auth  *@apple.com
  # flag everything else whose From: header mentions Apple
  header FROM_APPLE  From =~ /\bapple\b/i
  describe FROM_APPLE Seems to claim to be from Apple
  score FROM_APPLE 4

Similar combinations of whitelist_auth rules can clear mail that passes 
SPF and/or DKIM authentication for a domain while strongly suspecting 
anything else that seems to claim to be from them.


Note that if you happen to be on mailing lists with Apple employee 
participants using their apple.com addresses, you should take other 
measures to favor the list mail, since mailing lists commonly break 
author DKIM and SPF is applied to the list's domain.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
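
The same "authenticate or suspect" idea in Python, as an added example that is not SpamAssassin code and not from the thread. It does what Daryl's header analyzer does (separate the display name from the real address), flags the `"supportadmin@paypal.com"` display-name trick @lbutlr describes, and scores a brand claim the way the whitelist_auth / FROM_APPLE pair above would: +4 for the claim, -100 when the From: domain is one the message actually authenticated for. The PROTECTED table, the sample headers and the authentication results are constructed; v2345t3w4t0inbox13.com is the sender domain quoted in the thread, the local part is made up.

```python
"""From: header triage in the spirit of the whitelist_auth / FROM_APPLE pair.

Added example, not SpamAssassin code and not from the thread.  PROTECTED, the
sample headers and the authentication results are constructed;
v2345t3w4t0inbox13.com is the sender domain quoted in the thread.
"""
import re
from email.utils import parseaddr

# Brand domain -> pattern that marks a claim in the From: header
# (the FROM_APPLE rule uses /\bapple\b/i on the whole header).
PROTECTED = {
    "apple.com": re.compile(r"\bapple\b", re.I),
    "paypal.com": re.compile(r"\bpaypal\b", re.I),
}
# An address-looking token inside the display name, capturing its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def parse_from(header):
    """Split a From: header into what the client shows and what is real."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return {"name": name, "addr": addr, "domain": domain}


def claimed_brands(header):
    """Protected brands the raw From: header appears to invoke."""
    return [brand for brand, rx in PROTECTED.items() if rx.search(header)]


def analyse_from(header, auth_domains=()):
    """Score one From: header.

    auth_domains: domains the message passed SPF or DKIM for, i.e. what
    whitelist_auth consults before trusting the address.
    """
    parsed = parse_from(header)
    authed = {d.lower() for d in auth_domains}
    findings, score = [], 0.0

    # Display name that is itself an address at another domain: the GUI
    # client shows only the name, so the recipient sees a PayPal address.
    m = ADDR_IN_NAME.search(parsed["name"])
    if m and m.group(1).lower() != parsed["domain"]:
        findings.append(f"display name impersonates {m.group(1).lower()}; "
                        f"real domain is {parsed['domain'] or '(none)'}")

    for brand in claimed_brands(header):
        findings.append(f"claims {brand} (FROM_* rule, +4)")
        score += 4.0
        from_is_brand = (parsed["domain"] == brand
                         or parsed["domain"].endswith("." + brand))
        if from_is_brand and parsed["domain"] in authed:
            findings.append(f"authenticated for {parsed['domain']} "
                            "(whitelist_auth, -100)")
            score -= 100.0
    return {"score": score, "findings": findings, **parsed}


# Constructed samples: (From: header, domains the message authenticated for)
SAMPLES = [
    ("Apple <no_reply@email.apple.com>", {"email.apple.com"}),
    ('"supportadmin@paypal.com" <acc.made.up@v2345t3w4t0inbox13.com>',
     {"v2345t3w4t0inbox13.com"}),
    ('"Apple Store" <acc.made.up@v2345t3w4t0inbox13.com>', set()),
    ("Bob <bob@example.org>", {"example.org"}),
]


def run_samples():
    """Scores for SAMPLES, in order."""
    return [analyse_from(h, a)["score"] for h, a in SAMPLES]


if __name__ == "__main__":
    for header, auth in SAMPLES:
        r = analyse_from(header, auth)
        print(f"{r['score']:7.1f}  {header}")
        for f in r["findings"]:
            print(f"         - {f}")
```

The genuine Apple message nets -96 (both rules fire, as they would in SpamAssassin), the two impostors get +4 each, and unrelated mail is untouched. The PayPal sample also shows why Daryl's client only displayed the fake address: `parseaddr` returns it as the display name, with the throwaway domain in the real addr-spec.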


Re: Catching Phishing messages

2020-09-20 Thread Kevin A. McGrail
Are you using the KAM.cf ruleset?

Can you manually test the email and give the output from the report?  Or
put a spample up on pastebin?


On 9/20/2020 10:35 AM, Daryl Rose wrote:
>
> I tend to get a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.
>
>   Subject: Re: Purchase Notification - Here is confirmation of your order
>
> Mail From:
> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>
>
>
> I can blacklist the email address, but I know that won't help.  Is
> there a rule that I can set up to catch more phishing attempts?
>
> Thanks
>
> Daryl

-- 
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Catching Phishing messages

2020-09-20 Thread sebast...@debianfan.de
What about rbl integration in spamassassin? 

On 20 September 2020 16:35:22 CEST, Daryl Rose wrote:
>I tend to get  a lot of phishing attempts, and they all get through.
>
>This appears to come from Apple, but obviously is not.
>
>Subject: Re: Purchase Notification - Here is confirmation of your order
>
>Mail From:
>acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>
>
>I can blacklist the email address, but I know that won't help.  Is
>there a
>rule that I can set up to catch more phishing attempts?
>
>Thanks
>
>Daryl

-- 
This message was sent from my Android device with K-9 Mail.