Re: Crap getting through
On Mon, 9 Nov 2020 12:44:04 + RW wrote:

> On Sun, 8 Nov 2020 19:49:20 -0500
> Rob McEwen wrote:
>
> > Daryl,
> >
> > Can you please post a copy of the raw email message - with headers
> > - perhaps with your own user's email address (and name?) masked out
> > (change to "")
>
> It's best to leave it syntactically correct and with self-consistent
> obfuscation, so it can be run through SA without having to be edited a
> send time.

second time
Re: Crap getting through
On Sun, 8 Nov 2020 19:49:20 -0500
Rob McEwen wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out
> (change to "")

It's best to leave it syntactically correct and with self-consistent
obfuscation, so it can be run through SA without having to be edited a
send time.
Re: Crap getting through
On 09.11.20 05:07, Daryl Rose wrote:

> Sorry, I deleted it right away. I normally delete that crap as soon as
> it comes in. I'll remember to keep it next time I get something so I
> can post the headers.

I keep spam and phishes in special mail directories for later examination.

> On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen wrote:
> > Can you please post a copy of the raw email message - with headers -
> > perhaps with your own user's email address (and name?) masked out
> > (change to "") - to pastebin, or to a similar site - then reply here
> > with the link. It is difficult to give specific suggestions without
> > having the raw underlying text of the message (w/headers). But please
> > try to avoid pasting that directly to this list. Thanks!
> >
> > On 11/8/2020 5:00 PM, Daryl Rose wrote:
> > > I'm getting obvious phishing attempts. This one was made to look
> > > like it was from Wells Fargo with an obvious spoofed email address.
> > > However, when I examined the headers, the From Address was this
> > > garbage:
> > > *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *

This is not garbage, this is a MIME-encoded string:

*WễllsḞargo Bank *

...and that is garbage. But it should be quite easily caught.

> > > I received another one that was meant to be an Amazon Prime
> > > Membership failure. How can I block these? The last time I inquired
> > > about phishing, it was suggested to install KAM, which I did, but
> > > this crap is still getting through. Any other suggestions?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
Re: Crap getting through
Sorry, I deleted it right away. I normally delete that crap as soon as it
comes in. I'll remember to keep it next time I get something so I can post
the headers.

Daryl

On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out (change
> to "") - to pastebin, or to a similar site - then reply here with
> the link. It is difficult to give specific suggestions without having the
> raw underlying text of the message (w/headers). But please try to avoid
> pasting that directly to this list. Thanks!
>
> Rob McEwen
>
> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure. How can I block these? The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through. Any other suggestions?
>
> Thank you.
>
> Daryl
>
> --
> Rob McEwen, invaluement
Re: Crap getting through
On Sun, 8 Nov 2020, Daryl Rose wrote:

> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *

Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably
won't pass masscheck and get published because there are probably few
examples of that in the corpus.

Added to my sandbox:

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Note: the ReplaceTags <TAG> markup inside the two regexes below appears to
# have been lost in the archived copy of this post; as shown, each pattern
# matches the empty string, so the tags must be restored before use.
body __FUZZY_WELLSFARGO_BODY /(?!ells[-\s]?Fargo)[-\s]?/i
replace_rules __FUZZY_WELLSFARGO_BODY
header __FUZZY_WELLSFARGO_FROM From:name =~ /(?!ells[-\s]?Fargo)[-\s]?/i
replace_rules __FUZZY_WELLSFARGO_FROM
meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
endif

Do you have something like this in place?

whitelist_auth *@wellsfargo.com
blacklist_from *@wellsfargo.com
whitelist_auth *@*.wellsfargo.com
blacklist_from *@*.wellsfargo.com
whitelist_auth *@bankofamerica.com
blacklist_from *@bankofamerica.com
whitelist_auth *@*.bankofamerica.com
blacklist_from *@*.bankofamerica.com

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Sheep have only two speeds: graze and stampede. -- LTC Grossman
---
Tomorrow: The 82nd anniversary of Kristallnacht - disarmament enables genocide
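Matus's point that the From: name is a MIME encoded-word, and John's fuzzy rule plus whitelist_auth/blacklist_from pairing, combined in one Python check. This is an added example, not code from the thread or from SpamAssassin; PROTECTED_DOMAINS and the auth_passed flag (standing in for an SPF/DKIM result) are assumptions.

```python
import email.header
import re
import unicodedata

# From: display name quoted in the thread (an RFC 2047 base64 encoded-word).
FROM_NAME = "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?="
# Same fuzzy shape as the FUZZY_WELLSFARGO rule: optional dash/space between words.
BRAND = re.compile(r"wells[-\s]?fargo")
# Assumed list mirroring the whitelist_auth/blacklist_from pairs in the post.
PROTECTED_DOMAINS = ("wellsfargo.com", "bankofamerica.com")


def decode_encoded_word(value: str) -> str:
    """Decode an RFC 2047 header the way a mail client would display it."""
    out = []
    for text, charset in email.header.decode_header(value):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", errors="replace")
        out.append(text)
    return "".join(out)


def fold_lookalikes(s: str) -> str:
    """NFKD-decompose, drop combining marks and casefold, so the decorated
    'WễllsḞargo' collapses to plain 'wellsfargo'."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def is_lookalike_brand(display_name: str) -> bool:
    """True when the brand only appears after folding, i.e. it was spelled
    with lookalike characters rather than the plain ASCII name."""
    return bool(BRAND.search(fold_lookalikes(display_name))) and \
        not BRAND.search(display_name.casefold())


def is_protected_domain(domain: str) -> bool:
    """Exact or subdomain match against the protected list (not a suffix match)."""
    d = domain.lower()
    return any(d == p or d.endswith("." + p) for p in PROTECTED_DOMAINS)


def classify_from(raw_from_name: str, addr_domain: str, auth_passed: bool) -> str:
    """Fuzzy name check first; then the whitelist_auth/blacklist_from idea:
    a protected sender domain is only trusted when authentication passed."""
    if is_lookalike_brand(decode_encoded_word(raw_from_name)):
        return "lookalike-brand-name"
    if is_protected_domain(addr_domain) and not auth_passed:
        return "protected-domain-unauthenticated"
    return "ok"
```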
Re: Crap getting through
Daryl Rose wrote on 2020-11-08 23:00:

> I'm getting obvious phishing attempts.

report to https://phishtank.com/ then

> This one was made to look like it was from Wells Fargo with an obvious
> spoofed email address.

so what did spamassassin say about that ?

> However, when I examined the headers, the From Address was this garbage:
> =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=

nice trick to avoid testing ?

developers of sa, utf-8 and qp is basically fucked everywhere :/

but this one is base64

> I received another one that was meant to be an Amazon Prime Membership
> failure.

maybe amazon prime hands out too many free accounts ? :-)

> How can I block these?

if you'd like me to answer that i could give next week's lotto numbers in
return :-)

> The last time I inquired about phishing, it was suggested to install KAM,

now it seems you need to build a corpus without rescoring anything in
kam.cf, make a DR.cf to build locally under your own control

> which I did, but this crap is still getting through. Any other
> suggestions?

without any samples no one can help you, have all that is needed to make
DR.cf ?
Re: Crap getting through
Daryl,

Can you please post a copy of the raw email message - with headers -
perhaps with your own user's email address (and name?) masked out (change
to "") - to pastebin, or to a similar site - then reply here with the
link. It is difficult to give specific suggestions without having the raw
underlying text of the message (w/headers). But please try to avoid
pasting that directly to this list. Thanks!

Rob McEwen

On 11/8/2020 5:00 PM, Daryl Rose wrote:

> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure. How can I block these? The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through. Any other suggestions?
>
> Thank you.
>
> Daryl

-- 
Rob McEwen, invaluement