Re: Phishing

2009-04-24 Thread Jeff Chan
On Friday, April 24, 2009, 5:05:38 PM, Thomas Casartello wrote:
> One major issue we've been having lately is with phishing emails being
> targeted at us. They're being sent to us from hacked accounts at other
> educational institutes. The message usually is about "Your EDU webmail
> account is expiring. Please send us your username and password to fix it."
> We've had some users fall for it, then their Exchange account gets turned
> into a spam machine (sending out usual junk spam as well as the original
> phishing message.) Because they are coming from legitimate sites, it's been
> very difficult to block these messages. I've been trying to write phrase
> rules with common words used in the message, but whoever's responsible for
> this is continually changing the message to prevent you from being able to
> catch them with phrase rules. Any thoughts?

If the phishes are claiming to come from your own domain, then
use SPF or DKIM on your real outbound mail.  Then any message
claiming to be from your domain that doesn't match the SPF record
or DKIM key can be considered a forgery and handled
appropriately.

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/



RE: Phishing

2009-04-24 Thread Casartello, Thomas
The phish are coming from real hacked accounts (Basically people that have
gotten the phish email and fallen for it) at other Educational institutes
(We already use SPF). 

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-Original Message-
From: Jeff Chan [mailto:je...@surbl.org] 
Sent: Friday, April 24, 2009 9:43 PM
To: Casartello, Thomas
Cc: users@spamassassin.apache.org
Subject: Re: Phishing

On Friday, April 24, 2009, 5:05:38 PM, Thomas Casartello wrote:
> One major issue we've been having lately is with phishing emails being
> targeted at us. They're being sent to us from hacked accounts at other
> educational institutes. The message usually is about "Your EDU webmail
> account is expiring. Please send us your username and password to fix it."
> We've had some users fall for it, then their Exchange account gets turned
> into a spam machine (sending out usual junk spam as well as the original
> phishing message.) Because they are coming from legitimate sites, it's been
> very difficult to block these messages. I've been trying to write phrase
> rules with common words used in the message, but whoever's responsible for
> this is continually changing the message to prevent you from being able to
> catch them with phrase rules. Any thoughts?

If the phishes are claiming to come from your own domain, then
use SPF or DKIM on your real outbound mail.  Then any message
claiming to be from your domain that doesn't match the SPF record
or DKIM key can be considered a forgery and handled
appropriately.

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/





Re: Phishing

2009-04-24 Thread Igor Chudov
Maybe I can clarify how these phishes work. A phisher would send
emails to a large number of people saying, literally, "I am your
email administrator, your account is to be suspended, please send me
your username and password". 

Any cursory examination of these letters would make it obvious that
they are fake. 

Most people do not fall for it, but the dumbest ones do fall for it. 

Once they send these emails, the spammers gain control of those email
accounts and can abuse them however they want, including propagating
of phishing, spamming, etc. 

DKIM will not work, as this is purely a social engineering attack. 

i


Re: Phishing

2009-04-24 Thread SM

At 17:05 24-04-2009, Casartello, Thomas wrote:
One major issue we've been having lately is with phishing emails 
being targeted at us. They're being sent to us from hacked accounts 
at other educational institutes. The message usually is about "Your 
EDU webmail account is expiring. Please send us your username and 
password to fix it." We've had some users fall for it, then their 
Exchange account gets turned into a spam machine (sending out usual 
junk spam as well as the original phishing message.) Because they 
are coming from legitimate sites, it's been very difficult to block 
these messages. I've been trying to write phrase rules with common 
words used in the message, but whoever's responsible for this is 
continually changing the message to prevent you from being able to 
catch them with phrase rules. Any thoughts?


There was a project from an educational institution to target 
phishing emails.  I don't recall the name of the project or whether 
the source code was released.


It is going to be a lot of work to keep the rules updated to catch 
these emails.  Analyze the emails instead of trying to apply the 
usual techniques to catch them.  Instead of considering the emails as 
coming from legitimate sites, you should treat that as a data point 
as part of the patterns to identify.  The words in the emails might 
change but the sender relies on some information for the phish to 
work.  You should be able to parse the mail traffic for that 
information.  BTW, there is a larger problem if there are "hacked" 
accounts available on the sending network and on your network.


Regards,
-sm 



Re: Phishing

2009-04-25 Thread Arvid Ephraim Picciani

Casartello, Thomas wrote:

The phish are coming from real hacked accounts (Basically people that have
gotten the phish email and fallen for it) at other Educational institutes
(We already use SPF). 


I'd go for a non-technical solution here, since it affects only a 
small number of organisations. Talk to the postmasters of the other 
organisations to track the source, and make your users sensitive to phishing 
attacks (seriously, someone thinking 
peter-foo-...@students.myuniversity.edu is an admin should not be 
allowed to use a computer until proper training). Unfortunately the 
amount of stupid people at universities seems to increase rapidly...


Re: Phishing

2009-04-25 Thread Mike Cardwell

SM wrote:

One major issue we've been having lately is with phishing emails being 
targeted at us. They're being sent to us from hacked accounts at other 
educational institutes. The message usually is about "Your EDU webmail 
account is expiring. Please send us your username and password to fix 
it." We've had some users fall for it, then their Exchange account 
gets turned into a spam machine (sending out usual junk spam as well 
as the original phishing message.) Because they are coming from 
legitimate sites, it's been very difficult to block these messages. 
I've been trying to write phrase rules with common words used in the 
message, but whoever's responsible for this is continually changing 
the message to prevent you from being able to catch them with phrase 
rules. Any thoughts?


There was a project from an educational institution to target phishing 
emails.  I don't recall the name of the project or whether the source 
code was released.


It's called Kochi. I wrote it for Loughborough University. The source 
code was released under the GPL. Read this:


https://secure.grepular.com/blog/index.php/2009/04/08/mitigating-spear-phishing/

If a phishing email gets through, and one of our staff or students 
replies to it, Kochi will detect the username/password in the email and 
block it from getting out. Kochi pulls out all of the possible 
username/password combinations from the email and does authentication 
attempts on each of them. This works for us because the usernames follow 
a very specific format, and our password policy is quite strict meaning 
that the number of possible username/password combos we pull out of 
emails is quite low.


It has been very successful for us.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
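The outbound check Mike describes, as an added Python sketch that is not Kochi's own code: pull every token that fits the local username format and password policy out of a reply, pair them up (capped, so a long mail cannot trigger a flood of auth checks), and block the message if any pair authenticates. The username format, password policy, directory backend and sample replies are all constructed assumptions for this example.

```python
import hashlib
import hmac
import os
import re
from itertools import product

# Assumed local conventions (not Kochi's actual rules): usernames are two
# lowercase letters followed by five digits; passwords are 8-20 non-space
# characters containing at least one letter and one digit.
USERNAME_RE = re.compile(r"^[a-z]{2}\d{5}$")
PASSWORD_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S{8,20}$")
TRAILING_PUNCT = ".,;:!?)\"'"


def tokens(text):
    """Whitespace-split the body; yield each token raw and with trailing punctuation stripped."""
    seen = set()
    for raw in text.split():
        for tok in (raw, raw.rstrip(TRAILING_PUNCT)):
            if tok and tok not in seen:
                seen.add(tok)
                yield tok


def candidate_usernames(text):
    return sorted({t.lower() for t in tokens(text) if USERNAME_RE.match(t.lower())})


def candidate_passwords(text):
    return sorted({t for t in tokens(text) if PASSWORD_RE.match(t)})


def credential_pairs(text, limit):
    """Cartesian product of the candidates, capped so one chatty mail cannot flood the auth backend."""
    pairs = list(product(candidate_usernames(text), candidate_passwords(text)))
    return pairs[:limit]


class MockDirectory:
    """Stand-in for the real authentication backend (assumption): salted SHA-256, constant-time compare."""

    def __init__(self, accounts):
        self._store = {}
        for user, pw in accounts.items():
            salt = os.urandom(16)
            self._store[user] = (salt, self._digest(salt, pw))

    @staticmethod
    def _digest(salt, pw):
        return hashlib.sha256(salt + pw.encode()).digest()

    def verify(self, user, pw):
        entry = self._store.get(user)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, self._digest(salt, pw))


def scan_outgoing(body, directory, max_attempts=50):
    """Verdict for one outbound message: block if any extracted pair authenticates."""
    attempts = 0
    for user, pw in credential_pairs(body, max_attempts):
        attempts += 1
        if directory.verify(user, pw):
            # Never put the password itself in the verdict or in logs.
            return {"block": True, "leaked_user": user, "attempts": attempts}
    return {"block": False, "leaked_user": None, "attempts": attempts}


# Constructed sample data for a stand-alone run.
DIRECTORY = MockDirectory({"jd20931": "Winter2009x", "ab11111": "Hunter2pass"})
LEAK_REPLY = ("Hi support team, as requested my login is jd20931 and the password is "
              "Winter2009x. Please don't suspend my account!")
CLEAN_REPLY = "Hi, I think this mail is a phish. My username jd20931 is fine and I did not reply."

if __name__ == "__main__":
    for label, body in (("leak", LEAK_REPLY), ("clean", CLEAN_REPLY)):
        print(label, scan_outgoing(body, DIRECTORY))
```

The cap on pairs matters in practice: every pair is a real authentication attempt against your directory, so a loose username format or password policy turns one long email into a self-inflicted brute-force run.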


RE: Phishing

2009-04-25 Thread Casartello, Thomas
Well by "hacked" I mean people that have fallen for the phishing and have sent 
their username and password. When I notice it on our network, we immediately 
reset the password and inform the user. But the emails we get are coming from 
other colleges where users have given away their passwords.

-Original Message-
From: SM [mailto:s...@resistor.net] 
Sent: Saturday, April 25, 2009 1:03 AM
To: users@spamassassin.apache.org
Subject: Re: Phishing

At 17:05 24-04-2009, Casartello, Thomas wrote:
>One major issue we've been having lately is with phishing emails 
>being targeted at us. They're being sent to us from hacked accounts 
>at other educational institutes. The message usually is about "Your 
>EDU webmail account is expiring. Please send us your username and 
>password to fix it." We've had some users fall for it, then their 
>Exchange account gets turned into a spam machine (sending out usual 
>junk spam as well as the original phishing message.) Because they 
>are coming from legitimate sites, it's been very difficult to block 
>these messages. I've been trying to write phrase rules with common 
>words used in the message, but whoever's responsible for this is 
>continually changing the message to prevent you from being able to 
>catch them with phrase rules. Any thoughts?

There was a project from an educational institution to target 
phishing emails.  I don't recall the name of the project or whether 
the source code was released.

It is going to be a lot of work to keep the rules updated to catch 
these emails.  Analyze the emails instead of trying to apply the 
usual techniques to catch them.  Instead of considering the emails as 
coming from legitimate sites, you should treat that as a data point 
as part of the patterns to identify.  The words in the emails might 
change but the sender relies on some information for the phish to 
work.  You should be able to parse the mail traffic for that 
information.  BTW, there is a larger problem if there are "hacked" 
accounts available on the sending network and on your network.

Regards,
-sm 



RE: Phishing

2009-04-25 Thread Casartello, Thomas
Haha. Unfortunately I agree. Our CIO has sent out two or three emails to 
faculty and staff as well as students telling them to ignore these messages 
since they started arriving, but yet we've still had faculty and students who 
have given them away anyway.

-Original Message-
From: Arvid Ephraim Picciani [mailto:a...@exys.org] 
Sent: Saturday, April 25, 2009 4:06 AM
To: users@spamassassin.apache.org
Subject: Re: Phishing

Casartello, Thomas wrote:
> The phish are coming from real hacked accounts (Basically people that have
> gotten the phish email and fallen for it) at other Educational institutes
> (We already use SPF). 

I'd go for a non-technical solution here, since it affects only a 
small number of organisations. Talk to the postmasters of the other 
organisations to track the source, and make your users sensitive to phishing 
attacks (seriously, someone thinking 
peter-foo-...@students.myuniversity.edu is an admin should not be 
allowed to use a computer until proper training). Unfortunately the 
amount of stupid people at universities seems to increase rapidly...


Re: Phishing

2009-04-25 Thread Dave Koontz
Hi Thomas!

Casartello, Thomas wrote ... (4/24/2009 8:05 PM):
>
> One major issue we’ve been having lately is with phishing emails being
> targeted at us. They’re being sent to us from hacked accounts at other
> educational institutes. The message usually is about “Your EDU webmail
> account is expiring. Please send us your username and password to fix
> it.” We’ve had some users fall for it, then their Exchange account
> gets turned into a spam machine (sending out usual junk spam as well
> as the original phishing message.) Because they are coming from
> legitimate sites, it’s been very difficult to block these messages.
> I’ve been trying to write phrase rules with common words used in the
> message, but whoever’s responsible for this is continually changing
> the message to prevent you from being able to catch them with phrase
> rules. Any thoughts?
>
>  
>

I've discovered that most folks outside the .EDU address space don't face
the dozens of variations of these messages each day.  The sad part is they do
in fact come from legitimate users and domains, just from a compromised
account.

The best advice is to use ClamAV with the SaneSecurity databases.  There
is a ClamAV plugin which makes it trivial to add to SpamAssassin:
ClamAV Plugin:  http://wiki.apache.org/spamassassin/ClamAVPlugin
SaneSecurity Phishing Signatures:  http://sanesecurity.com/

I also have set up some rather crude SA rules that seem effective for
us.  When you really break down a large sampling of these you will find
there are also a couple of very common words, like "WebMail",
"Password", "Warning", etc.  Feel free to try the following and adjust
scoring as needed for your environment.

#
# SPEAR ATTACKS  12/10/2008
#
body     EDU_SPEAR_S  /Edu Email Support Team/i
describe EDU_SPEAR_S  Email Attempting to get User Logins
score    EDU_SPEAR_S  15.0


# The 0.1-point body rules below are atoms; the real weight comes from the
# meta rules that require several of them to fire together.
body     EDU_SPEAR_WM /WEBMAIL/i
describe EDU_SPEAR_WM Email Contains WebMail
score    EDU_SPEAR_WM 0.1

body     EDU_SPEAR_P  /password/i
describe EDU_SPEAR_P  Email Contains password
score    EDU_SPEAR_P  0.1

meta     EDU_SPEAR    EDU_SPEAR_WM && EDU_SPEAR_P
describe EDU_SPEAR    Potential Phish WebMail / Password
score    EDU_SPEAR    7.5

body     EDU_SPEAR_U  /username|user name/i
describe EDU_SPEAR_U  Email Contains username
score    EDU_SPEAR_U  0.1

body     EDU_SPEAR_W  /warning/i
describe EDU_SPEAR_W  Email Contains warning
score    EDU_SPEAR_W  0.1

body     EDU_SPEAR_C  /confirm/i
describe EDU_SPEAR_C  Email Contains confirm
score    EDU_SPEAR_C  0.1

body     EDU_SPEAR_F  /failure/i
describe EDU_SPEAR_F  Email Contains failure
score    EDU_SPEAR_F  0.1

meta     EDU_SPEAR_1  EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_W
describe EDU_SPEAR_1  Potential Phish Username, Password, Warning
score    EDU_SPEAR_1  5.0

meta     EDU_SPEAR_2  EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_C
describe EDU_SPEAR_2  Potential Phish Username, Password, Confirm
score    EDU_SPEAR_2  5.0

meta     EDU_SPEAR_3  EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_F
describe EDU_SPEAR_3  Potential Phish Username, Password, Failure
score    EDU_SPEAR_3  5.0
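As an added illustration (not Dave's code and not SpamAssassin's own engine), this Python transcribes the rules above into a table and scores two constructed bodies the way SA combines them: each 0.1 atom on its own is noise, the meta rules supply the 7.5 and 5.0 hits. The second sample is a legitimate IT notice and shows the trade-off Dave mentions about adjusting scores: "webmail" plus "password" alone is enough to carry a genuine notice past SA's default required_score of 5.0.

```python
import re

# Dave's body rules, transcribed as (pattern, score). SA body rules are
# case-insensitive substring matches on the rendered text, so "confirm"
# also fires on "confirmation" and "unconfirmed".
BODY_RULES = {
    "EDU_SPEAR_S": (r"Edu Email Support Team", 15.0),
    "EDU_SPEAR_WM": (r"WEBMAIL", 0.1),
    "EDU_SPEAR_P": (r"password", 0.1),
    "EDU_SPEAR_U": (r"username|user name", 0.1),
    "EDU_SPEAR_W": (r"warning", 0.1),
    "EDU_SPEAR_C": (r"confirm", 0.1),
    "EDU_SPEAR_F": (r"failure", 0.1),
}

# Meta rules: every listed atom must have fired (the && in the SA config).
META_RULES = {
    "EDU_SPEAR": (("EDU_SPEAR_WM", "EDU_SPEAR_P"), 7.5),
    "EDU_SPEAR_1": (("EDU_SPEAR_U", "EDU_SPEAR_P", "EDU_SPEAR_W"), 5.0),
    "EDU_SPEAR_2": (("EDU_SPEAR_U", "EDU_SPEAR_P", "EDU_SPEAR_C"), 5.0),
    "EDU_SPEAR_3": (("EDU_SPEAR_U", "EDU_SPEAR_P", "EDU_SPEAR_F"), 5.0),
}

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def evaluate(body):
    """Return (names of rules that hit, in evaluation order; total score rounded to 0.1)."""
    hits = []
    total = 0.0
    for name, (pattern, score) in BODY_RULES.items():
        if re.search(pattern, body, re.IGNORECASE):
            hits.append(name)
            total += score
    fired = set(hits)
    for name, (atoms, score) in META_RULES.items():
        if all(atom in fired for atom in atoms):
            hits.append(name)
            total += score
    return hits, round(total, 1)


def is_spam(body):
    return evaluate(body)[1] >= REQUIRED_SCORE


# Constructed samples, not real messages.
PHISH_BODY = (
    "Dear Webmail User,\n"
    "Warning: your account will be suspended. Confirm your username and "
    "password now to keep it active.\n"
    "Edu Email Support Team"
)
IT_NOTICE = (
    "Reminder: the webmail password policy changes next week. You will be "
    "asked to change your password at your next login. IT will never ask "
    "you to email it to anyone."
)

if __name__ == "__main__":
    for label, body in (("phish", PHISH_BODY), ("notice", IT_NOTICE)):
        hits, score = evaluate(body)
        print(f"{label}: score={score} spam={is_spam(body)} hits={hits}")
```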


Re: Phishing

2009-04-25 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:

A phisher would send emails to a large number of people saying, 
literally, "I am your email administrator, your account is to be 
suspended, please send me your username and password".


DKIM will not work,


BAYES should work quite well.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 What nuts do with guns is terrible, certainly. But what evil or crazy
 people do with *anything* is not a valid argument for banning that
 item.-- John C. Randolph 
---
 94 days since Obama's inauguration and still no unicorn!


Re: Phishing

2009-04-25 Thread Dave Koontz

John Hardin wrote ... (4/25/2009 12:06 PM):
>> A phisher would send emails to a large number of people saying,
>> literally, "I am your email administrator, your account is to be
>> suspended, please send me your username and password".
>>
>> DKIM will not work,
>
> BAYES should work quite well.
>

Actually it doesn't.  The message text varies too much.  While you can
mass learn a single version during a particular campaign, we often see a
dozen or more variations every day.  BAYES can't cope with that.

The SaneSecurity ClamAV DBs have been the best defense I've found to date.



Re: Phishing

2009-04-25 Thread LuKreme

On 25-Apr-2009, at 10:23, Dave Koontz wrote:

John Hardin wrote ... (4/25/2009 12:06 PM):

A phisher would send emails to a large number of people saying,
literally, "I am your email administrator, your account is to be
suspended, please send me your username and password".

DKIM will not work,


BAYES should work quite well.


Actually it doesn't.  The message text varies too much.  While you can
mass learn a single version during a particular campaign, we often see a
dozen or more variations every day.  BAYES can't cope with that.


Bayes copes quite well with that. 'password' is a pretty strong spam  
indicator around here, for example.



--
Love is like oxygen / You get too much / you get too high
/ Not enough and you're gonna die



Re: Phishing

2009-04-26 Thread Neil Schwartzman
On 24/04/09 11:44 PM, it was written:

> Most people do not fall for it, but the dumbest ones do fall for it.

This is not a question of intellect, it is a question of the verisimilitude
of the messaging.
-- 
Neil Schwartzman
Director, Accreditation Security & Standards
Certified | Safelist
Return Path Inc.
0142002038




Re: Phishing

2009-04-26 Thread Benny Pedersen

On Sat, April 25, 2009 05:44, Igor Chudov wrote:
> DKIM will not work, as this is purely a social engineering attack.

will postmas...@example.com work ?

if the hacked accounts were signed with DKIM, the remote side will know what domain
to contact about it, but if ab...@example.com or postmaster don't act on it, it
does not help to cry

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: Phishing

2009-04-26 Thread Ken A.

Neil Schwartzman wrote:

On 24/04/09 11:44 PM, it was written:


Most people do not fall for it, but the dumbest ones do fall for it.


This is not a question of intellect, it is a question of the verisimilitude
of the messaging.


Both might well be more true than false. In fact I could think of 
several more, but won't bore you..

Ken


Re: Phishing

2009-04-27 Thread Matus UHLAR - fantomas
> On Sat, April 25, 2009 05:44, Igor Chudov wrote:
> > DKIM will not work, as this is purely a social engineering attack.

On 26.04.09 15:33, Benny Pedersen wrote:
> will postmas...@example.com work ?
> 
> if the hacked accounts were signed with DKIM, the remote side will know what domain
> to contact about it, but if ab...@example.com or postmaster don't act on it, it
> does not help to cry

you can also block mail from domains that are listed in rfc-ignorant for not
having postmaster@ and/or abuse@ address, although some people (even on this
list) are strongly against it ;-)

well, from the spam point of view, it has many FPs. You must understand it
as policy, not an anti-spam measure. 

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Phishing

2009-04-27 Thread jp
We've seen some of it with our webmail too.

When one of your users gives out their password and you notice their 
account being abused, look in the message headers or apache logs to see 
where the perp is. We've seen them mostly to be from Africa, Nigeria 
probably. I've taken to blocking their /16 on our webmail server, and 
after a dozen or so IP ranges added, it's stopped. They have a lot of 
time on their hands and phish so they can spam. Who knows what else they 
do with data collected from the naive.

On Sat, Apr 25, 2009 at 09:13:52AM -0400, Casartello, Thomas wrote:
> Well by "hacked" I mean people that have fallen for the phishing and 
> have sent their username and password. When I notice it on our 
> network, we immediately reset the password and inform the user. But 
> the emails we get are coming from other colleges where users have 
> given away their passwords.
> 
> -Original Message-
> From: SM [mailto:s...@resistor.net] 
> Sent: Saturday, April 25, 2009 1:03 AM
> To: users@spamassassin.apache.org
> Subject: Re: Phishing
> 
> At 17:05 24-04-2009, Casartello, Thomas wrote:
> >One major issue we've been having lately is with phishing emails 
> >being targeted at us. They're being sent to us from hacked accounts 
> >at other educational institutes. The message usually is about "Your 
> >EDU webmail account is expiring. Please send us your username and 
> >password to fix it." We've had some users fall for it, then their 
> >Exchange account gets turned into a spam machine (sending out usual 
> >junk spam as well as the original phishing message.) Because they 
> >are coming from legitimate sites, it's been very difficult to block 
> >these messages. I've been trying to write phrase rules with common 
> >words used in the message, but whoever's responsible for this is 
> >continually changing the message to prevent you from being able to 
> >catch them with phrase rules. Any thoughts?
> 
> There was a project from an educational institution to target 
> phishing emails.  I don't recall the name of the project or whether 
> the source code was released.
> 
> It is going to be a lot of work to keep the rules updated to catch 
> these emails.  Analyze the emails instead of trying to apply the 
> usual techniques to catch them.  Instead of considering the emails as 
> coming from legitimate sites, you should treat that as a data point 
> as part of the patterns to identify.  The words in the emails might 
> change but the sender relies on some information for the phish to 
> work.  You should be able to parse the mail traffic for that 
> information.  BTW, there is a larger problem if there are "hacked" 
> accounts available on the sending network and on your network.
> 
> Regards,
> -sm 

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Wireless and DSL
KB1IOJ|   Broadband Internet Access, Dialup, and Hosting 
 http://f64.nu/   |   for Midcoast Mainehttp://www.midcoast.com/
*/


Re: Phishing

2009-04-27 Thread Dennis Davis
On Fri, 24 Apr 2009, SM wrote:

> From: SM 
> To: users@spamassassin.apache.org
> Date: Fri, 24 Apr 2009 22:03:21 -0700
> Subject: Re: Phishing

...

> There was a project from an educational institution to target
> phishing emails.  I don't recall the name of the project or
> whether the source code was released.

You might be thinking of Kochi:

http://oss.lboro.ac.uk/kochi1.html

The Google project:

http://code.google.com/p/anti-phishing-email-reply/

is also useful as it attempts to detail the compromised accounts.
Just block/quarantine email for those accounts.

...of course the phishers are now sending out form URLs to
be completed:

http://jotform.com/form/91140758246
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101


Re: Phishing

2009-04-27 Thread Mike Cardwell

Dennis Davis wrote:


There was a project from an educational institution to target
phishing emails.  I don't recall the name of the project or
whether the source code was released.


You might be thinking of Kochi:

http://oss.lboro.ac.uk/kochi1.html

The Google project:

http://code.google.com/p/anti-phishing-email-reply/

is also useful as it attempts to detail the compromised accounts.
Just block/quarantine email for those accounts.

...of course the phishers are now sending out form URLs to
be completed:

http://jotform.com/form/91140758246


Theoretically you could scan HTTP POST data using Kochi by hooking it 
into Squid or some other HTTP proxy. It should be no more difficult than 
scanning outgoing email is.


Of course, that only helps if your users are accessing the web from 
within your sphere of control at the time. Phishers are unlikely to use 
SSL for this.


--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)


Re: Phishing

2009-04-27 Thread Mike Cardwell

jp wrote:


We've seen some of it with our webmail too.

When one of your users gives out their password and you notice their 
account being abused, look in the message headers or apache logs to see 
where the perp is. We've seen them mostly to be from Africa, Nigeria 
probably. I've taken to blocking their /16 on our webmail server, and 
after a dozen or so IP ranges added, it's stopped. They have a lot of 
time on their hands and phish so they can spam. Who knows what else they 
do with data collected from the naive.


If your webmail runs on Apache, you could block entire countries using 
mod_defensible. Here's an example config that would disallow requests 
from China and Nigeria:


DnsblUse On
DnsblServers ng.countries.nerd.dk cn.countries.nerd.dk

Unfortunately, I don't have that luxury as I work for a University that 
has staff and students all over the World.


You could also use RBLs like sbl-xbl.spamhaus.org if you wanted, as well 
of course.


--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)


Re: Phishing rules?

2008-10-30 Thread Randy

Micah Anderson wrote:

I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:

postfix is doing:
reject_rbl_client   b.barracudacentral.org,
reject_rbl_client   zen.spamhaus.org,
reject_rbl_client   list.dsbl.org,

I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).

I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25_uribl.cf automatically, right? Or do I need to configure
that? if its automatic, that pulls in SURBL phishing). I've got Botnet
setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
can think of... but for some reason phishing attempts keep getting
through.

Sadly, I do not have an example I can share at the moment, as I
typically delete them in a rage after training my bayes filter on
them. However, I am looking for any suggestions of other things I can
turn on... in particular, are there rules that people have created that
look for certain keywords where the body is asking for your
account/password information?

Thanks for any ideas,
micah

  
Report these and maybe they will add something that catches them. If one 
wanted to, they can get any mail they want through your filters if they 
are good and don't use things that trigger the rules.


Re: Phishing rules?

2008-10-30 Thread Bill Landry
Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
> 
> postfix is doing:
>   reject_rbl_client   b.barracudacentral.org,
>   reject_rbl_client   zen.spamhaus.org,
>   reject_rbl_client   list.dsbl.org,
> 
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).
> 
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of... but for some reason phishing attempts keep getting
> through.
> 
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?
> 
> Thanks for any ideas,
> micah
> 
Consider submitting them to SaneSecurity (www.sanesecurity.com) so that
the signatures can be added to their phishing signature database.

Bill


Re: Phishing rules?

2008-10-30 Thread Karsten Bräckelmann
On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
> 
> postfix is doing:
>   reject_rbl_client   b.barracudacentral.org,
>   reject_rbl_client   zen.spamhaus.org,
>   reject_rbl_client   list.dsbl.org,
> 
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).

I'd increase this, at least for the SaneSecurity phish sigs. They are
being updated much more frequently.


> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure

Yes, unless you disable network tests in general. Should be easy to
answer yourself if they are working, just by grepping for the rule names
defined in 25_uribl.cf.


> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of... but for some reason phishing attempts keep getting
> through.
> 
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?

So you've pretty much thrown everything at it you could find... ;)  And
they are still slipping through? How many are we talking here? Compared
to the total number of spam / phish?

Also, how many are being caught? Strikes me as odd that you don't have a
sample but yet sound like every single one is slipping by.

I guess I would start by verifying that all the above actually is working.
Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's
share, by far, assuming it comes before SA in your chain.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Phishing rules?

2008-10-30 Thread Kelson

Micah Anderson wrote:

reject_rbl_client   list.dsbl.org,


DSBL has shut down, and you should remove the query from your list.  It 
won't help with the phishing, but it'll free up some network resources. 
 Info: http://dsbl.org/node/3



I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).


Odd, ClamAV + SaneSecurity does a really good job here at blocking phish 
before they even get to SpamAssassin.  We call clamd through MIMEDefang, 
then call SpamAssassin (also through MIMEDefang) if a message passes.


Have you verified that Clam is using the SaneSecurity signatures?  How 
are you calling ClamAV?


--
Kelson Vibber
SpeedGate Communications 


Re: Phishing rules?

2008-10-30 Thread Joseph Brennan


Micah Anderson <[EMAIL PROTECTED]> wrote:


I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:




Do you mean attempts to get your users to send their passwords,
or fake mail pretending to be from banks?

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology



Re: Phishing rules?

2008-10-30 Thread Jeff Chan
On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:

> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:

[...]
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing).

Increase the score on:

URIBL_PH_SURBL

The current SpamAssassin rules scoring process gives it an
artificially low score which is counterproductive IMO.  If you
want to stop more phishing spams, consider increasing the score. 

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Phishing rules?

2008-10-30 Thread Brent Clark

Hiya

See SA examples

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

Also add hostkarma.junkemailfilter.com to your DNSBL.

Works really well.

Another thing I do find is useful is adding additional higher valued MX 
records.


http://www.junkemailfilter.com/spam/support.html

HTH

Regards
Brent Clark


Re: Phishing rules?

2008-10-31 Thread Micah Anderson
* Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:
> Micah Anderson wrote:
>>  reject_rbl_client   list.dsbl.org,
>
> DSBL has shut down, and you should remove the query from your list.  It  
> won't help with the phishing, but it'll free up some network resources.  
> Info: http://dsbl.org/node/3

Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
is a shame. I had to remove barracuda because I've already received 3
complaints about false positives; that's a real shame, because it was
blocking about 3x as much as zen was.

>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish  
> before they even get to SpamAssassin.  We call clamd through MIMEDefang,  
> then call SpamAssassin (also through MIMEDefang) if a message passes.
>
> Have you verified that Clam is using the SaneSecurity signatures?  How  
> are you calling ClamAV?

Oh I'm certainly blocking phishing attempts via the SaneSecurity
signatures, probably 200+ in the last hour alone. However, the phishing
emails that are getting through are not known to their signature
database, and in some cases have been directly targeted at the domain I
am managing. That's why I am interested in rules that look for typical
phishing emails. These emails are usually quite similar in their
construction, so it seems like a good case for rules.

micah


Re: Phishing rules?

2008-10-31 Thread Micah Anderson
* Jeff Chan <[EMAIL PROTECTED]> [2008-10-31 02:36-0400]:
> On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
> 
> > I keep getting hit by phishing attacks, and they aren't being stopped by
> > anything I've thrown up in front of them:
> 
> [...]
> > I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> > pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> > that? if its automatic, that pulls in SURBL phishing).
> 
> Increase the score on:
> 
> URIBL_PH_SURBL
> 
> The current SpamAssassin rules scoring process gives it an
> artificially low score which is counterproductive IMO.  If you
> want to stop more phishing spams, consider increasing the score. 

Thanks, I will do so... however the phishing emails I am getting are
of two types:

. generalized phishes, which I would expect SURBL to be able to detect a
large percentage of
. targeted phishing to my domain where the phisher attempts to
impersonate the 'admins' and ask for usernames/passwords. These I don't
think will get hits on SURBL, because they are specific to my domain,
and these are actually the more damaging because users are more likely
to be fooled by something that is claiming to come from 'us'.

Micah


signature.asc
Description: Digital signature


Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Randy <[EMAIL PROTECTED]> writes:

> Micah Anderson wrote:
>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>>   
> Report these and maybe they will add something that catches them. If
> one wanted to, they can get any mail the want through your filters if
> they are good and don't use things that trigger the rules.

Report them where exactly?

Here is an example one I received recently, note the hideously low bayes
score on this one, caused it to autolearn as ham even, grr.


>From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
Return-Path: <[EMAIL PROTECTED]>
X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 1225549253-0134941395044-v6.0.3
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.2.5
Delivered-To: [EMAIL PROTECTED]
Received: from mx1.riseup.net (unknown [10.8.0.3])
by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
Received: from master.debian.org (master.debian.org [70.103.162.29])
by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
Received: from cat.cybersurf.net ([209.197.145.185] helo=cat.cia.com)
by master.debian.org with esmtp (Exim 4.63)
(envelope-from <[EMAIL PROTECTED]>)
id 1Kw6j8-0003iT-Ix
for [EMAIL PROTECTED]; Sat, 01 Nov 2008 03:00:38 +
Received: from reef.cybersurf.com ([209.197.145.198])
by cat.cia.com with esmtp (Exim 4.50)
id 1Kw6iz-0002Li-Pg; Fri, 31 Oct 2008 21:00:29 -0600
Received: from apache by reef.cybersurf.com with local (Exim 4.44)
id 1Kw6j0-0006W5-UJ; Fri, 31 Oct 2008 20:00:30 -0700
Received: from 196-207-0-227.netcomng.com (196-207-0-227.netcomng.com 
[196.207.0.227]) 
by webmail.3web.com (IMP) with HTTP 
for <[EMAIL PROTECTED]>; Sat,  1 Nov 2008 14:00:30 +1100
Message-ID: <[EMAIL PROTECTED]>
Date: Sat,  1 Nov 2008 14:00:30 +1100
From: WEBMAIL Help Desk <[EMAIL PROTECTED]>
Reply-to: [EMAIL PROTECTED]
Subject: WEBMAIL Help Desk
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
X-Originating-IP: 196.207.0.227
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV 0.94/8552/Fri Oct 31 18:14:36 2008 on mx1.riseup.net
X-Virus-Status: Clean
Status: RO
Content-Length: 1427
Lines: 38


Dear Webmail User,
This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are
received.
The program is run weekly to ensure no one's inbox grows too large. If
your inbox becomes too large, you will be unable to receive new email.
Just before this message was sent, you had 18 Megabytes (MB) or more of
messages stored in your inbox on your Webmail. To help us re-set your
SPACE on our database prior to maintain your INBOX, you must reply to
this e-mail and enter your

Current User name ()
and Password(   ).

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmai
will move your oldest email to a
folder in your home directory to ensure that you will continue to be
able to receive incoming email. You will be notified by email that this
has taken place. If your inbox grows to 25 MB, you will be unable to
receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE it to another
folder.

Thank you for your cooperation.
WEBMAIL Help Desk






---
3webXS HiSpeed Dial-up...surf up to 5x faster than regular dial-up alone... 
just $14.90/mo...visit www.get3web.com for details





Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:

> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>> 
>> postfix is doing:
>>  reject_rbl_client   b.barracudacentral.org,
>>  reject_rbl_client   zen.spamhaus.org,
>>  reject_rbl_client   list.dsbl.org,
>> 
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I'd increase this, at least for the SaneSecurity phish sigs. They are
> being updated much more frequently.

Thanks for the pointer. For some reason I thought I had read on the
SaneSecurity site that you shouldn't pull more than once a day, but now
after you mentioned it I went and read again and they ask you don't pull
more frequently than once an hour... so I've changed that cronjob, that
should help.

>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>
> Yes, unless you disable network tests in general. Should be easy to
> answer yourself if they are working, just by grepping for the rule names
> defined in 25_uribl.cf.

Network tests aren't disabled, and yeah I am seeing those rules occur in
some of my headers of mail that I can search through, so I think that
they are working. I've increased my overall URIBL scoring to 2.5 from
the default.

>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>
> So you've pretty much thrown everything at it you could find... ;)  And
> they are still slipping through? How many are we talking here? Compared
> to the total number of spam / phish?
>
> Also, how many are being caught? Strikes me as odd that you don't have a
> sample but yet sound like every single one is slipping by.

These are hard for me to answer as I am not doing any analysis of how
many are caught. In the last week, I've gotten four of them through, and
I've received reports from a number of users that they too have received
them.

I've just sent a sample to the list however. 

> I guess, I would start verifying that all the above actually is working.
> Most notably the SaneSecurity phish sigs. ClamAV should catch the lions
> share, by far, assuming it comes before SA in your chain.

Yeah, I'm using the clamav-milter, so those get rejected really early
on.

Thanks for the ideas,
Micah



Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes:

> Micah Anderson <[EMAIL PROTECTED]> wrote:
>
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>
> Do you mean attempts to get your users to send their passwords,
> or fake mail pretending to be from banks?

I mean attempts to get my users to send their passwords, are these not
called phishing?

micah



Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Brent Clark <[EMAIL PROTECTED]> writes:

> Hiya
>
> See SA examples
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> Also add hostkarma.junkemailfilter.com to your DNSBL.

Thanks, I'll add this to my local.cf and see how it goes.

> Another thing I do find is useful is adding additional higher valued
> MX records.
>
> http://www.junkemailfilter.com/spam/support.html

I don't really like the idea of adding some other site's MX to my DNS, so
I think I'll pass on this one.

thanks for the suggestions!
micah



Re: Phishing rules?

2008-11-01 Thread SM

At 07:56 01-11-2008, Micah Anderson wrote:

Here is an example one I received recently, note the hideously low bayes
score on this one, caused it to autolearn as ham even, grr.


[snip]


X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.2.5


The sender is whitelisted by www.dnswl.org.


Received: from master.debian.org (master.debian.org [70.103.162.29])
by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)


The mail is coming through debian.org.  Do you want to blacklist that host?

Regards,
-sm 



Re: Phishing rules?

2008-11-01 Thread Joseph Brennan




Reply-to: [EMAIL PROTECTED]



First pass:

header LOCAL_REPLYTO_LIVE   Reply-to =~ /[EMAIL PROTECTED]/
score  LOCAL_REPLYTO_LIVE   8.0

Maybe scoring 8.0 for one thing scares you, but I haven't seen this
fp in a couple of months.

Joseph Brennan
Columbia University Information Technology




Re: Phishing rules?

2008-11-01 Thread Joseph Brennan


Micah Anderson <[EMAIL PROTECTED]> wrote:


I mean attempts to get my users to send their passwords, are these not
called phishing?

micah



Yes, it's phishing, but for those you might want to make local rules to
catch things specific to your own web mail system and domain.

I find myself reluctant to publish all the patterns we check, in case
someone is watching, but taking your sample, these would match here:


/Dear .{0,12}(web ?mail|columbia\.edu)/i

/Password.{0,10}\([\s\.\*\_]+\)/

/you must reply to this email/i

Reply-to =~ /[EMAIL PROTECTED]/


The first of course is partly local to us.  Another useful local rule
is to check for the uri of your own webmail.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology




Re: Phishing rules?

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:

> > Do you mean attempts to get your users to send their passwords,
> > or fake mail pretending to be from banks?
> 
> I mean attempts to get my users to send their passwords, are these not
> called phishing?

An important bit of information, missing from the OP. :)  Targeted
attacks at your users, so the general phishing BLs don't really apply.

Anyway, can't you educate your users, that

(a) Any administrative email will be sent from an official, well known,
internal address? That means *not* an arbitrary address. Yes, sorry,
the obvious...
(b) They will *never* ever be asked for a password by mail. Period.
Again, obvious...

Then block internal / administrative From addresses coming from any
external SMTP.

This is not a technical way of stopping these, but an educational
approach to prevent the most dumb and gross social engineering. At least
the second one actually should be well-known, and I've seen ISPs
pointing it out frequently...

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
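Karsten's "block internal / administrative From addresses coming from any external SMTP" can be expressed as a SpamAssassin meta rule, shown here as an added example that is not code from any poster in this thread. It relies on the stock ALL_TRUSTED rule, which only hits when every Received: hop is inside trusted_networks, so the combination "claims to be from us, but did not take a trusted path" is what gets scored. The domain example.org, the administrative mailbox names and the scores are assumptions; substitute your own.

```conf
# Added example local.cf fragment (not from the thread). example.org,
# the mailbox names and the scores are assumptions.

# Subrules (leading "__") carry no score and are not reported on their own.
header    __LOCAL_FROM_INTERNAL   From:addr =~ /\@example\.org$/i
header    __LOCAL_FROM_ADMIN      From:addr =~ /^(postmaster|helpdesk|webmaster|admin)\@example\.org$/i

# ALL_TRUSTED is only true when every relay is inside trusted_networks,
# so !ALL_TRUSTED means the message entered from an untrusted host.
meta      LOCAL_FORGED_INTERNAL   __LOCAL_FROM_INTERNAL && !ALL_TRUSTED
describe  LOCAL_FORGED_INTERNAL   Our own From address via an untrusted relay
score     LOCAL_FORGED_INTERNAL   3.0

# Impersonating the help desk is the case this thread is about, so it
# gets the larger score; the two metas stack when both hit.
meta      LOCAL_FORGED_ADMIN      __LOCAL_FROM_ADMIN && !ALL_TRUSTED
describe  LOCAL_FORGED_ADMIN      Administrative From address via an untrusted relay
score     LOCAL_FORGED_ADMIN      5.0
```

Check the rules with `spamassassin --lint` before reloading. The caveat is that this is only as accurate as trusted_networks: if your own users legitimately send with their @example.org address through an outside ISP or a web forwarder, those messages will hit LOCAL_FORGED_INTERNAL, so either route all outbound mail through your own submission hosts or keep the score of the generic rule modest and reserve the high score for the administrative mailboxes nobody should be sending as from outside.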



Re: Phishing rules?

2008-11-01 Thread Joseph Brennan


Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:


Anyway, can't you educate your users



Experience tells me the answer is no, or at least a qualified no.  And
we're supposed to have smart people here.

I suppose the number of responses might be even higher if we did not
try to educate people.  I'll try to comfort myself with that.


Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology



Re: Phishing rules?

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 18:01 -0400, Joseph Brennan wrote:
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
> 
> > Anyway, can't you educate your users [...]
> 
> Experience tells me the answer is no, or at least a qualified no.  And
> we're supposed to have smart people here.
> 
> I suppose the number of responses might be even higher if we did not
> try to educate people.  I'll try to comfort myself with that.

Joseph,  I was afraid you or Micah would tell me exactly that. *sigh*


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Phishing rules?

2008-11-01 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Micah Anderson wrote:
[...]
> Report them where exactly?
> 
> Here is an example one I received recently, note the hideously low bayes
> score on this one, caused it to autolearn as ham even, grr.
> 
> 
> From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
> Return-Path: <[EMAIL PROTECTED]>
> X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 
> 1225549253-0134941395044-v6.0.3
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
> X-Spam-Level: 
> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>   autolearn=ham version=3.2.5
> Delivered-To: [EMAIL PROTECTED]
> Received: from mx1.riseup.net (unknown [10.8.0.3])
>   by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
>   for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
> Received: from master.debian.org (master.debian.org [70.103.162.29])
>   by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>   for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
[...]
Contact debian.org's list manager instead of other actions. That's more
reasonable. And more, I think we need to study about DKIM specification
[RFC4871] to make the Internet of trust ;;

byunghee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkNE/oACgkQsCouaZaxlv5YqACeIozvqJ96tTKm4oLnRySHAfc1
xUIAoI0G4FXr+PqdqvULxm0V+xZOSP77
=8NV0
-END PGP SIGNATURE-


Re: Phishing rules?

2008-11-02 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes:

>> Reply-to: [EMAIL PROTECTED]
>
>
> First pass:
>
> header LOCAL_REPLYTO_LIVE   Reply-to =~ /[EMAIL PROTECTED]/
> score  LOCAL_REPLYTO_LIVE   8.0
>
> Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> fp in a couple of months.

Is live.com a legitimate email sender? It looks Microsoft related. If I
set it to 8, then any mail from that address is sure to get caught as
spam, which may not be the right thing depending on other potential
legitimate addresses sending from that domain.

Or perhaps nothing but spam comes from live.com? I don't know anything
about it.

micah



Re: Phishing rules?

2008-11-02 Thread Micah Anderson
SM <[EMAIL PROTECTED]> writes:

> At 07:56 01-11-2008, Micah Anderson wrote:
>>Here is an example one I received recently, note the hideously low bayes
>>score on this one, caused it to autolearn as ham even, grr.
>
> [snip]
>
>>X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>> autolearn=ham version=3.2.5
>
> The sender is whitelisted by www.dnswl.org.

Yeah, because this one was forwarded through debian.org, which is
legitimate. The spam originator was not debian.org, but debian.org is
the one in dnswl.org.

>>Received: from master.debian.org (master.debian.org [70.103.162.29])
>> by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>> for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
>
> The mail is coming through debian.org.  Do you want to blacklist that host?

No, I do not. 




Re: Phishing rules?

2008-11-02 Thread Micah Anderson
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:

> On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
>> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
>> > Do you mean attempts to get your users to send their passwords,
>> > or fake mail pretending to be from banks?
>> 
>> I mean attempts to get my users to send their passwords, are these not
>> called phishing?
>
> An important bit of information, missing from the OP. :)  Targeted
> attacks at your users, so the general phishing BLs don't really apply.
>
> Anyway, can't you educate your users, that
>
> (a) Any administrative email will be sent from an official, well known,
> internal address? That means *not* an arbitrary address. Yes, sorry,
> the obvious...
> (b) They will *never* ever be asked for a password by mail. Period.
> Again, obvious...

We've been telling our users this for years, but there is always someone
who doesn't listen, or forgets, or something. I don't know. I find it
absolutely incredible that anyone would fall for any of these, yet I am
the one who has to clean up the mess :P

> Then block internal / administrative From addresses coming from any
> external SMTP.

Yeah, that's done, they don't get by faking our From, but the body is
constructed in a way to mislead and impersonate our "staff" or whatever,
usually by threatening people that their account will be closed, unless
they reply.

> This is not a technical way of stopping these, but an educational
> approach to prevent the most dumb and gross social engineering. At least
> the second one actually should be well-known, and I've seen ISPs
> pointing it out frequently...

Thanks, but we've done all these, and continue to do them, they are
another plank in the various mechanisms that we must employ.

micah



Re: Phishing rules?

2008-11-02 Thread Sahil Tandon
Micah Anderson <[EMAIL PROTECTED]> wrote:

> Joseph Brennan <[EMAIL PROTECTED]> writes:
> 
> >> Reply-to: [EMAIL PROTECTED]
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE   Reply-to =~ /[EMAIL PROTECTED]/
> > score  LOCAL_REPLYTO_LIVE   8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.
> 
> Is live.com a legitimate email sender? It looks Microsoft related. If I
> set it to 8, then any mail from that address is sure to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.

It is Microsoft:

% whois `dig +short live.com`

OrgName:Microsoft Corp
OrgID:  MSFT
Address:One Microsoft Way
...

> Or perhaps nothing but spam comes from live.com? I don't know anything
> about it.

We get some legitimate email from @live.com users. 

-- 
Sahil Tandon <[EMAIL PROTECTED]>


Re: Phishing rules?

2008-11-02 Thread Joseph Brennan


Sahil Tandon <[EMAIL PROTECTED]> wrote:


We get some legitimate email from @live.com users.



But they don't set a Reply-to header.  That's the test.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology




Re: Phishing rules?

2008-11-03 Thread Martin Gregorie
On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
> 
> >> Reply-to: [EMAIL PROTECTED]
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE   Reply-to =~ /[EMAIL PROTECTED]/
> > score  LOCAL_REPLYTO_LIVE   8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.
> 
> Is live.com a legitimate email sender? It looks Microsoft related. If I
> set it to 8, then any mail from that address is sure to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.
> 
The latest pharmacy scam to get through my filters has a URI that
matches:
 
^http:.*\.spaces\.live\.com\/$

in its body but the From: header identifies a completely unrelated
address. Would a rule that tags messages with this From and URI combo be
useful or would it generate too many FPs?
 

Martin





Re: Phishing rules?

2008-11-03 Thread mouss

Jeff Chan wrote:

On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:


I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:


[...]

I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25_uribl.cf automatically, right? Or do I need to configure
that? if its automatic, that pulls in SURBL phishing).


Increase the score on:

URIBL_PH_SURBL



out of curiosity, what score do you suggest?



The current SpamAssassin rules scoring process gives it an
artificially low score which is counterproductive IMO.  If you
want to stop more phishing spams, consider increasing the score. 


Jeff C.




Re: Phishing rules?

2008-11-03 Thread mouss

Micah Anderson wrote:

* Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:

Micah Anderson wrote:

reject_rbl_client   list.dsbl.org,
DSBL has shut down, and you should remove the query from your list.  It  
won't help with the phishing, but it'll free up some network resources.  
Info: http://dsbl.org/node/3


Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
is a shame. 


why? that's what I use (I only use other DNSBLs in some cases).


I had to remove barracuda because I've already received 3
complaints about false positives; that's a real shame, because it was
blocking about 3x as much as zen was.



can you share these FPs? if you can't post them to a public list but can 
post them to me, I am interested.



I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).
Odd, ClamAV + SaneSecurity does a really good job here at blocking phish  
before they even get to SpamAssassin.  We call clamd through MIMEDefang,  
then call SpamAssassin (also through MIMEDefang) if a message passes.


Have you verified that Clam is using the SaneSecurity signatures?  How  
are you calling ClamAV?


Oh I'm certainly blocking phishing attempts via the SaneSecurity
signatures, probably 200+ in the last hour alone. However, the phishing
emails that are getting through are not known to their signature
database, and in some cases have been directly targeted at the domain I
am managing. That's why I am interested in rules that look for typical
phishing emails. These emails are usually quite similar in their
construction, so it seems like a good case for rules.



It's hard to block all phishes, since new forms appear every now and then.


Re: Phishing rules?

2008-11-03 Thread Benny Pedersen

On Mon, November 3, 2008 12:02, Martin Gregorie wrote:
> ^http:.*\.spaces\.live\.com\/$
> in its body but the From: header identifies a completely unrelated
> address. Would a rule that tags messages with this From and URI combo be
> useful or would it generate too many FPs?

http://www.nabble.com/Re:-FreeMail-plugin-td16200020.html

might be helpful

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Phishing rules?

2008-11-03 Thread Sahil Tandon
Joseph Brennan <[EMAIL PROTECTED]> wrote:

>> We get some legitimate email from @live.com users.
>
> But they don't set a Reply-to header.  That's the test.

But that wasn't his question; he asked whether any legitimate mail flows
from live.com.  That was my answer. :)

-- 
Sahil Tandon <[EMAIL PROTECTED]>


Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Sahil Tandon <[EMAIL PROTECTED]> writes:

> Joseph Brennan <[EMAIL PROTECTED]> wrote:
>
>>> We get some legitimate email from @live.com users.
>>
>> But they don't set a Reply-to header.  That's the test.
>
> But that wasn't his question; he asked whether any legitimate mail flows
> from live.com.  That was my answer. :)

You are technically correct, but Joseph's message made clear the
information that I was not aware of, which was quite helpful and
technically better.

Micah



Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes:

> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /[EMAIL PROTECTED]/

I created a meta-rule out of these (with a score of 8), and then ran
spamassassin -D < phish to see how it worked, it matched the metarule
flawlessly, but the phish ended up with only a 5.4 score due to BAYES_00
dragging it down. That was surprising to me, so I started to wonder if
my bayes DB was poisoned. 

I ran some stats, and the results seem to indicate a healthy bayes
database (unless I am reading this wrong)... A side note: its
interesting to note how only 9% of our email is spam, which seems low,
but maybe clamav-milter+rbls are blocking the remaining 40%?

Email: 2379392  Autolearn: 1075396  AvgScore:  -6.32  AvgScanTime: 5.96 sec
Spam:   227816  Autolearn:  114079  AvgScore:  14.75  AvgScanTime: 4.23 sec
Ham:   2151576  Autolearn:  961317  AvgScore:  -8.56  AvgScanTime: 6.15 sec

Time Spent Running SA:        3941.26 hours
Time Spent Processing Spam:    267.76 hours
Time Spent Processing Ham:    3673.50 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                  COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  HTML_MESSAGE              154522    54.03    67.83   52.57
   2  BAYES_99                  134531     6.09    59.05    0.48
   3  BOTNET                    133687     8.90    58.68    3.63
   4  RDNS_NONE                 102255    10.19    44.88    6.51
   5  URIBL_JP_SURBL             98879     4.94    43.40    0.87
   6  MIME_HTML_ONLY             87518     7.62    38.42    4.36
   7  URIBL_OB_SURBL             76624     3.98    33.63    0.84
   8  DCC_CHECK                  74600     8.51    32.75    5.94
   9  URIBL_AB_SURBL             59890     2.72    26.29    0.23
  10  URIBL_SC_SURBL             53911     2.51    23.66    0.27
  11  RCVD_IN_BL_SPAMCOP_NET     43120     2.43    18.93    0.68
  12  URIBL_WS_SURBL             38251     1.79    16.79    0.21
  13  URIBL_RHS_DOB              36565     2.17    16.05    0.70
  14  BAYES_50                   35322     3.93    15.50    2.71
  15  HTML_IMAGE_ONLY_16         33887     1.68    14.87    0.28
  16  HTML_SHORT_LINK_IMG_2      33118     1.56    14.54    0.19
  17  HTML_IMAGE_RATIO_02        32757     2.93    14.38    1.72
  18  URIBL_SBL                  30456     1.80    13.37    0.57
  19  RAZOR2_CHECK               27722     2.55    12.17    1.53
  20  RAZOR2_CF_RANGE_51_100     26856     2.41    11.79    1.41
----------------------------------------------------------------------

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                  COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BAYES_00                 2002969    84.67     5.15   93.09
   2  HTML_MESSAGE             1131073    54.03    67.83   52.57
   3  UNPARSEABLE_RELAY         760567    32.93    10.12   35.35
   4  DKIM_SIGNED               693328    29.74     6.26   32.22
   5  DKIM_VERIFIED             531590    22.67     3.38   24.71
   6  ALL_TRUSTED               173612     7.30     0.05    8.07
   7  USER_IN_WHITELIST         155704     6.54     0.00    7.24
   8  RDNS_NONE                 140127    10.19    44.88    6.51
   9  DCC_CHECK                 127844     8.51    32.75    5.94
  10  RCVD_IN_DNSWL_LOW         101863     4.31     0.34    4.73
  11  MIME_HTML_ONLY             93817     7.62    38.42    4.36
  12  RCVD_IN_DNSWL_MED          90038     3.81     0.31    4.18
  13  WHOIS_NETSOLPR             87575     3.72     0.38    4.07
  14  MIME_QP_LONG_LINE          82804     4.49    10.52    3.85
  15  BOTNET                     78052     8.90    58.68    3.63
  16  BAYES_50                   58286     3.93    15.50    2.71
  17  FUZZY_AMBIEN               53284     2.28     0.38    2.48
  18  SARE_SUB_ENC_UTF8          50533     2.14     0.17    2.35
  19  SARE_MILLIONSOF            42268     1.84     0.67    1.96
  20  FORGED_YAHOO_RCVD          38762     1.74     1.16    1.80
----------------------------------------------------------------------


Then I looked to see what bayes did with the message, but I do not
understand how to read the output, can someone explain this to me and
give me an idea why BAYES_00 fired when we've been feeding every one of
these spams to bayes to train on it?

$ spamassassin -D bayes < phish 
[9595] dbg: bayes: using username: @GLOBAL
[9595] dbg: bayes: database connection established
[9595] dbg: bayes: found ba

Re: Phishing rules?

2008-11-09 Thread Ned Slider

Micah Anderson wrote:

Joseph Brennan <[EMAIL PROTECTED]> writes:



/Dear .{0,12}(web ?mail|columbia\.edu)/i

/Password.{0,10}\([\s\.\*\_]+\)/

/you must reply to this email/i

Reply-to =~ /[EMAIL PROTECTED]/


I'm new at writing custom rules, so I am trying to figure out the best
way to do this. Would it be better to make a different rule for each one
of these, or would it be better to make a meta-rule? My guess is it's
better to make a meta-rule, but that means that each rule must hit in
order to get the larger score, versus some of the individual rules
hitting and adding up to the larger score. The meta-rule seems good
because it describes a full profile phishing email that must be met, but
it seems bad because one tweak of the phish would result in the
meta-rule not matching overall. I suppose this is the point of the
arithmetic meta-rule possibility, however I'm puzzled at the best
mechanism to choose. Any advice would be appreciated.



My thinking is lots of low scoring rules are better than one large 
scoring rule. You can however combine the two techniques with metarules 
whereby if 3 or more single scoring rules are met a metarule adds an 
additional score just for good measure.



Once I figure out the best way to match these, I need a good way to
determine what I should score these, the rule-writing documentation
suggests starting at 0.1 and then moving it up as you test it, and
suggests extreme caution scoring a custom rule over 1, however it seems
like these would be better scored higher than that.



That depends on how specific your rules are. Try to write rules for 
phrases rather than single words. If the phish are specific to you then 
it shouldn't be too difficult to write rules to specifically catch them. 
If/when the phishers tweak the phish then you'll need to tweak your rules.


Look at the emails with an analytical eye - what giveaway signs tell you 
that they are spam? Then try to write rules to detect what you see.



The first of course is partly local to us.  Another useful local rule
is to check for the uri of your own webmail.


Yeah, i'll make a uri rule for that and probably add that to the
meta-rule.

Thanks for any advice,
micah






Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes:


> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /[EMAIL PROTECTED]/

I'm new at writing custom rules, so I am trying to figure out the best
way to do this. Would it be better to make a different rule for each one
of these, or would it be better to make a meta-rule? My guess is it's
better to make a meta-rule, but that means that each rule must hit in
order to get the larger score, versus some of the individual rules
hitting and adding up to the larger score. The meta-rule seems good
because it describes a full profile phishing email that must be met, but
it seems bad because one tweak of the phish would result in the
meta-rule not matching overall. I suppose this is the point of the
arithmetic meta-rule possibility, however I'm puzzled at the best
mechanism to choose. Any advice would be appreciated.

Once I figure out the best way to match these, I need a good way to
determine what I should score these, the rule-writing documentation
suggests starting at 0.1 and then moving it up as you test it, and
suggests extreme caution scoring a custom rule over 1, however it seems
like these would be better scored higher than that.

> The first of course is partly local to us.  Another useful local rule
> is to check for the uri of your own webmail.

Yeah, i'll make a uri rule for that and probably add that to the
meta-rule.

Thanks for any advice,
micah
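
Micah's question (one rule per pattern, a meta that needs all of them, or an arithmetic meta) and Ned's "3 or more" answer, worked through as an added Python example; this is not code from the thread or from SpamAssassin, just a deliberately small evaluator for body, header, meta and score lines that scores three constructed messages against Joseph's patterns. The Reply-To pattern and the L_ rule names are constructed, because the archive redacts the address Joseph matched on.

```python
"""Evaluator for a small subset of SpamAssassin rule syntax (body, header,
meta, score). Added example, not SpamAssassin's code: it shows how four
low-scoring rules, a meta needing all four, and an arithmetic meta needing
any three (Ned's "3 or more") behave once the phish is tweaked."""
import ast
import operator
import re

# Constructed rule set. The body patterns are Joseph's; the Reply-To address
# is redacted in the archive, so a constructed pattern stands in for it.
RULES_CF = r"""
body    L_PHISH_DEAR     /Dear .{0,12}(web ?mail|columbia\.edu)/i
body    L_PHISH_PASSWD   /Password.{0,10}\([\s\.\*\_]+\)/
body    L_PHISH_REPLY    /you must reply to this email/i
header  L_PHISH_REPLYTO  Reply-To =~ /\@(gmail|yahoo|hotmail)\.com$/i
score   L_PHISH_DEAR     0.5
score   L_PHISH_PASSWD   0.5
score   L_PHISH_REPLY    0.5
score   L_PHISH_REPLYTO  0.5
meta    L_PHISH_ALL      (L_PHISH_DEAR && L_PHISH_PASSWD && L_PHISH_REPLY && L_PHISH_REPLYTO)
score   L_PHISH_ALL      3.0
meta    L_PHISH_3OF4     ((L_PHISH_DEAR + L_PHISH_PASSWD + L_PHISH_REPLY + L_PHISH_REPLYTO) >= 3)
score   L_PHISH_3OF4     3.0
"""

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}
_LINE = {
    "body":   re.compile(r"^(?:raw)?body\s+(\S+)\s+/(.*)/([ims]*)$"),
    "header": re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([ims]*)$"),
    "meta":   re.compile(r"^meta\s+(\S+)\s+(.*)$"),
    "score":  re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$"),
}

def _rx(pattern, flags):
    return re.compile(pattern, sum(_FLAGS[c] for c in flags))  # distinct bits, so sum == or

def parse_rules(text):
    """Parse rule lines in file order; anything outside the subset is rejected."""
    rules = {"body": [], "header": [], "meta": [], "score": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = line.split()[0].replace("rawbody", "body")
        m = _LINE[kind].match(line) if kind in _LINE else None
        if not m:
            raise ValueError("unparsed rule line: " + line)
        if kind == "body":
            rules["body"].append((m[1], _rx(m[2], m[3])))
        elif kind == "header":
            rules["header"].append((m[1], m[2].lower(), _rx(m[3], m[4])))
        elif kind == "meta":
            rules["meta"].append((m[1], m[2]))
        else:
            rules["score"][m[1]] = float(m[2])
    return rules

_CMP = {ast.GtE: operator.ge, ast.Gt: operator.gt, ast.LtE: operator.le,
        ast.Lt: operator.lt, ast.Eq: operator.eq}

def _meta(node, hits):
    """Walk a whitelisted AST rather than eval(); a rule name is 1 if it hit."""
    if isinstance(node, ast.Expression):
        return _meta(node.body, hits)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        return int(hits.get(node.id, False))          # unknown rule counts as 0 here
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _meta(node.left, hits) + _meta(node.right, hits)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        return int(_CMP[type(node.ops[0])](_meta(node.left, hits), _meta(node.comparators[0], hits)))
    if isinstance(node, ast.BoolOp):
        vals = [_meta(v, hits) for v in node.values]
        return int(all(vals) if isinstance(node.op, ast.And) else any(vals))
    raise ValueError("unsupported meta syntax: " + ast.dump(node))

def evaluate(rules, msg):
    """msg = {'headers': {name: value}, 'body': text}; returns (hits, total score).
    Body rules run on the text as given, not on SA's rendered body."""
    hits = {}
    headers = {k.lower(): v for k, v in msg["headers"].items()}
    for name, rx in rules["body"]:
        hits[name] = bool(rx.search(msg["body"]))
    for name, hdr, rx in rules["header"]:
        hits[name] = bool(rx.search(headers.get(hdr, "")))
    for name, expr in rules["meta"]:   # file order, so a later meta may use an earlier one
        py = expr.replace("&&", " and ").replace("||", " or ")
        hits[name] = bool(_meta(ast.parse(py, mode="eval"), hits))
    # A rule without a score line is worth 1.0, as in SpamAssassin.
    return hits, sum(rules["score"].get(n, 1.0) for n, hit in hits.items() if hit)

# Constructed messages: the phish as the patterns describe it, the same phish
# with one sentence reworded, and an ordinary notice from the IT department.
PHISH_FULL = {
    "headers": {"Reply-To": "webmail-upgrade@gmail.com"},
    "body": "Dear Webmail User,\nYour account will expire. Confirm your details:\n"
            "Username: (........)\nPassword: (........)\n"
            "Note that you must reply to this email within 48 hours.\n",
}
PHISH_TWEAKED = dict(PHISH_FULL, body=PHISH_FULL["body"].replace(
    "you must reply to this email", "kindly respond with the details above"))
HAM = {
    "headers": {"Reply-To": "it-help@example.edu"},
    "body": "Dear colleague,\nThe new password policy takes effect Monday; see the intranet.\n",
}

if __name__ == "__main__":
    for label, msg in (("full phish", PHISH_FULL), ("tweaked", PHISH_TWEAKED), ("ham", HAM)):
        print(label, evaluate(parse_rules(RULES_CF), msg)[1])
```

Run as a script it scores the full phish 8.0 (four halves plus both metas), the reworded phish 4.5 (the all-four meta drops out, the 3-of-4 meta still fires, which is the resilience Ned is after), and the IT notice 0.0. The meta walker whitelists AST node types instead of handing text from a rule file to eval(), which is the habit to keep whenever rule files are editable by more people than the filter's administrator.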



Re: Phishing filtering?

2005-05-03 Thread Jeff Chan
On Monday, May 2, 2005, 7:18:04 PM, Steve Lake wrote:
> I'm curious.  How well does SA do with handling phishing spam and is 
> there stuff built into it to identify and nail these kind of emails?  I'm just 
> curious because I heard that in just the past 5 months Netcraft has logged 
> over 5600 unique phishing sites on the net, so I wanted to be sure any spam 
> about those wouldn't get through.  Any info is welcome.  :D

SURBL lists are supported in the default SA 3 configuration if
network tests are enabled and a current Net::DNS is installed.
The SURBL List ph.surbl.org contains 2000 current phishing sites
from MailSecurity and MailPolice:

  http://www.surbl.org/lists.html#ph

We are working with antiphishing.org to add their data also.

(SURBLs allow you to block spams based on URIs they contain,
such as phishing sites.  More info at our site.)

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Phishing filtering?

2005-05-03 Thread Jo
Jeff Chan wrote:
> On Monday, May 2, 2005, 7:18:04 PM, Steve Lake wrote:
>> I'm curious.  How well does SA do with handling phishing spam and is there 
>> stuff built into it to identify and nail these kind of emails?  I'm just 
>> curious because I heard that in just the past 5 months Netcraft has logged 
>> over 5600 unique phishing sites on the net, so I wanted to be sure any spam 
>> about those wouldn't get through.  Any info is welcome.  :D
>
> SURBL lists are supported in the default SA 3 configuration if
> network tests are enabled and a current Net::DNS is installed.
> The SURBL List ph.surbl.org contains 2000 current phishing sites
> from MailSecurity and MailPolice:
>  http://www.surbl.org/lists.html#ph
> We are working with antiphishing.org to add their data also.
> (SURBLs allow you to block spams based on URIs they contain,
> such as phishing sites.  More info at our site.)
> Cheers,
> Jeff C.

Over here the phishing attempts are being caught by Clamav, which is run 
first by Amavisd-new.

Jo


RE: Phishing filtering?

2005-05-04 Thread Chris Santerre


>-Original Message-
>From: Steve Lake [mailto:[EMAIL PROTECTED]
>Sent: Monday, May 02, 2005 10:18 PM
>To: users@spamassassin.apache.org
>Subject: Phishing filtering?
>
>
>   I'm curious.  How well does SA do with handling phishing spam and is there 
>stuff built into it to identify and nail these kind of emails?  I'm just 
>curious because I heard that in just the past 5 months Netcraft has logged 
>over 5600 unique phishing sites on the net, so I wanted to be sure any spam 
>about those wouldn't get through.  Any info is welcome.  :D

We also add them to black.uribl.com list. We differentiate internally that
they are phish domains and IPs. But we just add them to the black list
because the outcome is the same :)

Chris Santerre 
System Admin and SARE/URIBL Ninja
http://www.rulesemporium.com 
http://www.uribl.com


Re: Phishing filtering?

2005-05-04 Thread Fred
Steve Lake wrote:
> I'm curious.  How well does SA do with handling phishing spam and is
> there stuff built into it to identify and nail these kind of emails?
> I'm just curious because I heard that in just the past 5 months
> Netcraft has logged over 5600 unique phishing sites on the net, so I
> wanted to be sure any spam about those wouldn't get through.  Any
> info is welcome.  :D

The "Spoof" rules on the rulesemporium.com site are able to identify many
phish attempts.  They use basic logic to check the From, URI, and Received
headers to attempt simple validation based on what they should be.  They are
scored high, mostly because customers often whitelist those domains and
these rules are created to over-ride any of those innocent whitelists.  I
noticed they haven't changed since 12-21-2004, that shows their stability.

** I am the author of those rules, get them here.
http://www.rulesemporium.com/rules/70_sare_spoof.cf

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400





Re: phishing rule

2005-01-13 Thread Kevin Peuhkurinen
Dan wrote:
> I am trying to write a rule to catch phishing schemes of this nature:
> http://legit-stie.com/login
> Is there anything wrong with this regexp?
> /href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
> I realize that it is probably really error-prone, but that is why I am
> throwing it out to this list.  Has anyone else tried to tackle this
> with success?

You don't need to use the 'match anything but' components.   It's also a 
generally accepted practice not to use * but rather to put in a 
restriction on the number of characters that can be matched.   Also note 
that this would have to be a rawbody test.

The following works for me in that it triggers on your example.   
However, most of the newer phishing emails I've seen use maps laid over 
legit hrefs.

rawbody MYPHISHTEST /href=\"\d{1,3}(\.\d{1,3}){3}.{0,20}\".{0,20}\>\s{0,5}http/i
score   MYPHISHTEST 0.1




RE: phishing rule

2005-01-13 Thread Chris Santerre


>-Original Message-
>From: Dan [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, January 12, 2005 6:40 PM
>To: [EMAIL PROTECTED]
>Subject: phishing rule
>
>
>I am trying to write a rule to catch phishing schemes of this nature:
>http://legit-stie.com/login
>
>Is there anything wrong with this regexp?
>/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
>
>I realize that it is probably really error-prone, but that is why I am
>throwing it out to this list.  Has anyone else tried to tackle this
>with success?

On top of what Kevin posted, you could search for a shorter phrase, like:

.123/login">http

Instead of the whole long line. Keeps the memory lower. And rule should be
quicker that way. 

As a general rule of thumb, I try to look for the smallest 'phrase' that
will cause the best results. Sounds like nit picking, until you run a few
hundred custom rules :) 

HTH,
--Chris


RE: phishing rule

2005-01-13 Thread hamann . w

I was suggesting - a while ago, to make a more general check (which would 
probably be a plugin) - to detect phish based on different urls (e.g check 
whether they end up at the same ip) but was told that quite a lot of legit 
email have differing urls. While I understand that database systems may 
generate links different from the displayed url, I still cannot see too many 
reasonable uses of different hosts (ip's might differ as part of a load 
balancing scheme, however)

Wolfgang Hamann

Dan wrote:

>I am trying to write a rule to catch phishing schemes of this nature:
>http://legit-stie.com/login
>






Re: phishing rules

2015-08-23 Thread Benny Pedersen

On August 24, 2015 5:14:53 AM Nick Edwards  wrote:


ciao


Agere, create share deploy, thank you


Re: phishing rules

2015-08-24 Thread RW
On Mon, 24 Aug 2015 13:14:41 +1000
Nick Edwards wrote:

> Hey,
> 
> Kind of had enough of regular URIBL's not getting this stuff, so
> wondering has anyone written any rules they want to share on/off list to
> match on mismatched URI links,

Are you getting a lot of phishes that still do this? 

It used to be really common, but I haven't seen it much recently. 

  


Re: phishing rules

2015-08-24 Thread Joseph Brennan


Nick Edwards  wrote:

> example
> the displayed version in mail might be www.example.com, but the actual
> URI when you highlight or click on it, is foobar.example.net



The most common case is that the text shows the real web page, but the link 
goes to a click counter page that redirects to the real web page. This is 
usually not spam but wanted list mail from Mail Chimp, Constant Contact, 
and friends.


A recent variation is a link going to urldefense.proofpoint.com which 
redirects to the real web page-- or not, if Proofpoint has found the web 
page to be malicious by the time the user clicks. Even if you don't use 
Proofpoint to do this rewriting, you're going to see the result sometimes 
in replies that include the original, and forwards. Ironically this is an 
ANTI phishing technique.


I realize you're not interested but other people read this list :-)


Joseph Brennan
Columbia University





Re: phishing rules

2015-08-25 Thread Tom Hendrikx


On 24-08-15 18:34, Joseph Brennan wrote:
> 
> Nick Edwards  wrote:
> 
>> example
>> the displayed version in mail might be www.example.com, but the actual
>> URI when you highlight or click on it, is foobar.example.net
> 
> 
> The most common case is that the text shows the real web page, but the
> link goes to a click counter page that redirects to the real web page.
> This is usually not spam but wanted list mail from Mail Chimp, Constant
> Contact, and friends.

That is why all those messages actually don't use a URL in the text, but
a regular textual description:

BAD: <a href="http://redirector.tld?go=acme.com">acme.com</a>

GOOD: <a href="http://redirector.tld?go=acme.com">Visit ACME website</a>

Basically every MUA I know will label the message as a possible scam
when you use the BAD version, which is why you actually never see it in
non-spam mail, unless the editor was a real noob. I have no recent
experience with MailChimp and friends, but I hope they're educating
users to use the GOOD version.

So a clear spam indicator for me.

Regards,
Tom


Re: phishing rules

2015-08-25 Thread RW
On Tue, 25 Aug 2015 09:55:57 +0200
Tom Hendrikx wrote:


> Basically every MUA I know will label the message as a possible scam
> when you use the BAD version, which is why you actually never see it in
> non-spam mail, unless the editor was a real noob.

That applies to spam too. 

Would this really have a significant effect on modern phishes?


Re: phishing rules

2015-08-25 Thread Joe Quinn

On 8/25/2015 7:51 AM, RW wrote:
> On Tue, 25 Aug 2015 09:55:57 +0200
> Tom Hendrikx wrote:
>
>> Basically every MUA I know will label the message as a possible scam
>> when you use the BAD version, which is why you actually never see it in
>> non-spam mail, unless the editor was a real noob.
>
> That applies to spam too.
>
> Would this really have a significant effect on modern phishes?

It still works against a lot of people, even those who know what to look 
for. It's easy to get complacent and click a link without checking it 
first when you go through a hundred emails a day.


That said, it also works because it's common in ham to the point that 
you just sometimes have to ignore it. Lots of questionable but 
consented-to mass marketing emails will use a tracker domain for 
embedded URLs, so when someone links to <a href=http://apache.org>apache.org</a>, it gets rewritten and now it hits 
this new rule. Or perhaps if you ever are told to go to <a href=http://www.google.com>google.com</a> and log into <a href=http://accounts.google.com>gmail.com</a> you'll hit the rule too...


There's a lot of reasons to have such a rule and lots of reasons to not 
have it. Without any data, I would lean towards not having it, because 
there's usually a better pattern to match on.


But we can have data! Put the rule in a sandbox and see what RuleQA 
thinks of its stats.


Re: phishing rules

2015-08-26 Thread RW
On Tue, 25 Aug 2015 08:25:30 -0400
Joe Quinn wrote:

> On 8/25/2015 7:51 AM, RW wrote:
> > On Tue, 25 Aug 2015 09:55:57 +0200
> > Tom Hendrikx wrote:
> >
> >
> >> Basically every MUA I know will label the message as a possible
> >> scam when you use the BAD version, which is why you actually never
> >> see it in non-spam mail, unless the editor was a real noob.
> > That applies to spam too.
> >
> > Would this really have a significant effect on modern phishes?
> It still works against a lot of people, even those who know what to
> look for. It's easy to get complacent and click a link without
> checking it first when you go through a hundred emails a day.

It's not really about whether it might work, but whether it's
actually being used.

The original post was about the current wave of phishes that are
getting through SA. What I'm seeing is phishes that are convincing
without using the domain mismatch which triggers a malicious link
warning. 

I just wondered whether it had been established that domain mismatches
are a common feature of the phishes that are getting through.



Re: Phishing attempts getting through.

2005-03-22 Thread Matt Kettler
Sunny Forro wrote:

>Hello,
>   I've got a problem. I've got a lot of phishing attacks making it
>through my mailscanner setup. I do have phishing fraud detection turned
>on, and I have not modified the phishing safe sites list. Most (if not
>all) of the phishing emails are ebay account notices with forged IP
>addresses. I don't understand how these are getting through. Is anyone
>else out there having the same problem? Does anyone have any
>suggestions? The only reason I know they're getting through is because
>I've set up MailWatch for MailScanner (works great, makes it easy to see
>what's going on)
>

Have you considered adding clamav to your MailScanner setup? clamav
detects a wide variety of stock phishing scams as if they were viruses.
Works great for me with my setup. (I use it with MailScanner, but I have
the MailScanner phishing net disabled). It's not 100%, but it catches
80-90% of them without any work on my part.

http://www.clamav.net/

>From there you might want to consider the SARE spoofing ruleset for
SpamAssassin (I've not tried it myself, but it seems well written)

http://www.rulesemporium.com/rules/70_sare_spoof.cf



Re: Phishing attempts getting through.

2005-03-22 Thread ChupaCabra
And this has what to do with Spamassassin?

Sunny Forro wrote:
> Hello,
> I've got a problem. I've got a lot of phishing attacks making it
> through my mailscanner setup. I do have phishing fraud detection turned
> on, and I have not modified the phishing safe sites list. Most (if not
> all) of the phishing emails are ebay account notices with forged IP
> addresses. I don't understand how these are getting through. Is anyone
> else out there having the same problem? Does anyone have any
> suggestions? The only reason I know they're getting through is because
> I've set up MailWatch for MailScanner (works great, makes it easy to see
> what's going on).
> Any ideas?
> Sunny
> Elmer Steve Forro III (Sunny)
> Assistant Manager of Information Systems
> Compco Industries
> 400 West Railroad Street
> Suite 1
> Columbiana, OH 44408
> Phone:	(330) 482-0200
> Cell:		(330) 881-8401
> Fax:		(330) 482-6492
> Email:	[EMAIL PROTECTED]
> Web:		http://www.compcoind.com/ 

 

--
Michael H. Collins  Admiral, Penguinista Navy
http://linuxlink.com
/"\ASCII Ribbon Campaign
\ / No HTML/RTF in email
x   No Word docs in email
/ \ Respect for open standards
In a related story, the IRS has recently ruled that 
the cost of Windows upgrades can NOT be deducted 
as a gambling loss.




Re: Phishing attempts getting through.

2005-03-22 Thread David B Funk
On Tue, 22 Mar 2005, Matt Kettler wrote:

> Sunny Forro wrote:
>
> >Hello,
> > I've got a problem. I've got a lot of phishing attacks making it
> >through my mailscanner setup. I do have phishing fraud detection turned
> >on, and I have not modified the phishing safe sites list. Most (if not
> >all) of the phishing emails are ebay account notices with forged IP
[snip..]
> Have you considered adding clamav to your MailScanner setup? clamav
> detects a wide variety of stock phishing scams as if they were viruses.
> Works great for me with my setup. (I use it with MailScanner, but I have
> the MailScanner phishing net disabled). It's not 100%, but it catches
> 80-90% of them without any work on my part.
>
> http://www.clamav.net/
>
> From there you might want to consider the SARE spoofing ruleset for
> SpamAssassin (I've not tried it myself, but it seems well written)
>
> http://www.rulesemporium.com/rules/70_sare_spoof.cf

I'll second that advice, am doing both and well worth the effort.
(not to mention the side effect of blocking viri ;).

I've integrated clamav into the SMTP system to do a SMTP-REJECT on all
detected baddies, so viri and many phishes never make it in our front
door.

I augmented 70_sare_spoof.cf to improve its coverage, added more
bank sites we've seen (EG: wamu.com, huntington.com, keybank.com
hiberniainfo.com, etc).

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Phishing attempts getting through.

2005-03-23 Thread Loren Wilton
Are you using the SARE anti-spoof rules?  We catch the ebay stuff pretty
well.

Loren



Re: Phishing attempts getting through.

2005-03-23 Thread Loren Wilton
> From: "David B Funk" <[EMAIL PROTECTED]>
>
> I augmented 70_sare_spoof.cf to improve its coverage, added more
> bank sites we've seen (EG: wamu.com, huntington.com, keybank.com
> hiberniainfo.com, etc).

If you'd be willing to share your rule enhancements with the rest of the
community, we'd be more than happy to mass-check them and add them to the
file!  We'll credit you with the rules, and about all you have to do is
agree with the licence terms on the file.

Loren



Re: Phishing attempts getting through.

2005-03-23 Thread Jeff Chan
On Tuesday, March 22, 2005, 10:58:30 AM, Sunny Forro wrote:
> Hello,
> I've got a problem. I've got a lot of phishing attacks making it
> through my mailscanner setup. I do have phishing fraud detection turned
> on, and I have not modified the phishing safe sites list. Most (if not
> all) of the phishing emails are ebay account notices with forged IP
> addresses. I don't understand how these are getting through. Is anyone
> else out there having the same problem? Does anyone have any
> suggestions? The only reason I know they're getting through is because
> I've set up MailWatch for MailScanner (works great, makes it easy to see
> what's going on).

Try using SURBLs:

  http://www.surbl.org/

specifically:

  http://www.surbl.org/lists.html#ph

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Phishing attempts getting through.

2005-03-23 Thread Martin Hepworth
Sunny
depends where the problem is and what you mean by the phishing emails 
getting through?

1. Ask on the MailScanner list, I'll be there too..
2. use the free ClamAV anti-virus system, this is quite good at 
catching this stuff.
3. Do you mean the MS phishing net or actual phishing emails?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Sunny Forro wrote:
> Hello,
> I've got a problem. I've got a lot of phishing attacks making it
> through my mailscanner setup. I do have phishing fraud detection turned
> on, and I have not modified the phishing safe sites list. Most (if not
> all) of the phishing emails are ebay account notices with forged IP
> addresses. I don't understand how these are getting through. Is anyone
> else out there having the same problem? Does anyone have any
> suggestions? The only reason I know they're getting through is because
> I've set up MailWatch for MailScanner (works great, makes it easy to see
> what's going on).
> Any ideas?
> Sunny
> Elmer Steve Forro III (Sunny)
> Assistant Manager of Information Systems
> Compco Industries
> 400 West Railroad Street
> Suite 1
> Columbiana, OH 44408
> Phone:	(330) 482-0200
> Cell:		(330) 881-8401
> Fax:		(330) 482-6492
> Email:	[EMAIL PROTECTED]
> Web:		http://www.compcoind.com/ 


Re: Phishing attempts getting through.

2005-03-30 Thread Joe Young
Can someone expand on the ClamAV detecting phishing attempts. Or direct 
me some where?

Thank you,
--Joe
Matt Kettler wrote:
> Sunny Forro wrote:
>> Hello,
>> I've got a problem. I've got a lot of phishing attacks making it
>> through my mailscanner setup. I do have phishing fraud detection turned
>> on, and I have not modified the phishing safe sites list. Most (if not
>> all) of the phishing emails are ebay account notices with forged IP
>> addresses. I don't understand how these are getting through. Is anyone
>> else out there having the same problem? Does anyone have any
>> suggestions? The only reason I know they're getting through is because
>> I've set up MailWatch for MailScanner (works great, makes it easy to see
>> what's going on)
>
> Have you considered adding clamav to your MailScanner setup? clamav
> detects a wide variety of stock phishing scams as if they were viruses.
> Works great for me with my setup. (I use it with MailScanner, but I have
> the MailScanner phishing net disabled). It's not 100%, but it catches
> 80-90% of them without any work on my part.
>    http://www.clamav.net/
> From there you might want to consider the SARE spoofing ruleset for
> SpamAssassin (I've not tried it myself, but it seems well written)
>    http://www.rulesemporium.com/rules/70_sare_spoof.cf





Re: Phishing attempts getting through.

2005-03-30 Thread Matt Kettler
Joe Young wrote:

>
> Can someone expand on the ClamAV detecting phishing attempts. Or
> direct me some where?
>
> Thank you,


It just detects the message itself as a virus. Here's a sample report
generated when MailScanner fed a phishing email to our virus scanners:

The following e-mails were found to have: Virus Detected

    Sender: [EMAIL PROTECTED]
IP Address: 66.199.161.40
 Recipient: [EMAIL PROTECTED]
   Subject: Your Account Will Be Suspended ; Checking  
 MessageID: j2ELE82X031642
    Report: ClamAV: msg-18232-49.html contains HTML.Phishing.Pay-6 




Re: Phishing attempts getting through.

2005-03-31 Thread Loren Wilton
> Can someone expand on the ClamAV detecting phishing attempts. Or direct
> me some where?

Pick up some of the SARE rulesets.  I think spoof or fraud is the one that
contains an assortment of phishhooks.  Won't get 'em all, but will sure cut
down on the more common ones.

Loren



Re: Phishing obfuscated url detection

2004-09-15 Thread Jeff Chan
On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> I have checked the archives, can't find anything directly related to this.

> In most phishing scams, the real address of a URL is unrelated to the link 
> text that appears in the mail client. Is it possible to detect where
> <a href="foo">bar</a>
> and foo and bar are unrelated domains?

> Thanks folks.

That could be a good idea for a rule.  It would be nice if it
could be determined canonically, without actually resolving
either location.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Phishing obfuscated url detection

2004-09-15 Thread John Wilcock
On Wed, 15 Sep 2004 09:38:30 +0100, Julian Field wrote:
> I have checked the archives, can't find anything directly related to this.
> 
> In most phishing scams, the real address of a URL is unrelated to the link 
> text that appears in the mail client. Is it possible to detect where
> <a href="foo">bar</a>
> and foo and bar are unrelated domains?
> 
> Thanks folks.

I guess the question boils down to "can backreferences be used in
regexes for SA rules"? If so, the combined wisdom of the list ought to
be able to come up with a suitable rule... 

John.

-- 
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr



Re: Phishing obfuscated url detection

2004-09-15 Thread Chr. von Stuckrad
On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> > ... Is it possible to detect where
> > <a href="foo">bar</a>
> > and foo and bar are unrelated domains?
> 
> That could be a good idea for a rule.  It would be nice if it
> could be determined canonically, without actually resolving
> either location.

IMHO this is near impossible.

The trivial String Back-reference check can never
determine whether 'foo' and 'bar' are un*related*.
Just whether the text *in* the HREF is unequal to
the text shown to the user highlighted as a link.

In all cases, where the HREF is only 'semantically'
*related* to the following link text, a string check
will assume 'spam', while 'spam/scam' will sooner or
later just obfuscate the text portion by javascript
or encoding tricks.

e.g.:   <a href="http://www.eplus.de">imail.de</a>
is 'related' (even if 'mis'constructed)
because you find access to the 'imail.de'
Mails via the 'www.eplus.de' webserver.

Also many Mail-Texts of the kind
 ... to reach FOO click here
would be very difficult to 'analyze correctly'.

So I believe it to be an interesting idea for AI specialists,
but alas not for inclusion in spamassassin as it works now.

Stucki  (postmaster at mi.fu-berlin.de using spamassassin 2.63)



Re: Phishing obfuscated url detection

2004-09-15 Thread Jeff Chan
On Wednesday, September 15, 2004, 2:41:14 AM, Chr. Stuckrad wrote:
> On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
>> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
>> > ... Is it possible to detect where
>> > <a href="foo">bar</a>
>> > and foo and bar are unrelated domains?
>> 
>> That could be a good idea for a rule.  It would be nice if it
>> could be determined canonically, without actually resolving
>> either location.

> IMHO this is near impossible.

> The trivial String Back-reference check can never
> determine whether 'foo' and 'bar' are un*related*.
> Just whether the text *in* the HREF is unequal to
> the text shown to the user highlighted as a link.

> In all cases, where the HREF is only 'semantically'
> *related* to the following link text, a string check
> will assume 'spam', while 'spam/scam' will sooner or
> later just obfuscate the text portion by javascript
> or encoding tricks.

> e.g.:   <a href="http://www.eplus.de">imail.de</a>
> is 'related' (even if 'mis'constructed)
> because you find access to the 'imail.de'
> Mails via the 'www.eplus.de' webserver.

> Also many Mail-Texts of the kind
>  ... to reach FOO click here
> would be very difficult to 'analyze correctly'.

> So I believe it to be an interesting idea for AI specialists,
> but alas not for inclusion in spamassassin as it works now.

> Stucki  (postmaster at mi.fu-berlin.de using spamassassin 2.63)

Hmm, well there's always the brute force method of matching
phisher URI domains in our phishing SURBL using urirhsbl,
urirhssub or SpamCopURI:

  http://www.surbl.org/lists.html#ph

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Phishing obfuscated url detection

2004-09-15 Thread Loren Wilton
> > In most phishing scams, the real address of a URL is unrelated to the
link
> > text that appears in the mail client. Is it possible to detect where
> > <a href="foo">bar</a>
> > and foo and bar are unrelated domains?
> >
> I guess the question boils down to "can backreferences be used in
> regexes for SA rules"? If so, the combined wisdom of the list ought to
> be able to come up with a suitable rule...

And the answer is... Grab the SARE phishing rules.  Although I don't think
any of them use backreferences for catching that sort of thing.

Loren



Re: Phishing obfuscated url detection

2004-09-15 Thread Jesse Houwing
I'd written a test for this some time back, and it worked reasonably well, 
except for newsletters from various legit sources (eg T-Mobile NL, 
Microsoft, Gamespy daily) which all use some click referencing script that 
is located on the server of the company that actually does the emailing, 
instead of the company whom the mail was actually sent for.

As I didn't want to write a lot of exceptions into the rule, I've dropped the 
idea.

Jesse



-Original Message-
From: Jeff Chan <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Date: Wed, 15 Sep 2004 02:57:13 -0700
Subject: Re: Phishing obfuscated url detection

> On Wednesday, September 15, 2004, 2:41:14 AM, Chr. Stuckrad wrote:
> > On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
> >> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> >> > ... Is it possible to detect where
> >> > <a href="foo">bar</a>
> >> > and foo and bar are unrelated domains?
> >> 
> >> That could be a good idea for a rule.  It would be nice if it
> >> could be determined canonically, without actually resolving
> >> either location.
> 
> > IMHO this is near impossible.
> 
> > The trivial String Back-reference check can never
> > determine whether 'foo' and 'bar' are un*related*.
> > Just whether the text *in* the HREF is unequal to
> > the text shown to the user highlighted as a link.
> 
> > In all cases, where the HREF is only 'semantically'
> > *related* to the following link text, a string check
> > will assume 'spam', while 'spam/scam' will sooner or
> > later just obfuscate the text portion by javascript
> > or encoding tricks.
> 
> > e.g.:   <a href="http://www.eplus.de">imail.de</a>
> > is 'related' (even if 'mis'constructed)
> > because you find access to the 'imail.de'
> > Mails via the 'www.eplus.de' webserver.
> 
> > Also many Mail-Texts of the kind
> >  ... to reach FOO click here
> > would be very difficult to 'analyze correctly'.
> 
> > So I believe it to be an interesting idea for AI specialists,
> > but alas not for inclusion in spamassassin as it works now.
> 
> > Stucki  (postmaster at mi.fu-berlin.de using spamassassin 2.63)
> 
> Hmm, well there's always the brute force method of matching
> phisher URI domains in our phishing SURBL using urirhsbl,
> urirhssub or SpamCopURI:
> 
>   http://www.surbl.org/lists.html#ph
> 
> Jeff C.
> -- 
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/
> 
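
The href-versus-link-text check that Julian asks about in this thread, that Stucki and Jesse judge hard to do without false positives, and that Tom's BAD/GOOD forms and Joe Quinn's google.com/gmail.com cases illustrate in the 2015 "phishing rules" thread above, as an added Python example that is not SpamAssassin's code and not a SARE rule. It goes a little beyond the threads by also flagging an href whose host is a bare IP address, the case Dan and Kevin target with a rawbody regex. The sample HTML, the redirector allowlist and the two-label stand-in for a public-suffix lookup are all constructed assumptions.

```python
"""Flag anchors whose visible text names one domain while the href goes to
another, plus hrefs whose host is a bare IP address. Added example, not
SpamAssassin's code or a SARE rule. Everything here is constructed: the
sample HTML, the redirector allowlist, and the two-label stand-in for a
public-suffix lookup."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist for known link-rewriting services (Joseph's urldefense
# case); a real deployment would maintain this list deliberately.
KNOWN_REDIRECTORS = {"urldefense.proofpoint.com"}

# Link text that looks like a hostname or URL rather than a phrase.
_DOMAINISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#:]\S*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; '' for mailto:/javascript: and the like."""
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:
        return ""
    if not parts.scheme:                 # "www.example.com/x" or "192.0.2.1/login"
        parts = urlsplit("http://" + url)
    return (parts.hostname or "").lower()


def _registrable(host):
    """Last two labels: a toy stand-in for a public-suffix list (it gets
    co.uk-style domains wrong, so treat it as an assumption)."""
    return ".".join(host.split(".")[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return [(href, text, reason)] for anchors a rule would flag."""
    parser = _Anchors()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        href_host = _host(href)
        if not href_host or href_host in KNOWN_REDIRECTORS:
            continue
        if _is_ip(href_host):                           # Dan/Kevin's numeric-host case
            findings.append((href, text, "ip_literal_href"))
            continue
        if _DOMAINISH.match(text):                      # only domain-looking text can mismatch
            text_host = _host(text)
            if text_host and _registrable(text_host) != _registrable(href_host):
                findings.append((href, text, "domain_mismatch"))
    return findings


# Constructed sample covering the cases raised in the two threads.
SAMPLE_HTML = """
<p>Tom's BAD form: <a href="http://redirector.tld?go=acme.com">acme.com</a></p>
<p>Tom's GOOD form: <a href="http://redirector.tld?go=acme.com">Visit ACME website</a></p>
<p>Joe's cases: <a href=http://www.google.com>google.com</a> and
<a href=http://accounts.google.com>gmail.com</a></p>
<p>Dan's case: <a href="http://192.0.2.10/login">http://legit-site.example/login</a></p>
<p>Rewritten link: <a href="https://urldefense.proofpoint.com/constructed-path">example.org</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_HTML):
        print(f"{reason:16s} text={text!r} href={href!r}")
```

The three objections raised in the threads map onto three rules in check_links: phrase link text (Tom's GOOD form) is never compared, so a click counter behind "Visit ACME website" does not fire; www.google.com against google.com shares a registrable domain and passes; and allowlisted rewriters such as urldefense are skipped. Joe's accounts.google.com/gmail.com case still flags, exactly as he predicts, which is the argument for keeping such a rule at a low score or putting it through RuleQA before trusting it.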






Re: Phishing obfuscated url detection

2004-09-15 Thread Julian Field
Many thanks for the responses. Shame it can't be done easily. I already use 
the SURBL ph domain.

At 13:30 15/09/2004, you wrote:
I'd written a test for this some time back, and it worked reasonably well,
except for newsletters from various legit sources (eg T-Mobile NL,
Microsoft, Gamespy daily) which all use some click referencing script that
is located on the server of the company that actually does the emailing,
instead of the company whom the mail was actually sent for.
As I didn't want to write a lot of exceptions into the rule, I've dropped the
idea.
Jesse

-Original Message-
From: Jeff Chan <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Date: Wed, 15 Sep 2004 02:57:13 -0700
Subject: Re: Phishing obfuscated url detection
> On Wednesday, September 15, 2004, 2:41:14 AM, Chr. Stuckrad wrote:
> > On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
> >> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> >> > ... Is it possible to detect where
> >> > bar
> >> > and foo and bar are unrelated domains?
> >>
> >> That could be a good idea for a rule.  It would be nice if it
> >> could be determined canonically, without actually resolving
> >> either location.
>
> > IMHO this is near impossible.
>
> > The trivial String Back-reference check can never
> > determine whether 'foo' and 'bar' are un*related*.
> > Just whether the text *in* the HREF is unequal to
> > the text shown to the user highlighted as a link.
>
> > In all cases, where the HREF is only 'semantically'
> > *related* to the following link text, a string check
> > will assume 'spam', while 'spam/scam' will sooner or
> > later just obfuscate the text portion by javascript
> > or encoding tricks.
>
> > e.g.:   imail.de
> > is 'related' (even if 'mis'constructed)
> > because you find access to the 'imail.de'
> > Mails via the 'www.eplus.de' webserver.
>
> > Also many Mail-Texts of the kind
> >  ... to reach FOO click here
> > would be very difficult to 'analyze correctly'.
>
> > So I believe it to be an interesting idea for AI specialists,
> > but alas not for inclusion in spamassassin as it works now.
>
> > Stucki  (postmaster at mi.fu-berlin.de using spamassassin 2.63)
>
> Hmm, well there's always the brute force method of matching
> phisher URI domains in our phishing SURBL using urhrhsbl,
> urirhssub or SpamCopURI:
>
>   http://www.surbl.org/lists.html#ph
--
Julian Field            Teaching Systems Manager
[EMAIL PROTECTED] Electronics & Computer Science
Tel. 023 8059 2817  University of Southampton
Southampton SO17 1BJ


RE: Phishing obfuscated url detection

2004-09-15 Thread Chris Santerre


>-Original Message-
>From: Chr. von Stuckrad [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, September 15, 2004 5:41 AM
>To: users@spamassassin.apache.org
>Subject: Re: Phishing obfuscated url detection
>
>
>On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
>> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
>> > ... Is it possible to detect where
>> > bar
>> > and foo and bar are unrelated domains?
>> 
>> That could be a good idea for a rule.  It would be nice if it
>> could be determined canonically, without actually resolving
>> either location.
>
>IMHO this is near impossible.
>
>The trivial String Back-reference check can never
>determine whether 'foo' and 'bar' are un*related*.
>Just whether the text *in* the HREF is unequal to
>the text shown to the user highlighted as a link.
>
>In all cases, where the HREF is only 'semantically'
>*related* to the following link text, a string check
>will assume 'spam', while 'spam/scam' will sooner or
>later just obfuscate the text portion by javascript
>or encoding tricks.
>
>e.g.:   imail.de
>is 'related' (even if 'mis'constructed)
>because you find access to the 'imail.de'
>Mails via the 'www.eplus.de' webserver.
>
>Also many Mail-Texts of the kind
> ... to reach FOO click here
>would be very difficult to 'analyze correctly'.
>
>So I believe it to be an interesting idea for AI specialists,
>but alas not for inclusion in spamassassin as it works now.
>
>Stucki  (postmaster at mi.fu-berlin.de using spamassassin 2.63)


I have to agree with Stucki. What about all those image caching services?
They would all get tagged, which is a large amount of legit newsletters. It
was a good idea, so don't feel bad. 

--Chris


Re: Phishing obfuscated url detection

2004-09-15 Thread John Wilcock
On Wed, 15 Sep 2004 10:03:02 -0400, Chris Santerre wrote:
> What about all those image caching services?
> They would all get tagged, which is a large amount of legit newsletters. 

I suspect we're talking at cross purposes. I assumed that Julian's
original query was about cases where the text to be rendered in the
message is itself an URI, but not the one in the HREF.

In other words, we're not talking about cases like
| Click <a href="http://example.com/page">here</a>

much less about <img> tags, but only cases like

| Please visit <a href="http://phisher.com/path/to/page">http://example.com/page</a>

where we have a displayed URI different from the actual linked URI. 
Are you aware of any legit cases of this?

John.

-- 
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr



Re: Phishing obfuscated url detection

2004-09-15 Thread Julian Field
At 15:53 15/09/2004, John Wilcock wrote:
On Wed, 15 Sep 2004 10:03:02 -0400, Chris Santerre wrote:
> What about all those image caching services?
> They would all get tagged, which is a large amount of legit newsletters.
I suspect we're talking at cross purposes. I assumed that Julian's
original query was about cases where the text to be rendered in the
message is itself an URI, but not the one in the HREF.
Yes, I hadn't realised that Chris wasn't talking about the same thing I was.
In other words, we're not talking about cases like
| Click <a href="http://example.com/page">here</a>
much less about <img> tags, but only cases like
| Please visit <a href="http://phisher.com/path/to/page">http://example.com/page</a>
Those ones, indeed.
--
Julian Field            Teaching Systems Manager
[EMAIL PROTECTED] Dept. of Electronics & Computer Science
Tel. 023 8059 2817  University of Southampton
Southampton SO17 1BJ


Re: Phishing obfuscated url detection

2004-09-15 Thread Stewart Nelson
Please visit <a href="http://phisher.com/path/to/page">http://example.com/page</a>
Those ones, indeed.
And, IMO easier to detect, and worthy of a higher score:
<a href="http://phisher.com/page">https://example.com/page</a>
Even worse:
<a href="http://123.456.78.90/page">https://example.com/page</a>
You can throw in a few extra points for an onMouseOver clause
that sets the status bar to https ... :)
--Stewart


Re: Phishing obfuscated url detection

2004-09-15 Thread Loren Wilton
> Even worse:
> <a href="http://123.456.78.90/page">https://example.com/page</a>
>
> You can throw in a few extra points for an onMouseOver clause
> that sets the status bar to https ... :)

Would you believe that there is no reasonable way to detect that last one
currently with SA?  Which is a shame, since it is a dead-assured phish/spam
sign.  It would probably be possible in 3.0 with a special plugin.

Loren
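
The displayed-URI-versus-href heuristic this thread converges on, as an added standalone Python example (not SpamAssassin code and not anything posted in the thread): it applies John's narrowing (only anchors whose visible text is itself a URI are considered) and Stewart's escalations (https shown but http linked, a bare IP host in the href, an onMouseOver that rewrites the status bar). The sample anchors, the point values and the last-two-labels "same organisation" comparison are assumptions for illustration.

```python
"""Score HTML anchors whose visible text is a URI that does not match the href.

Added example, not SpamAssassin code. Only anchors whose visible text is itself
an http(s) URI are scored, so "click <a>here</a>" links, image-caching
newsletter links and the 'imail.de via www.eplus.de' style of related-but-
different text are deliberately left alone.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample fragments (not real mail); hosts are documentation names.
LEGIT_HTML = 'Click <a href="http://example.com/page">here</a> for details.'
SAME_HTML = 'See <a href="https://example.com/login">https://example.com/login</a>'
PHISH_HTML = (
    'Please visit <a href="http://phisher.example/path/to/page" '
    'onmouseover="window.status=\'https://example.com/page\';return true">'
    'https://example.com/page</a>'
)
IP_HTML = '<a href="http://192.0.2.10/page">https://example.com/page</a>'

URI_RE = re.compile(r'^\s*(https?://\S+)\s*$', re.I)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


class AnchorCollector(HTMLParser):
    """Collect (href, onmouseover, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None   # attribute dict of the <a> currently open
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._open = dict(attrs)
            self._text = []

    def handle_data(self, data):
        if self._open is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._open is not None:
            self.anchors.append((self._open.get('href') or '',
                                 self._open.get('onmouseover') or '',
                                 ''.join(self._text)))
            self._open = None


def registrable(host):
    """Crude 'same organisation' key: the last two labels.

    Assumption for illustration; a real deployment would consult a public
    suffix list so that co.uk-style domains compare correctly.
    """
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def score_anchor(href, onmouseover, text):
    """Return (points, reasons) for one anchor, one tier per thread post."""
    m = URI_RE.match(text)
    if not m:
        return 0, []            # visible text is not a URI: out of scope
    shown = urlsplit(m.group(1))
    real = urlsplit(href)
    points, reasons = 0, []
    if registrable(shown.hostname or '') != registrable(real.hostname or ''):
        points += 2
        reasons.append('displayed host differs from href host')
        if shown.scheme.lower() == 'https' and real.scheme.lower() == 'http':
            points += 1
            reasons.append('https shown, http in href')
        if IPV4_RE.match(real.hostname or ''):
            points += 2
            reasons.append('href host is a bare IP literal')
    omo = onmouseover.lower()
    if 'status' in omo and 'https' in omo:
        points += 1
        reasons.append('onMouseOver rewrites status bar to https')
    return points, reasons


def score_html(html):
    """Sum score_anchor over every anchor in an HTML body; no DNS is used."""
    parser = AnchorCollector()
    parser.feed(html)
    total, reasons = 0, []
    for href, omo, text in parser.anchors:
        pts, why = score_anchor(href, omo, text)
        total += pts
        reasons.extend(why)
    return total, reasons


if __name__ == '__main__':
    for name, body in (('legit', LEGIT_HTML), ('same', SAME_HTML),
                       ('phish', PHISH_HTML), ('ip', IP_HTML)):
        print(name, score_html(body))
```

Because the check compares hostnames taken from the two URIs as written, it meets Jeff's wish for a test that works "without actually resolving either location"; the cost is that a legitimate redirector showing one full URI and linking another would still score, which is the false-positive class Jesse describes.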



Re: Phishing email or no?

2018-10-11 Thread David Jones
On 10/11/18 3:30 PM, Alex wrote:
> Hi,
> 
> I'm curious what people think of this:
> 
> https://pastebin.com/1XjwaCY1
> 
> It's unsolicited, so that makes it spam to me, but is it dangerous?
> yesinsights.com appears to be a legitimate company, but the sender,
> e...@hrteamerus.com, is a registered domain but has no DNS record.
> 
> Is it just a lame attempt to confirm email addresses?
> 
> Outlook just seems to be a non-stop source of spam. I'd report it to
> yesinsights, but it appears it's being used exactly as the service
> intended?
> 
> Any idea on tips to block it, other than bayes?
> 

Is that the entire email in the pastebin link above?  I ran it through 
my SA platform and it's missing a few headers.

DKIM_INVALID,DKIM_SIGNED,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT

Since it doesn't have a valid opt-out, I would report it to SpamCop, 
report it to yesinsights.com's abuse if SpamCop doesn't already, and add 
a blacklist_from *@hrteamerus.com entry.

If you start seeing patterns of repeating emails, then a local content 
rule and Bayes training would be the best option.  Maybe get these into 
the nightly masscheck so others can work on some rules to go into the 
default ruleset.

-- 
David Jones


Re: Phishing email or no?

2018-10-11 Thread Martin Gregorie
On Thu, 2018-10-11 at 16:30 -0400, Alex wrote:
> Hi,
> 
> I'm curious what people think of this:
> 
> https://pastebin.com/1XjwaCY1
> 
My SA setup thinks it's spam. 

I notice its DKIM is invalid and that the envelope from doesn't match
the message-ID, which makes me suspicious. Doesn't a $100 draw look a
little bit too big for a single multiple-choice question?


Martin




Re: Phishing email or no?

2018-10-11 Thread Alex
Hi,

On Thu, Oct 11, 2018 at 5:15 PM David Jones  wrote:
>
> On 10/11/18 3:30 PM, Alex wrote:
> > Hi,
> >
> > I'm curious what people think of this:
> >
> > https://pastebin.com/1XjwaCY1
> >
> > It's unsolicited, so that makes it spam to me, but is it dangerous?
> > yesinsights.com appears to be a legitimate company, but the sender,
> > e...@hrteamerus.com, is a registered domain but has no DNS record.
> >
> > Is it just a lame attempt to confirm email addresses?
> >
> > Outlook just seems to be a non-stop source of spam. I'd report it to
> > yesinsights, but it appears it's being used exactly as the service
> > intended?
> >
> > Any idea on tips to block it, other than bayes?
> >
>
> Is that the entire email in the pastebin link above?  I ran it through
> my SA platform and it's missing a few headers.
>
> DKIM_INVALID,DKIM_SIGNED,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
> MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT

Yes, it's the complete email - those missing headers are in the
pastebin. It also passed DKIM. Send me a message if you want the
original.

> Since it doesn't have a valid opt-out, I would report it to SpamCop,
> report it to yesinsights.com's abuse if SpamCop doesn't already, and add
> a blacklist_from *@hrteamerus.com entry.

Yes, we've seen an increase in these types of emails. We've reported
it to spamcop, but there doesn't appear to be a way to communicate
abuse to yesinsights.

> If you start seeing patterns of repeating emails, then a local content
> rule and Bayes training would be the best option.  Maybe get these into
> the nightly masscheck so others can work on some rules to go into the
> default ruleset.

I'll see if I can get this submitted.


Re: Phishing email or no?

2018-10-11 Thread Alex
Hi,

> > I'm curious what people think of this:
> >
> > https://pastebin.com/1XjwaCY1
> >
> My SA setup thinks its spam.
>
> I notice its DKIM is invalid and that the envelope from doesn't match
> the message-ID, which makes me suspicious. Doesn't a $100 draw look a
> little bit too big for a single multiple-choice question?

Is it spam because of your own rules, or something I'm missing? Could
it be failing DKIM because of my sanitizing?

Also, it probably should have been "drawing" in the first place, not "draw".


Re: Phishing email or no?

2018-10-11 Thread Martin Gregorie
On Thu, 2018-10-11 at 20:41 -0400, Alex wrote:

> Is it spam because of your own rules, or something I'm missing? Could
> it be failing DKIM because of my sanitizing?
> 
Spotted in one - it was spam because a local rule triggered on your
munging of some body URIs to contain 'example.com'. This domain isn't
seen in my normal mail stream, nor does it appear in any body URIs in my
spam corpus.

I originally added a rule that catches URLs with domains starting with
'exam' to trap various examination cheating spam that infested some
mail lists I used to subscribe to. The rule is not so crude as to trip
on just 'exam', but example.com will trigger it. 

Martin




Re: Phishing email or no?

2018-10-12 Thread Pedro David Marco
In my opinion, any company dedicated to sending out emails should pay maximum 
attention to each and every minimum detail.
All the defects some of you are pointing out look too "basic" to not pay 
attention to!
PedroD



Re: Phishing email or no?

2018-10-12 Thread David Jones
On 10/11/18 7:00 PM, Alex wrote:
> Hi,
> 
> On Thu, Oct 11, 2018 at 5:15 PM David Jones  wrote:
>>
>> On 10/11/18 3:30 PM, Alex wrote:
>>> Hi,
>>>
>>> I'm curious what people think of this:
>>>
>>> https://pastebin.com/1XjwaCY1
>>>
>>> It's unsolicited, so that makes it spam to me, but is it dangerous?
>>> yesinsights.com appears to be a legitimate company, but the sender,
>>> e...@hrteamerus.com, is a registered domain but has no DNS record.
>>>
>>> Is it just a lame attempt to confirm email addresses?
>>>
>>> Outlook just seems to be a non-stop source of spam. I'd report it to
>>> yesinsights, but it appears it's being used exactly as the service
>>> intended?
>>>
>>> Any idea on tips to block it, other than bayes?
>>>
>>
>> Is that the entire email in the pastebin link above?  I ran it through
>> my SA platform and it's missing a few headers.
>>
>>  DKIM_INVALID,DKIM_SIGNED,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
>>  MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT
> 
> Yes, it's the complete email - those missing headers are in the
> pastebin. It also passed DKIM. Send me a message if you want the
> original.
> 
>> Since it doesn't have a valid opt-out, I would report it to SpamCop,
>> report it to yesinsights.com's abuse if SpamCop doesn't already, and add
>> a blacklist_from *@hrteamerus.com entry.
> 
> Yes, we've seen an increase in these types of emails. We've reported
> it to spamcop, but there doesn't appear to be a way to communicate
> abuse to yesinsights.
> 

I checked yesinsights.com site and they don't have a way to contact them 
or report abuse.  They do have a free week trial so you could set up a 
trial to get in touch with someone and tell them they need to have an 
abuse contact set up with Spamcop or they will eventually be listed on 
RBLs if they have enough shady customers sending to recipients that 
haven't opted into these emails.

If I received complaints from my customers about spam from yesinsights, 
I would put a REJECT line in my Postfix config with a detailed 
explanation as to why they were being blocked to give them feedback in 
their logs in case they actually check them.

Another option you have if you see repeating characteristics is to 
create a local meta rule that combines URLs with yesinsights.com with 
the envelope-from domain of hrteamerus.com or other things you see over 
and over to add some points.

This email came via Office 365 which is a major problem for sorting out 
spam.  They are so large that you can't block them outright so I have 
created a set of meta rules that amplify some spammy scores for O365 and 
add a point or two for all O365 email then put known good O365 senders 
to an exception list.  It has worked pretty well for the past year. 
Takes a little work up front to start the list but I haven't had to do 
much lately.  I mainly had to exclude senders that send odd attachments 
or invoices that trigger suspicious phishing-type rules.

-- 
David Jones
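
The local meta rule David describes (a yesinsights.com URL combined with an hrteamerus.com envelope sender), written out as an added example in SpamAssassin's local.cf rule syntax; it is not a rule from the thread or from the default ruleset, and the rule names and the 2.0 score are assumptions to adapt to your own scoring.

```conf
# Added example for local.cf; not part of the thread or the stock rules.
# Sub-rules prefixed with __ never score on their own; only the meta does.

# Body contains a link whose host is yesinsights.com or a subdomain of it.
uri       __LOCAL_URI_YESINSIGHTS   /^https?:\/\/(?:[\w.-]+\.)?yesinsights\.com(?:[\/:?#]|$)/i

# Envelope sender (MAIL FROM) is in the hrteamerus.com domain.
header    __LOCAL_ENVFROM_HRTEAMERUS  EnvelopeFrom =~ /\@hrteamerus\.com$/i

# Fire only when both repeating characteristics are present together,
# so a legitimate yesinsights.com link from another sender is untouched.
meta      LOCAL_YESINSIGHTS_COMBO   (__LOCAL_URI_YESINSIGHTS && __LOCAL_ENVFROM_HRTEAMERUS)
describe  LOCAL_YESINSIGHTS_COMBO   yesinsights.com link sent with hrteamerus.com envelope sender
score     LOCAL_YESINSIGHTS_COMBO   2.0   # assumed value; tune against your corpus
```

Check the rule with `spamassassin --lint` before reloading, and run a saved copy of the message through `spamassassin -t` to confirm LOCAL_YESINSIGHTS_COMBO appears in the report; as more repeating traits appear, extend the meta expression rather than raising the score of a single indicator.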


Re: Phishing email or no?

2018-10-12 Thread Rupert Gallagher
I love outlook.com ...

Sent from ProtonMail Mobile

On Thu, Oct 11, 2018 at 22:30, Alex  wrote:

> Hi,
>
> I'm curious what people think of this:
>
> https://pastebin.com/1XjwaCY1
>
> It's unsolicited, so that makes it spam to me, but is it dangerous?
> yesinsights.com appears to be a legitimate company, but the sender,
> e...@hrteamerus.com, is a registered domain but has no DNS record.
>
> Is it just a lame attempt to confirm email addresses?
>
> Outlook just seems to be a non-stop source of spam. I'd report it to
> yesinsights, but it appears it's being used exactly as the service
> intended?
>
> Any idea on tips to block it, other than bayes?

Re: Phishing email or no?

2018-10-12 Thread Pedro David Marco
 

> On Friday, October 12, 2018, 10:48:21 PM GMT+2, Rupert Gallagher wrote:
> I love outlook.com ...

I have seen recently an Office365 phishing campaign coming from Office365 
servers...  as good as it gets...

-PedroD

Re: Phishing email or no?

2018-10-12 Thread David Jones
On 10/12/18 4:12 PM, Pedro David Marco wrote:
> > On Friday, October 12, 2018, 10:48:21 PM GMT+2, Rupert Gallagher wrote:
> > I love outlook.com ...
> 
> I have seen recently an Office365 phishing campaign coming from 
> Office365 servers...  as good as it gets...
> 
> -PedroD

What we need is a milter or SA plugin that keeps track of new Office365 
senders like greylisting just for outbound.protection.outlook.com to 
handle compromised accounts and spammers that Microsoft can't seem to 
detect and lock fast enough.  Maybe they need to start using 
SpamAssassin and hire some of us to do their mail filtering.  :)

-- 
David Jones

