Re: Catching well directed spear phishing messages

2016-09-19 Thread Alex
Hi all, On Mon, Sep 19, 2016 at 5:46 AM, Paul Stead wrote: > On 15/09/16 20:54, RW wrote: >> >> On Thu, 15 Sep 2016 15:37:42 +0100 >> Paul Stead wrote: >> >>> https://github.com/fmbla/spamassassin-levenshtein >>> >>> An implementation I made for SA - feedback

Re: Catching well directed spear phishing messages

2016-09-19 Thread Paul Stead
On 15/09/16 20:54, RW wrote: On Thu, 15 Sep 2016 15:37:42 +0100 Paul Stead wrote: https://github.com/fmbla/spamassassin-levenshtein An implementation I made for SA - feedback welcome A couple of things 1. Instead of having a with/without tld option you could compute the distance without

Re: Catching well directed spear phishing messages

2016-09-15 Thread RW
On Thu, 15 Sep 2016 15:37:42 +0100 Paul Stead wrote: > > https://github.com/fmbla/spamassassin-levenshtein > > An implementation I made for SA - feedback welcome A couple of things 1. Instead of having a with/without tld option you could compute the distance without the tld and then add 1 if

Re: Catching well directed spear phishing messages

2016-09-15 Thread Olivier Coutu
No, I have not used it, although it is a good idea. Could probably be used for comparing From:names too, running after each new version of "Pay-pal, paupal, etc." is a pain. If I make any progress on that I will keep the list posted. My plugin is written in Perl with a home-made

Re: Catching well directed spear phishing messages

2016-09-15 Thread Dianne Skoll
On Thu, 15 Sep 2016 15:37:42 +0100 Paul Stead wrote: > https://github.com/fmbla/spamassassin-levenshtein Cool! Not sure what the performance implications are... there are XS implementations of the Levenshtein distance... for example:

Re: Catching well directed spear phishing messages

2016-09-15 Thread Paul Stead
On 15/09/16 15:22, Chip M. wrote: The other way to fix that is to detect the lexical distance between the sender's domain and your organisation's domains, e.g. by building a plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance. That could be done for a small number of domains

Re: Catching well directed spear phishing messages

2016-09-15 Thread Chip M.
On Thu, 30 Jun 2016, Olivier Coutu wrote: >The other way to fix that is to detect the lexical distance between the >sender's domain and your organisation's domains, e.g. by building a >plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance. >That could be done for a small number of

Re: Catching well directed spear phishing messages

2016-07-04 Thread Alex
Hi, >> It's easy to write a CUSTOM set of rules just for actual/likely >> targeted senders (CEO/etc). >> For each person/target, create a rule that tests an explicit >> list of that person's normal Realname(s) (including reasonable >> variations), against the Realname part of the From header, and

Re: Catching well directed spear phishing messages

2016-07-04 Thread Alex
Hi, On Wed, Jun 29, 2016 at 12:58 AM, Chip M. wrote: > On Tue, 28 Jun 2016 14:13:57 + David Jones wrote: >>If I search the Internet for the CEO/CIO/CTO/etc of a company >>and send an email from my domain but make the displayed name >>in the visible From: be that

Re: Catching well directed spear phishing messages

2016-06-30 Thread Olivier Coutu
On 2016-06-28 10:48, John Wilcock wrote: Or, if your company is a worthwhile target, it is equally easy for the scammer to set up a lookalike domain and configure it with proper SPF, DKIM and the like. Who's going to notice that the message came from examp1e.com instead of example.com?

Re: Catching well directed spear phishing messages

2016-06-29 Thread John Hardin
On Wed, 29 Jun 2016, David Jones wrote: Almost all MUAs I've ever used hide the From: address in favour of the full name if it is present. And most of them have no option for revealing the address, either. Mainly Microsoft Outlook and Exchange webmail? Most webmail interfaces will show the

Re: Catching well directed spear phishing messages

2016-06-29 Thread Joe Quinn
On 6/29/2016 11:12 AM, Dianne Skoll wrote: On Wed, 29 Jun 2016 15:04:04 + David Jones wrote: If everyone (really Microsoft) had some sense, they will start showing the full display name with the email address to help users see the incorrect domain and possibly help users

Re: Catching well directed spear phishing messages

2016-06-29 Thread Dianne Skoll
On Wed, 29 Jun 2016 15:04:04 + David Jones wrote: > Mainly Microsoft Outlook and Exchange webmail? Most webmail > interfaces will show the full From: display name with email address. Oh sure, if you open the message, you'll see it. I meant to qualify my post by saying most

Re: Catching well directed spear phishing messages

2016-06-29 Thread David Jones
>From: Dianne Skoll <d...@roaringpenguin.com> >Sent: Wednesday, June 29, 2016 9:50 AM >To: users@spamassassin.apache.org >Subject: Re: Catching well directed spear phishing messages >On Wed, 29 Jun 2016 10:31:47 -0400 >"Bill Cole" <sausers-20150...@billmai

Re: Catching well directed spear phishing messages

2016-06-29 Thread Dianne Skoll
On Wed, 29 Jun 2016 10:31:47 -0400 "Bill Cole" wrote: > On 28 Jun 2016, at 10:31, Jari Fredriksson wrote: > > Sure, but the case now is that the FROM != 'company address' as this > > info is not even shown to the user. What is shown is the CEO Name > >

Re: Catching well directed spear phishing messages

2016-06-29 Thread Bill Cole
On 28 Jun 2016, at 10:31, Jari Fredriksson wrote: > Sure, but the case now is that the FROM != 'company address' as this info > is not even shown to the user. What is shown is the CEO Name only. I > couldn't even find a setting for this behaviour in my MUA! That's a broken-by-design MUA.

Re: Catching well directed spear phishing messages

2016-06-28 Thread Chip M.
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote: >If I search the Internet for the CEO/CIO/CTO/etc of a company >and send an email from my domain but make the displayed name >in the visible From: be that CEO/CIO/CTO/etc's full name that >the recipient is used to seeing in the mail client,

Re: Catching well directed spear phishing messages

2016-06-28 Thread Sidney Markowitz
David Jones wrote on 29/06/16 2:13 AM: >> From: RW >> That won't work in this example because nothing has actually been >> spoofed. > > Exactly. If I search the Internet for the CEO/CIO/CTO/etc of a company > and send an email from my domain but make the displayed

Re: Catching well directed spear phishing messages

2016-06-28 Thread John Wilcock
On 28/06/2016 at 16:13, David Jones wrote: From: RW That won't work in this example because nothing has actually been spoofed. ... All it takes is a compromised account on a trusted mail server (happens all of the time) to provide a conduit for this type of

Re: Catching well directed spear phishing messages

2016-06-28 Thread David Jones
>Am I missing something here: Respectfully, you are. >An email comes in from the CEO of the business - seemingly from the company, >and has a Spam score of 7.5 I am talking about legit emails from trusted senders that won't hit FREEMAIL_FORGED, RBLs, DBLs or any high scoring rules so they are

Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
Groach wrote on 28.6.2016 17:24: > On 28/06/2016 16:13, David Jones wrote: > > David Jones wrote on 29/06/16 12:46 AM: > > No, technology can help. The IT department sets up the mail client > that the CEO uses when out of the office so that it sends mail using > the company mail server with

Re: Catching well directed spear phishing messages

2016-06-28 Thread Groach
On 28/06/2016 16:13, David Jones wrote: David Jones wrote on 29/06/16 12:46 AM: No, technology can help. The IT department sets up the mail client that the CEO uses when out of the office so that it sends mail using the company mail server with SSL/TLS and user authentication. Or it uses the

Re: Catching well directed spear phishing messages

2016-06-28 Thread Dianne Skoll
About the only way to combat these sorts of things is to have proper financial processes in place. In other words, have checks to ensure that no-one can initiate a wire transfer without a vendor invoice, etc. Common sense stuff... but it's so easy to slip and you only have to slip once. :(

Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
Reindl Harald wrote on 28.6.2016 16:56: > On 28.06.2016 at 15:25, Jari Fredriksson wrote: >>> Almost all the phishes I've received in the last few years have done >>> this - except that they have something like "paypal support" rather >>> than an

Re: Catching well directed spear phishing messages

2016-06-28 Thread David Jones
>From: RW <rwmailli...@googlemail.com> >Sent: Tuesday, June 28, 2016 8:50 AM >To: users@spamassassin.apache.org >Subject: Re: Catching well directed spear phishing messages >On Wed, 29 Jun 2016 01:30:55 +1200 >Sidney Markowitz wrote: >> David Jo

Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald
On 28.06.2016 at 16:08, Jari Fredriksson wrote: Reindl Harald wrote on 28.6.2016 16:56: On 28.06.2016 at 15:25, Jari Fredriksson wrote: Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an

Re: Catching well directed spear phishing messages

2016-06-28 Thread RW
On Wed, 29 Jun 2016 01:30:55 +1200 Sidney Markowitz wrote: > David Jones wrote on 29/06/16 12:46 AM: > > This is pure social engineering that can't be stopped by > > technology. The AP dept has to have proper safeguards and out of > > band validation (i.e. phone call to the "Recognized Name").

Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald
On 28.06.2016 at 15:25, Jari Fredriksson wrote: Almost all the phishes I've received in the last few years have done this - except that they have something like "paypal support" rather than an individual's name. Ah, so true you should look at that - enters my junk folder even with a

Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald
On 28.06.2016 at 15:30, Sidney Markowitz wrote: You are right that social engineering can't be stopped by technology. The company should have procedures in place that provide the flexibility that CEO seems to need but will still prevent the fraud even in the face of successful social

Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
RW wrote on 28.6.2016 16:10: > On Tue, 28 Jun 2016 15:52:10 +0300 > Jari Fredriksson wrote: > >> David Jones wrote on 28.6.2016 15:46: > >> > One of my customers has been hit by at least one

Re: Catching well directed spear phishing messages

2016-06-28 Thread Sidney Markowitz
David Jones wrote on 29/06/16 12:46 AM: > This is pure social engineering that can't be stopped by technology. The AP > dept has to have proper safeguards and out of band validation (i.e. phone > call to the "Recognized Name"). No, technology can help. The IT department sets up the mail client

Re: Catching well directed spear phishing messages

2016-06-28 Thread RW
On Tue, 28 Jun 2016 15:52:10 +0300 Jari Fredriksson wrote: > David Jones wrote on 28.6.2016 15:46: > > One of my customers has been hit by at least one of these emails > > even with good RBLs in use and properly trained Bayes. The emails > >

Re: Catching well directed spear phishing messages

2016-06-28 Thread Reindl Harald
On 28.06.2016 at 14:52, Jari Fredriksson wrote: I just refuse to believe that the technology has to trust the From:.*xxx in the smtp payload and not reject this at once. Does the customer use some dmarc-implementation in their mail chain at all? well, when none of your users are

Re: Catching well directed spear phishing messages

2016-06-28 Thread Jari Fredriksson
David Jones wrote on 28.6.2016 15:46: >> From: Sidney Markowitz <sid...@sidney.com> >> Sent: Tuesday, June 28, 2016 3:15 AM >> To: Ram; users@spamassassin.apache.org >> Subject: Re: Catching well directed spear phis

Re: Catching well directed spear phishing messages

2016-06-28 Thread David Jones
>From: Sidney Markowitz <sid...@sidney.com> >Sent: Tuesday, June 28, 2016 3:15 AM >To: Ram; users@spamassassin.apache.org >Subject: Re: Catching well directed spear phishing messages >Ram wrote on 28/06/16 7:19 PM: >> >> >> On Tuesday 28 June 2016 12:0

Re: Catching well directed spear phishing messages

2016-06-28 Thread Sidney Markowitz
Ram wrote on 28/06/16 7:19 PM: > > > On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote: >> Hai! >> >> I don't understand why they would match your spf record either. Are they >> sent out by an IP address you 'approved' ?? > SPF does not fail, because they use a different envelope

Re: Catching well directed spear phishing messages

2016-06-28 Thread Ram
On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote: Hai! I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved' ?? SPF does not fail, because they use a different envelope address.. which may pass SPF The end recipient does

Re: Catching well directed spear phishing messages

2016-06-28 Thread Raymond Dijkxhoorn
Hai! I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved' ?? Thanks, Raymond Dijkxhoorn > On 28 Jun 2016 at 03:27, jdebert wrote the following: > > On Mon, 27 Jun 2016 18:41:04 +0530 > Ram

Re: Catching well directed spear phishing messages

2016-06-27 Thread jdebert
On Mon, 27 Jun 2016 18:41:04 +0530 Ram wrote: > I am seeing messages that appear to come from the MD or the CEO of > the company to the accounts department asking people to transfer > money to some fake account > > These messages were initially few and I ignored. But now

Re: Catching well directed spear phishing messages

2016-06-27 Thread Sidney Markowitz
Ram wrote on 28/06/16 3:10 AM: > > Here is the sample > > > I just redacted the actual recipient email id and name > > > Return-Path: This isn't a SpamAssassin problem, but it is a problem that you can use SpamAssassin as a tool to help solve. If your company's

Re: Catching well directed spear phishing messages

2016-06-27 Thread Jari Fredriksson
Ram wrote on 27.6.2016 16:11: > I am seeing messages that appear to come from the MD or the CEO of the > company to the accounts department asking people to transfer money to > some fake account > > These messages were initially few and I ignored them.

Re: Catching well directed spear phishing messages

2016-06-27 Thread John Hardin
On Mon, 27 Jun 2016, Reindl Harald wrote: > Am 27.06.2016 um 15:11 schrieb Ram: > > I am seeing messages that appear to come from the MD or the CEO of the > > company to the accounts department asking people to transfer money to > > some fake account > > > These messages have different

Re: Catching well directed spear phishing messages

2016-06-27 Thread Alex
Hi, >>> These messages have different envelope ids so SPF checks always pass. >>> The header from is properly formatted exactly how it will be in a normal >>> mail >>> >>> What measures do you take for such spear phishing - look for little anomalies that are unique to these messages and

Re: Catching well directed spear phishing messages

2016-06-27 Thread Reindl Harald
On 27.06.2016 at 17:10, Ram wrote: On Monday 27 June 2016 06:50 PM, Reindl Harald wrote: On 27.06.2016 at 15:11, Ram wrote: I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account

Re: Catching well directed spear phishing messages

2016-06-27 Thread Ram
On Monday 27 June 2016 06:50 PM, Reindl Harald wrote: On 27.06.2016 at 15:11, Ram wrote: I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account happens all day long I know these are

Re: Catching well directed spear phishing messages

2016-06-27 Thread Reindl Harald
On 27.06.2016 at 15:11, Ram wrote: I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account happens all day long I know these are not spam messages so catching them will be out of scope

Catching well directed spear phishing messages

2016-06-27 Thread Ram
I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account These messages were initially few and I ignored them. But now this has become a problem. I know these are not spam messages so catching