Hi all,
On Mon, Sep 19, 2016 at 5:46 AM, Paul Stead
wrote:
> On 15/09/16 20:54, RW wrote:
>>
>> On Thu, 15 Sep 2016 15:37:42 +0100
>> Paul Stead wrote:
>>
>>> https://github.com/fmbla/spamassassin-levenshtein
>>>
>>> An implementation I made for SA - feedback
On 15/09/16 20:54, RW wrote:
On Thu, 15 Sep 2016 15:37:42 +0100
Paul Stead wrote:
https://github.com/fmbla/spamassassin-levenshtein
An implementation I made for SA - feedback welcome
A couple of things
1. Instead of having a with/without tld option you could compute
the distance without
On Thu, 15 Sep 2016 15:37:42 +0100
Paul Stead wrote:
>
> https://github.com/fmbla/spamassassin-levenshtein
>
> An implementation I made for SA - feedback welcome
A couple of things
1. Instead of having a with/without tld option you could compute
the distance without the tld and then add 1 if
No, I have not used it, although it is a good idea. Could probably be
used for comparing From:names too, running after each new version of
"Pay-pal, paupal, etc." is a pain. If I make any progress on that I will
keep the list posted.
My plugin is written in Perl with a home-made
On Thu, 15 Sep 2016 15:37:42 +0100
Paul Stead wrote:
> https://github.com/fmbla/spamassassin-levenshtein
Cool! Not sure what the performance implications are... there are XS
implementations of the Levenshtein distance... for example:
On 15/09/16 15:22, Chip M. wrote:
The other way to fix that is to detect the lexical distance between the
sender's domain and your organisation's domains, e.g. by building a
plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance.
That could be done for a small number of domains
On Thu, 30 Jun 2016, Olivier Coutu wrote:
>The other way to fix that is to detect the lexical distance between the
>sender's domain and your organisation's domains, e.g. by building a
>plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance.
>That could be done for a small number of
Hi,
>> It's easy to write a CUSTOM set of rules just for actual/likely
>> targeted senders (CEO/etc).
>> For each person/target, create a rule that tests an explicit
>> list of that person's normal Realname(s) (including reasonable
>> variations), against the Realname part of the From header, and
Hi,
On Wed, Jun 29, 2016 at 12:58 AM, Chip M. wrote:
> On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>>If I search the Internet for the CEO/CIO/CTO/etc of a company
>>and send an email from my domain but make the displayed name
>>in the visible From: be that
On 2016-06-28 10:48, John Wilcock wrote:
Or, if your company is a worthwhile target, it is equally easy for the
scammer to set up a lookalike domain and configure it with proper SPF,
DKIM and the like. Who's going to notice that the message came from
examp1e.com instead of example.com?
On Wed, 29 Jun 2016, David Jones wrote:
Almost all MUAs I've ever used hide the From: address in favour of
the full name if it is present. And most of them have no option for
revealing the address, either.
Mainly Microsoft Outlook and Exchange webmail? Most webmail
interfaces will show the
On 6/29/2016 11:12 AM, Dianne Skoll wrote:
On Wed, 29 Jun 2016 15:04:04 +
David Jones wrote:
If everyone (really Microsoft) had some sense, they would start
showing the full display name with the email address to help users
see the incorrect domain and possibly help users
On Wed, 29 Jun 2016 15:04:04 +
David Jones wrote:
> Mainly Microsoft Outlook and Exchange webmail? Most webmail
> interfaces will show the full From: display name with email address.
Oh sure, if you open the message, you'll see it. I meant to qualify
my post by saying most
>From: Dianne Skoll <d...@roaringpenguin.com>
>Sent: Wednesday, June 29, 2016 9:50 AM
>To: users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
>On Wed, 29 Jun 2016 10:31:47 -0400
>"Bill Cole" <sausers-20150...@billmai
On Wed, 29 Jun 2016 10:31:47 -0400
"Bill Cole" wrote:
> On 28 Jun 2016, at 10:31, Jari Fredriksson wrote:
> > Sure, but the case now is that the FROM != 'company address' as this
> > info is not even shown to the user. What is shown is the CEO Name
> >
On 28 Jun 2016, at 10:31, Jari Fredriksson wrote:
> Sure, but the case now is that the FROM != 'company address' as this info
> is not even shown to the user. What is shown is the CEO Name only. I
> couldn't even find a setting for this behaviour in my MUA!
That's a broken-by-design MUA.
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send an email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client,
David Jones wrote on 29/06/16 2:13 AM:
>> From: RW
>> That won't work in this example because nothing has actually been
>> spoofed.
>
> Exactly. If I search the Internet for the CEO/CIO/CTO/etc of a company
> and send an email from my domain but make the displayed
On 28/06/2016 at 16:13, David Jones wrote:
From: RW
That won't work in this example because nothing has actually been
spoofed.
...
All it takes is a compromised account on a trusted mail server (happens
all of the time) to provide a conduit for this type of
>Am I missing something here:
Respectfully, you are.
>An email comes in from the CEO of the business - seemingly from the company,
>and has a Spam score of 7.5
I am talking about legit emails from trusted senders that won't
hit FREEMAIL_FORGED, RBLs, DBLs or any high scoring rules so
they are
Groach wrote on 28.6.2016 17:24:
> On 28/06/2016 16:13, David Jones wrote:
>
> David Jones wrote on 29/06/16 12:46 AM:
>
> No, technology can help. The IT department sets up the mail client
> that the CEO uses when out of the office so that it sends mail using
> the company mail server with
On 28/06/2016 16:13, David Jones wrote:
David Jones wrote on 29/06/16 12:46 AM:
No, technology can help. The IT department sets up the mail client
that the CEO uses when out of the office so that it sends mail using
the company mail server with SSL/TLS and user authentication. Or it
uses the
About the only way to combat these sorts of things is to have proper
financial processes in place. In other words, have checks to ensure
that no-one can initiate a wire transfer without a vendor invoice,
etc. Common sense stuff... but it's so easy to slip and you only have
to slip once. :(
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Reindl Harald wrote on 28.6.2016 16:56:
> On 28.06.2016 at 15:25, Jari Fredriksson wrote:
>>> Almost all the phishes I've received in the last few years have done
>>> this - except that they have something like "paypal support" rather
>>> than an
>From: RW <rwmailli...@googlemail.com>
>Sent: Tuesday, June 28, 2016 8:50 AM
>To: users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
>On Wed, 29 Jun 2016 01:30:55 +1200
>Sidney Markowitz wrote:
>> David Jo
On 28.06.2016 at 16:08, Jari Fredriksson wrote:
Reindl Harald wrote on 28.6.2016 16:56:
On 28.06.2016 at 15:25, Jari Fredriksson wrote:
Almost all the phishes I've received in the last few years have done
this - except that they have something like "paypal support" rather
than an
On Wed, 29 Jun 2016 01:30:55 +1200
Sidney Markowitz wrote:
> David Jones wrote on 29/06/16 12:46 AM:
> > This is pure social engineering that can't be stopped by
> > technology. The AP dept has to have proper safeguards and out of
> > band validation (i.e. phone call to the "Recognized Name").
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Reindl Harald wrote on 28.6.2016 16:56:
> On 28.06.2016 at 15:25, Jari Fredriksson wrote:
>>> Almost all the phishes I've received in the last few years have done
>>> this - except that they have something like "paypal support" rather
>>> than an
On 28.06.2016 at 15:25, Jari Fredriksson wrote:
Almost all the phishes I've received in the last few years have done
this - except that they have something like "paypal support" rather
than an individual's name.
Ah, so true
you should look at that - enters my junk folder even with a
On 28.06.2016 at 15:30, Sidney Markowitz wrote:
You are right that social engineering can't be stopped by technology. The
company should have procedures in place that provide the flexibility that CEO
seems to need but will still prevent the fraud even in the face of successful
social
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
RW wrote on 28.6.2016 16:10:
> On Tue, 28 Jun 2016 15:52:10 +0300
> Jari Fredriksson wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> David Jones wrote on 28.6.2016 15:46:
>
>> > One of my customers has been hit by at least one
David Jones wrote on 29/06/16 12:46 AM:
> This is pure social engineering that can't be stopped by technology. The AP
> dept has to have proper safeguards and out of band validation (i.e. phone
> call to the "Recognized Name").
No, technology can help. The IT department sets up the mail client
On Tue, 28 Jun 2016 15:52:10 +0300
Jari Fredriksson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> David Jones wrote on 28.6.2016 15:46:
> > One of my customers has been hit by at least one of these emails
> > even with good RBLs in use and properly trained Bayes. The emails
> >
On 28.06.2016 at 14:52, Jari Fredriksson wrote:
I just refuse to believe that the technology has to trust the
From:.*xxx in the SMTP payload and not reject this at once. Does the
customer use some DMARC implementation in their mail chain at all?
well, when none of your users are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
David Jones wrote on 28.6.2016 15:46:
>> From: Sidney Markowitz <sid...@sidney.com>
>> Sent: Tuesday, June 28, 2016 3:15 AM
>> To: Ram; users@spamassassin.apache.org
>> Subject: Re: Catching well directed spear phis
>From: Sidney Markowitz <sid...@sidney.com>
>Sent: Tuesday, June 28, 2016 3:15 AM
>To: Ram; users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
>Ram wrote on 28/06/16 7:19 PM:
>>
>>
>> On Tuesday 28 June 2016 12:0
Ram wrote on 28/06/16 7:19 PM:
>
>
> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>> Hi!
>>
>> I don't understand why they would match your SPF record either. Are they
>> sent out by an IP address you 'approved'??
> SPF does not fail, because they use a different envelope
On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
Hi!
I don't understand why they would match your SPF record either. Are they sent
out by an IP address you 'approved'??
SPF does not fail, because they use a different envelope address..
which may pass SPF
The end recipient does
Hi!
I don't understand why they would match your SPF record either. Are they sent
out by an IP address you 'approved'??
Thanks,
Raymond Dijkxhoorn
> On 28 Jun 2016 at 03:27, jdebert wrote
> the following:
>
> On Mon, 27 Jun 2016 18:41:04 +0530
> Ram
On Mon, 27 Jun 2016 18:41:04 +0530
Ram wrote:
> I am seeing messages that appear to come from the MD or the CEO of
> the company to the accounts department asking people to transfer
> money to some fake account
>
> These messages were initially few and I ignored them. But now
Ram wrote on 28/06/16 3:10 AM:
>
> Here is the sample
>
>
> I just redacted the actual recipient email id and name
>
>
> Return-Path:
This isn't a SpamAssassin problem, but it is a problem that you can use
SpamAssassin as a tool to help solve.
If your company's
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ram wrote on 27.6.2016 16:11:
> I am seeing messages that appear to come from the MD or the CEO of the
> company to the accounts department asking people to transfer money to
> some fake account
>
> These messages were initially few and I ignored them.
On Mon, 27 Jun 2016, Reindl Harald wrote:
> On 27.06.2016 at 15:11, Ram wrote:
> > I am seeing messages that appear to come from the MD or the CEO of the
> > company to the accounts department asking people to transfer money to
> > some fake account
>
> > These messages have different
Hi,
>>> These messages have different envelope ids so SPF checks always pass.
>>> The header from is properly formatted exactly how it will be in a normal
>>> mail
>>>
>>> What measures do you take for such spear phishing
- look for little anomalies that are unique to these messages and
On 27.06.2016 at 17:10, Ram wrote:
On Monday 27 June 2016 06:50 PM, Reindl Harald wrote:
On 27.06.2016 at 15:11, Ram wrote:
I am seeing messages that appear to come from the MD or the CEO of the
company to the accounts department asking people to transfer money to
some fake account
On Monday 27 June 2016 06:50 PM, Reindl Harald wrote:
On 27.06.2016 at 15:11, Ram wrote:
I am seeing messages that appear to come from the MD or the CEO of the
company to the accounts department asking people to transfer money to
some fake account
happens all day long
I know these are
On 27.06.2016 at 15:11, Ram wrote:
I am seeing messages that appear to come from the MD or the CEO of the
company to the accounts department asking people to transfer money to
some fake account
happens all day long
I know these are not spam messages so catching them will be out of scope
I am seeing messages that appear to come from the MD or the CEO of the
company to the accounts department asking people to transfer money to
some fake account
These messages were initially few and I ignored them. But now this has become
a problem.
I know these are not spam messages so catching