On 01/23/2018 07:11 PM, Alex wrote:
Hi,

On Tue, Jan 23, 2018 at 4:52 PM, David Jones <djo...@ena.com> wrote:
Here is a good example of a spoof that might get user clicks. It didn't
have good SPF or DKIM, but it could have pretty easily, making it look pretty
clean in a default SA installation.

https://pastebin.com/GTG8K56a

Need to get this IP off of the HostKarma and dnswl.org whitelists if anyone
from there is on this list.


Sounds like this is a shared IP with some good senders, so this may need to be reported to cloud9.net so they can find the source of this abuse of their server.

This appears to have hit on your side. Is this just an FYI?


Do you mean my SA (MailScanner) blocked it? Yes it did. Mostly due to a properly trained Bayes DB, DCC, Pyzor, and local rules. Just trying to show my strategy for detecting and blocking spoofing as SPF, DKIM, and DMARC are being properly implemented by companies that are common targets of spoofing.

Safely whitelist_auth the Envelope-From domain and then set up header/body rules to block the spoofing text.

X-ENA-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (cached,
score=17.85, required 4, BAYES_99 5.20, BAYES_999 0.20,

Yeah, not good.
-2.5 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
                          [168.100.1.4 listed in hostkarma.junkemailfilter.com]
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
                              trust [168.100.1.4 listed in list.dnswl.org]

Were there no EnvelopeFrom or Return-Path header?


EnvelopeFrom domain was welcome.aexp.com as you can see in the Authentication-Results added by my MTA with OpenDMARC. The legit email has perfect DMARC alignment on both SPF and DKIM and they run with p=reject.

No Return-Path header in the original.

This hits a local rule involving undisclosed-recips and/or not to my
domain and "urgent" messages. It also now hits pyzor and dcc.


Is this Bcc'd recipients? That can be helpful information but probably not a high scoring rule unless you are combining it in a meta with other hits.

I also have a rule that adds 1.2 points to emails that hit hostkarma
with no domain security.


How is this a sign of spam? Have you noticed a pattern? I will search my logs (actually run a SQL query) for this to see if you are onto something here.

Kevin already had something similar to this in KAM.cf checking for SPF_FAIL
from aexp.com but it wouldn't help with that spoofed one at the top with the
"m" in the domain.

Should we try to do something about "american express" with a faked
domain (amexp.com)?


We could set up a 60_blacklist_from.cf file in the SA ruleset for definite bad domains, but that's probably not the best place to maintain that. It really should be in major DBLs that SA already knows to check.

--
David Jones

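An added example, not code from the thread or from SpamAssassin, that models the strategy discussed above: trust a brand's mail only when the MTA's Authentication-Results shows a DMARC pass for the brand's domain (the whitelist_auth step), and otherwise score a From display name that claims the brand without that authentication, a From domain that is not the brand's or is one edit away from it (the amexp.com vs aexp.com case), and the "undisclosed recipients plus urgent subject" pattern mentioned in the thread. The brand-to-domain map, the rule names and scores, the Authentication-Results layout and the three messages are assumptions or constructed samples, not captures from the thread.

```python
"""Model of the spoof-detection strategy from the thread: whitelist the brand's
mail only on a DMARC pass (whitelist_auth equivalent), then score brand claims
that lack it, non-brand or lookalike From domains, and "urgent" mail sent to
undisclosed recipients. Samples below are constructed, not real mail."""
import email
import re
from email import policy

# Brand keyword -> domains that legitimately send as that brand.
# Assumed mapping for illustration; aexp.com is the domain from the thread.
BRAND_DOMAINS = {
    "american express": {"aexp.com", "americanexpress.com"},
}

# Assumed local scores (the thread does not give its scores).
SCORES = {
    "LOCAL_BRAND_NO_AUTH": 2.0,           # brand claimed, no DMARC pass
    "LOCAL_BRAND_FROM_MISMATCH": 3.0,     # From domain is not a brand domain
    "LOCAL_BRAND_LOOKALIKE_DOMAIN": 2.0,  # From domain is one edit from one
    "LOCAL_URGENT_UNDISCLOSED": 1.5,      # "urgent" subject, undisclosed recipients
}


def under_domain(domain: str, legit: set) -> bool:
    """True if domain equals or is a subdomain of any domain in legit."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalikes such as amexp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_pass_domain(auth_results: str):
    """Return the header.from domain when an OpenDMARC-style
    Authentication-Results header reports dmarc=pass, otherwise None."""
    if not re.search(r"\bdmarc=pass\b", auth_results, re.I):
        return None
    m = re.search(r"header\.from=([\w.-]+)", auth_results, re.I)
    return m.group(1).lower() if m else None


def classify(raw: bytes) -> dict:
    """Return the rule names that fire for a raw message and their total score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    display = sender.display_name.lower()
    authed = dmarc_pass_domain(str(msg.get("Authentication-Results", "")))
    hits = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in display:
            continue
        if authed and under_domain(authed, legit):
            hits.append("WHITELIST_AUTH")  # whitelist_auth equivalent: trusted
            continue
        hits.append("LOCAL_BRAND_NO_AUTH")
        if not under_domain(from_domain, legit):
            hits.append("LOCAL_BRAND_FROM_MISMATCH")
            if any(edit_distance(from_domain, d) <= 1 for d in legit):
                hits.append("LOCAL_BRAND_LOOKALIKE_DOMAIN")
    if "WHITELIST_AUTH" not in hits:
        to = str(msg.get("To", "")).lower()
        subject = str(msg.get("Subject", ""))
        if "undisclosed" in to and re.search(r"\burgent\b", subject, re.I):
            hits.append("LOCAL_URGENT_UNDISCLOSED")
    return {"hits": hits, "score": sum(SCORES.get(h, 0.0) for h in hits)}


# Constructed samples (not real mail): aligned legit mail, a spoof using the
# brand's own domain without authentication, and a lookalike-domain spoof.
LEGIT = b"""Authentication-Results: mx.example.net; dmarc=pass (p=reject dis=none) header.from=welcome.aexp.com
From: American Express <noreply@welcome.aexp.com>
To: user@example.net
Subject: Your statement is ready

Body.
"""
SPOOF_SAME_DOMAIN = b"""Authentication-Results: mx.example.net; dmarc=fail (p=reject dis=none) header.from=welcome.aexp.com
From: American Express <alerts@welcome.aexp.com>
To: undisclosed-recipients:;
Subject: URGENT: verify your card

Body.
"""
SPOOF_LOOKALIKE = b"""From: American Express <security@amexp.com>
To: user@example.net
Subject: Account notice

Body.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof-same-domain", SPOOF_SAME_DOMAIN),
                      ("spoof-lookalike", SPOOF_LOOKALIKE)):
        print(name, classify(raw))
```

In SpamAssassin terms the same idea is a `whitelist_auth *@aexp.com` line plus a `header` rule on the From display name, a `header From:addr` rule on the domain, and a `meta` that fires on the first without the second; the point of doing the whitelist via authentication rather than a plain whitelist_from is exactly what the thread's unauthenticated welcome.aexp.com sample shows.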