On 27.06.2016 at 17:10, Ram wrote:
> On Monday 27 June 2016 06:50 PM, Reindl Harald wrote:
>> On 27.06.2016 at 15:11, Ram wrote:
>>> I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account
>> happens all day long
>>> I know these are not spam messages so catching them will be out of scope for a spam filter.
>> "appear to come from" is by definition a spam message and most of that crap *in fact* is trainable and catchable with a combination of clamav-signatures (sanesecurity) and bayes
>>> These messages have different envelope ids so SPF checks always pass. The header From is properly formatted exactly how it will be in a normal mail. What measures do you take for such spear phishing?
>> without a sample or a crystal ball hard to say
> Here is the sample. I just redacted the actual recipient email id and name
looks by far not untrainable, see the second sa-report after learning it to bayes - and if you think you can't train such messages you did not realize how bayes works

and FREEMAIL_FORGED_REPLYTO is a big indicator

I don't get what you want to tell us with "I know these are not spam messages" when *it is* spam
________________________________
Content analysis details:   (7.5 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 0.1 HK_RANDOM_FROM         From username looks random
-0.1 CUST_DNSWL_5_ORG_NT    RBL: list.dnswl.org (No Trust)
                            [173.201.193.64 listed in list.dnswl.org]
-0.1 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
                            [173.201.193.64 listed in wl.mailspike.net]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
                            [173.201.193.64 listed in score.senderscore.com]
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)

________________________________
Content analysis details:   (13.9 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.1 CUST_DNSWL_5_ORG_NT    RBL: list.dnswl.org (No Trust)
                            [173.201.193.64 listed in list.dnswl.org]
 7.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 0.1 HK_RANDOM_FROM         From username looks random
-0.1 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
                            [173.201.193.64 listed in wl.mailspike.net]
-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
                            [173.201.193.64 listed in score.senderscore.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.4 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
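The FREEMAIL_FORGED_REPLYTO hit that the reply above points to is the cheapest indicator for this kind of CEO-fraud mail: the From header looks like a normal corporate sender, but replies are steered to a webmail mailbox. The script below is an added illustration of that check over raw headers, written for this thread; it is not SpamAssassin's FreeMail plugin code, the freemail domain list is a constructed stub (SpamAssassin ships a much larger one), and the two sample messages are constructed with reserved .invalid domains rather than taken from the list post.

```python
"""Flag the Reply-To/From domain mismatch that SpamAssassin scores as
FREEMAIL_FORGED_REPLYTO, as a stand-alone check over RFC 5322 headers.
Added example for this thread; not SpamAssassin's own implementation."""
from email import message_from_string
from email.utils import parseaddr

# Constructed stub list for this example. SpamAssassin's FreeMail plugin
# configuration carries a far longer list of webmail providers.
FREEMAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})


def header_domain(msg, name):
    """Return the lowercased domain of the first address in header `name`,
    or None when the header is absent or carries no usable address."""
    value = msg.get(name)
    if not value:
        return None
    _display_name, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def forged_reply_to(raw_message):
    """True when Reply-To points at a freemail domain but From does not.

    This mirrors the intent of FREEMAIL_FORGED_REPLYTO: a mail that claims a
    corporate sender in From yet redirects answers to a webmail account.
    Mails without a Reply-To, or where both headers are freemail, are not
    flagged, matching the rule description 'Freemail in Reply-To, but not From'."""
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom is None or reply_dom is None:
        return False
    return reply_dom in FREEMAIL_DOMAINS and from_dom not in FREEMAIL_DOMAINS


# Constructed sample modelled on the thread's description: display name and
# From address look like the company's CEO, Reply-To quietly goes elsewhere.
SAMPLE_BEC = """\
From: "CEO Name" <ceo@example-corp.invalid>
Reply-To: ceo.name.office@gmail.com
To: accounts@example-corp.invalid
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please process the transfer today.</p>
"""

# Constructed legitimate mail: Reply-To stays inside the corporate domain.
SAMPLE_OK = """\
From: "CEO Name" <ceo@example-corp.invalid>
Reply-To: ceo@example-corp.invalid
To: accounts@example-corp.invalid
Subject: Board meeting notes

Notes attached.
"""

if __name__ == "__main__":
    print("BEC sample flagged:  ", forged_reply_to(SAMPLE_BEC))  # True
    print("legit sample flagged:", forged_reply_to(SAMPLE_OK))   # False
```

In production this is exactly the kind of signal you let SpamAssassin score (3.0 points here) rather than act on alone; combined with the bayes training the reply describes, the second report shows the same message climbing from 7.5 to 13.9 points.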