David Jones wrote on 28.6.2016 15:46:
>> From: Sidney Markowitz <sid...@sidney.com>
>> Sent: Tuesday, June 28, 2016 3:15 AM
>> To: Ram; users@spamassassin.apache.org
>> Subject: Re: Catching well directed spear phishing messages
>
>> Ram wrote on 28/06/16 7:19 PM:
>>> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>>>> Hai!
>>>>
>>>> I don't understand why they would match your SPF record either. Are they
>>>> sent out by an IP address you 'approved'??
>>> SPF does not fail, because they use a different envelope address,
>>> which may pass SPF.
>>> The end recipient does not check the envelope anyway.
>
>> You should have local SpamAssassin rules that do check the envelope sender.
>> This is about official company mail from the company domain. You can require
>> that all employees use mail clients that are properly configured by the
>> company IT to send all official company mail. SpamAssassin can be configured
>> with local rules that stop anything that has a company domain header sender
>> address that does not also have a matching envelope sender address and passes
>> SPF. There is no reason to allow the CEO to send company mail without using a
>> proper mail server that appears on the SPF record.
>
>> The end recipient can't be expected to check all the headers, but SpamAssassin
>> can do that before the end recipient receives the mail.
>
>> Sidney
>
> One of my customers has been hit by at least one of these emails even with
> good RBLs in use and properly trained Bayes. The emails themselves are
> perfectly formed and score very low. They use an envelope-from of their
> own domain to pass all SPF checks but they use a visible From: of
> "Recognized Name <recn...@otherdomain.com>". Even DMARC checks
> would pass for the otherdomain.com. The issue is the finance person sees
> the "Recognized Name" and doesn't look closely at the otherdomain.com.
>
> This is pure social engineering that can't be stopped by technology. The AP
> dept has to have proper safeguards and out of band validation (i.e. phone
> call to the "Recognized Name").
>
> In my instance, the finance person was told to wire thousands of dollars
> and the bad guy changed the banking information twice and the person
> still wasn't suspicious enough to stop and validate the request. The real
> problem is this is a very common practice for high-level people to request
> wire transfers for legitimate projects while out on the road so the AP dept
> lets down their guard.

I just refuse to believe that the technology has to trust the From:.*xxx in the SMTP payload and not reject this at once. Does the customer use some DMARC implementation in their mail chain at all?

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
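The two local checks discussed in the thread, Sidney's header-From versus envelope-sender/SPF rule and the "recognised name on a foreign domain" pattern David describes, as an added Python example that is not from the thread or from SpamAssassin itself. The company domain, the protected display names and the sample message are assumed/constructed; the SPF verdict is read from the Received-SPF header the receiving MTA writes.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the protected company domain and the display
# names (executives, approvers) that a lookalike From: header would imitate.
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "john smith"}


def split_addr(value):
    """Return (display name, lowercased domain) for a From:/Return-Path value."""
    name, addr = parseaddr(value or "")
    return name.strip(), addr.rpartition("@")[2].lower()


def spf_passed(msg):
    """Read the SPF verdict the receiving MTA recorded in Received-SPF."""
    verdict = msg.get("Received-SPF", "")
    return verdict.split(None, 1)[0].lower() == "pass" if verdict else False


def check_sender(raw):
    """Return the local rule names that fire on one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_dom = split_addr(msg.get("From"))
    # Return-Path holds the envelope sender as the receiving MTA recorded it.
    _, env_dom = split_addr(msg.get("Return-Path"))
    hits = []
    # Sidney's rule: a header From in the company domain must also carry a
    # company-domain envelope sender and must have passed SPF.
    if from_dom == COMPANY_DOMAIN and (env_dom != COMPANY_DOMAIN or not spf_passed(msg)):
        hits.append("LOCAL_COMPANY_FROM_ENVELOPE_MISMATCH")
    # David's case: a recognised display name on a From: address outside the
    # company domain; SPF and even DMARC pass because that other domain is the
    # sender's own, so only the name/domain combination gives it away.
    if from_name.lower() in PROTECTED_NAMES and from_dom != COMPANY_DOMAIN:
        hits.append("LOCAL_KNOWN_NAME_FOREIGN_DOMAIN")
    return hits


# Constructed sample reproducing the pattern described in the thread.
SPOOFED = """Return-Path: <bounce@otherdomain.example>
Received-SPF: pass (otherdomain.example designates the sending host)
From: "Jane Doe" <jane.doe@otherdomain.example>
To: finance@example.com
Subject: Urgent wire transfer

Please send the funds today and confirm by e-mail only.
"""

if __name__ == "__main__":
    print(check_sender(SPOOFED))  # ['LOCAL_KNOWN_NAME_FOREIGN_DOMAIN']
```

In a real deployment the same two conditions map onto SpamAssassin header rules over `From` and `EnvelopeFrom` plus a meta rule on the SPF result; the second rule is the one that catches the case David's RBLs and Bayes missed.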