In this case, the actual domain on the reply-to header was uk-1.me – this
exists and is registered. The domain has wildcard DNS so *.uk-1.me will return
valid DNS records – both A and MX. I suspect that the domain has been
registered for the express intention of sending these kinds of phishing emails
so I’ve added *@*.uk-1.me<mailto:*@*.uk-1.me> to blackListedDomains but it
wouldn’t take much for them to change domains.
As a result, the reply-to address of localdomain.co.uk-1.me appears valid to
all checks. The only thing that could tell ASSP that this is a phishing address
is that the hostname contains an entry from localdomains with a bit on the end.
It just so happens that this particular message also had multiple from headers
– something that you have updated ASSP to be able to detect now. We will now
catch any similar emails on that basis however it is still possible that such a
phishing email would get past if it did not have multiple from headers.
As these kinds of emails tend to be targeted and manually crafted for high
value amounts I would guess it won’t take long for a miscreant to figure that
out with a few tests.
All the best,
Colin.
From: Thomas Eckardt <thomas.ecka...@thockar.com>
Sent: 21 April 2018 08:18
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains
>None of the addresses are actually @domain.tld
I'm right ? The used domains never ends with a valid TLD - so the domains never
exists? Or at least - they ends with a valid TLD, but domains not exists?
Thomas
Von: "Colin Waring"
<co...@dolphinict.co.uk<mailto:co...@dolphinict.co.uk>>
An: "ASSP development mailing list"
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Datum: 20.04.2018 21:49
Betreff: Re: [Assp-test] Multiple From headers/regex based on
localdomains
________________________________
Yes there is so this particular message gets caught which is great.
There is no guarantee that all emails with the -1.me also have multiple from
headers, also the -1.me can change but it is always -something.tld on the end.
All the best,
Colin.
From: Thomas Eckardt
<thomas.ecka...@thockar.com<mailto:thomas.ecka...@thockar.com>>
Sent: 20 April 2018 17:54
To: ASSP development mailing list
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains
But there should be a scoring because of multiple Fom: and/or Sender: headers-
Thomas
Von: "Colin Waring"
<co...@dolphinict.co.uk<mailto:co...@dolphinict.co.uk>>
An: "ASSP development mailing list"
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Datum: 20.04.2018 16:42
Betreff: Re: [Assp-test] Multiple From headers/regex based on
localdomains
________________________________
Hi Thomas,
I’ve run the message through the analyser and although a great feature to have
it is not going to catch these emails.
None of the addresses are actually @domain.tld
The Reply-to: is @domain.tld-1.me so the extra -1.me bypasses the spoofing
check.
The DoNoFrom: option is catching the multiple from headers which is great.
All the best,
Colin.
From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
Sent: 20 April 2018 15:24
To: ASSP development mailing list
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains
Colin,
solved build 18107 the problem for you?
changed:
...
'DoNoSpoofing4From','Do NoSpoofing for from:'
'Do the NoSpoofing check also for header 'from:', 'sender:', 'reply-to:' and
'errors-to:' addresses.
Thomas
Von: "cw" <colin.war...@gmail.com<mailto:colin.war...@gmail.com>>
An: "ASSP development mailing list"
<Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>>
Datum: 14.04.2018 09:47
Betreff: Re: [Assp-test] Multiple From headers/regex based on
localdomains
________________________________
Hi Thomas,
Looks like a good feature. I'll have to double check the headers for this
message. I think the domains in all three from headers actually exist but have
no relation to the recipient.
As the smtp address & from headers are a legitimate but compromised account the
only header that would fail a legitimate domain check would be the reply to
header.
These are carefully crafted phishing emails that are targeted, I've seen them
sent to many accounts departments pretending to be from company directors
requesting bank payments of up to £10,000. Of course the accounts department
goes straight to said director who comes to us wanting to know why we aren't
blocking them.
All the best,
Colin
On Sat, 14 Apr 2018, 08:26 Thomas Eckardt,
<thomas.ecka...@thockar.com<mailto:thomas.ecka...@thockar.com>> wrote:
> I thought this would not be caught by nospoofing because that would only
> match if the RHS ended in the entry from localdomains.
OK.
And what if the 'DoNoFrom' feature would work like this:
Check for Existing and Valid From: and Sender: Header Tag and Address (DoNoFrom)
If enabled, the MIME header is checked for valid From: and Sender: header tags.
This header check fails and faults are counted, if both headers (From: and
Sender:) are missing - or if any of these headers contains not a valid email
address - or if multiple of the same headers are found.
The scoring value nofromValencePB is added for each detected fault.
In your example:
Reply-to: Sender Name
<n...@recipientdomain.tld-1.me<mailto:n...@recipientdomain.tld-1.me>>
To: recipi...@recipientdomain.tld<mailto:recipi...@recipientdomain.tld>
From: Sender Name <f...@domain.tld<mailto:f...@domain.tld>>
From: Sender Name <f...@domain2.tld<mailto:f...@domain2.tld>>
From: Sender Name
<actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld<mailto:actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld>>
'nofromValencePB' would be added two times - one time for each additionally
From: header.
Thomas
Von: "Colin Waring"
<co...@dolphinict.co.uk<mailto:co...@dolphinict.co.uk>>
An: "ASSP development mailing list"
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Datum: 13.04.2018 20:55
Betreff: Re: [Assp-test] Multiple From headers/regex based on
localdomains
________________________________
Thank you for the reply Thomas,
Being able to include sender:, reply to: and errors-to: would be handy in my
opinion
However, in this case the local domain was not in any of the from: fields
whatsoever. By using
n...@recipientdomain.tld-1.me<mailto:n...@recipientdomain.tld-1.me>, this hits
a stupid bug in Outlook where in some places it will only display
n...@recipientdomain.tld<mailto:n...@recipientdomain.tld>. The
-1.me<http://1.me/> is completely fictional and varies from message to message.
I thought this would not be caught by nospoofing because that would only match
if the RHS ended in the entry from localdomains.
All the best,
Colin.
From: Thomas Eckardt
<thomas.ecka...@thockar.com<mailto:thomas.ecka...@thockar.com>>
Sent: 13 April 2018 16:55
To: ASSP development mailing list
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Subject: Re: [Assp-test] Multiple From headers/regex based on localdomains
Colin,
'DoNoSpoofing4From' should do it - but it is'nt. Only the first 'From:' address
is currently checked and this will not prevent this attack.
But it is possible to include 'sender: , reply-to: and errors-to:' in to this
check - which would catch this mails.
What do you think?
Thomas
Von: "Colin Waring"
<co...@dolphinict.co.uk<mailto:co...@dolphinict.co.uk>>
An: "ASSP development mailing list"
<assp-test@lists.sourceforge.net<mailto:assp-test@lists.sourceforge.net>>
Datum: 13.04.2018 17:17
Betreff: [Assp-test] Multiple From headers/regex based on localdomains
________________________________
Hi,
I’ve a couple of fun ones at the moment. Basically I’m getting reports of
phishing emails that get past everything.
The headers are like this:
Reply-to: Sender Name
<n...@recipientdomain.tld-1.me<mailto:n...@recipientdomain.tld-1.me>>
To: recipi...@recipientdomain.tld<mailto:recipi...@recipientdomain.tld>
From: Sender Name <f...@domain.tld<mailto:f...@domain.tld>>
From: Sender Name <f...@domain2.tld<mailto:f...@domain2.tld>>
From: Sender Name
<actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld<mailto:actualsmtpfromaddr...@legitimatebutcompromiseddomain.tld>>
These bypass no spoofing as none of the from/SMTP header domains are actually
the recipient domain. Annoyingly, Outlook chooses the Reply-to address to
display so it appears almost legitimate.
I’m aware that the RFCs allow multiple from headers, though I can’t see of any
legitimate reason for this so I was considering blocking or increasing spam
score based on this – is this possible with ASSP at the moment or not?
The second thing I was looking at doing was coming up with a regex.
Essentially, all recipient domains are in localdomains.txt so I’d want a regex
that would take all lines from localdomains. If the reply to or smtp from
address is a line from localdomains with anything else after it, then bin it. I
accept that there may in some extremely obscure cases be a clash with a
legitimate domain but do not believe that to be likely. I’ll have a look next
week as to if I can figure out a way to do it but if there’s something obvious
that you could let me know that’d be great.
All the best,
Colin.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known
virus in this email!
*******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known
virus in this email!
*******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!
http://sdm.link/slashdot_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known
virus in this email!
*******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known
virus in this email!
*******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net<mailto:Assp-test@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known
virus in this email!
*******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test