I could use some guidance on how to best block these mails without causing false positives.
Over the last 3 weeks or so, we're getting a bunch of spam of the "your account has been infected," "we see embarrassing things that you're doing" type which ultimately threatens the recipient unless a bitcoin payment is made. I'm seeing the same emails at other (non-ASSP) organizations that I work with. The messages all have the same characteristics:

1) Spoofs the recipient address in the header; the envelope varies.
2) Sent through servers all over the world.
3) The subject is almost always blank; sometimes it is the user part of the email, sometimes the whole recipient address.
4) The body of the email contains only an embedded JPG. That JPG is all text, and a lot of it.
5) AFC does a scan of the embedded file and doesn't find anything wrong with it; it's just a JPG, and it's not the same JPG every time. Very similar, but with different payment information.
6) The message body is different in most mails; sometimes it shows an Apple Mail embedded JPG, sometimes a generic one. All multipart messages.

We are getting a nospoofing score, so that's good. DNSBL are almost always neutral. The servers are greylisted, and then retry.

Thoughts / issues / questions:

1) More strict DMARC / SPF rules aren't an option. In what I find very frustrating, my org uses third party services that spoof our addresses regularly. I've tried to get them to use a subdomain, use DKIM signing, and get us correct SPF information, to no avail.
2) I'm not using the OCR plugin; is that the magic fix here?
3) What's the best way to stop spoofed inbound email to our domains? I'm concerned that some (poorly designed, IMO) legitimate external systems seem to send email with the envelope-from being their domain, but with our domain in the FROM header. I'm tempted to just block spoofed mail, though I'm terrified of the ramifications of doing so from management and of inadvertently blocking good mail.
3a) If I add exceptions to noSpoofingCheckDomain for the services that I know spoof us in the From or Reply-To, will a match in the envelope-from to this list allow a message through even if there is a spoof in the header FROM or REPLY-TO?
4) Any other suggestions would be highly appreciated.

Thanks
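The characteristics listed in the post (header From equal to the recipient, blank or recipient-derived subject, a body that is nothing but an embedded image) can be scored as independent traits so that no single one of them blocks legitimate mail on its own. The following is an added example written for this thread, not code from ASSP or from the original poster; it uses only the Python standard library, and the sample messages, addresses and trait weights are constructed for illustration.

```python
"""Heuristic scorer for the image-only extortion spam pattern described above.

Traits checked per message (each is a weak signal; only the combination flags):
  - header From (or Reply-To) equals the recipient's own address
  - Subject blank, or equal to the recipient's local part / full address
  - the only content part is an image (no text/plain or text/html with real text)
Sample messages built by build_sample() are constructed data, not real captures.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed weights; tune against your own mail stream before enforcing.
WEIGHTS = {
    "from_equals_recipient": 3,
    "replyto_equals_recipient": 2,
    "blank_subject": 1,
    "subject_is_recipient": 2,
    "image_only_body": 3,
}


def _addr(value):
    """Normalise a header value to a bare lower-case address."""
    return parseaddr(value or "")[1].strip().lower()


def extortion_traits(msg):
    """Return the list of trait names matched by a parsed EmailMessage."""
    traits = []
    recipient = _addr(msg.get("To"))
    local_part = recipient.split("@")[0] if recipient else ""

    # Trait: header From / Reply-To spoofs the recipient's own address.
    if recipient and _addr(msg.get("From")) == recipient:
        traits.append("from_equals_recipient")
    if recipient and _addr(msg.get("Reply-To")) == recipient:
        traits.append("replyto_equals_recipient")

    # Trait: blank subject, or subject equal to local part / full address.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == "":
        traits.append("blank_subject")
    elif subject in (local_part, recipient):
        traits.append("subject_is_recipient")

    # Trait: body consists only of image parts, with no text content at all.
    text_chars = 0
    image_parts = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            text_chars += len(part.get_content().strip())
    if image_parts >= 1 and text_chars == 0:
        traits.append("image_only_body")
    return traits


def parse_raw(raw_bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)


def traits_of_raw(raw_bytes):
    return extortion_traits(parse_raw(raw_bytes))


def score_raw(raw_bytes):
    return sum(WEIGHTS[t] for t in traits_of_raw(raw_bytes))


def is_extortion_candidate(raw_bytes, threshold=6):
    """True when enough traits coincide; threshold is an assumed starting point."""
    return score_raw(raw_bytes) >= threshold


def build_sample(from_addr, to_addr, subject, text="", with_image=False):
    """Construct a multipart sample message (constructed test data)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = to_addr
    m["Subject"] = subject
    m.set_content(text)
    if with_image:
        # Minimal fake JPEG payload: SOI/APP0 marker bytes followed by filler.
        m.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                         maintype="image", subtype="jpeg", filename="img.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    spam = build_sample("victim@example.org", "victim@example.org", "", with_image=True)
    legit = build_sample("vendor@example.net", "victim@example.org", "Invoice",
                         text="Please see the attached invoice.", with_image=True)
    print(traits_of_raw(spam), is_extortion_candidate(spam))
    print(traits_of_raw(legit), is_extortion_candidate(legit))
```

The point of scoring rather than matching any one trait is the false-positive concern raised in the post: third-party services that legitimately put your domain in the From header will hit the self-spoof trait, but not the blank-subject and image-only-body traits, so they stay below the threshold while the extortion pattern, which hits all three, does not.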
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test