On 06/13/2018 02:20 PM, Alex wrote:
> Hi,
> This phish appears to have been routed through Amazon but DKIM signed
> by squareup. Is this a compromised squareup.com account?
> https://pastebin.com/CxvULHF6
> From 01000163fa173c6b-7d47b00d-af5c-4755-b203-74392b57ec3d-000...@amazonses.com
> Wed Jun 13 13:00:20 2018
> From: INVOICE#
> Reply-To: "Advanced Consulting & Treatment, LLC"
> Thanks,
> Alex
Compromised accounts or bad customers are going to happen with any
system. If you see one or two here or there, report them to SpamCop and
maybe directly to their abuse contact and move on. If you start seeing
a pattern of abuse that they are not handling, then start working on a
way to block the individual sender within that platform. If it's a
major platform like amazonses.com, then it could cause too much
collateral damage to block the whole platform.
On that particular email in pastebin, my SA would not have blocked it
either but you may want to bump up the score of DCC_CHECK a bit or make
a meta rule with DCC_CHECK and DRUGS_DIET to add a point or so. Also,
now that IP is not hitting RCVD_IN_HOSTKARMA_W so your scoring may come
close to blocking that same email today.
I am adding some characteristics of that email to my local rules to
block them going forward. For example:
- INVOICE in all caps is suspicious in the Subject -- add 1 point
- INVOICE in the From:name is suspicious -- add 1 point
- Combo of Invoice and DRUGS_DIET should never hit in a real Invoice
email so adding a couple of points for that.
Now that email is hitting a score of 9.3 on my local SA so thanks for
the spample.
Invoice phishing emails have become very bad over the past 6 months, which
has caused me the most work to stay on top of them. I have had to take the
approach of potentially over-blocking them to be on the safe side and then
whitelisting the good ones, since these are causing major economic damage
in finance departments from social engineering.
--
David Jones
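The local rules David describes above (INVOICE in the Subject, INVOICE in
the From display name, a meta rule pairing either with DRUGS_DIET, and a
DCC_CHECK + DRUGS_DIET meta) written out as a SpamAssassin local.cf
fragment. This is an added example, not David's actual rule file: the
LOCAL_* rule names, the score values and the example.com whitelist entry
are assumptions chosen for illustration. DRUGS_DIET is a stock rule, and
DCC_CHECK only exists when the DCC plugin is loaded.

```conf
# --- Added example local.cf rules for invoice-lure phish (not the poster's own file) ---

# INVOICE in all caps in the Subject. No /i flag, so "Invoice" in normal
# case does not hit; SpamAssassin hands the decoded Subject to the regex.
header   LOCAL_SUBJ_INVOICE_CAPS   Subject =~ /\bINVOICE\b/
describe LOCAL_SUBJ_INVOICE_CAPS   Subject contains INVOICE in all caps
score    LOCAL_SUBJ_INVOICE_CAPS   1.0

# INVOICE used as the From: display name (the sample had "From: INVOICE#").
# The :name modifier matches only the display-name part, not the address.
header   LOCAL_FROM_NAME_INVOICE   From:name =~ /\bINVOICE\b/i
describe LOCAL_FROM_NAME_INVOICE   From display name is INVOICE
score    LOCAL_FROM_NAME_INVOICE   1.0

# A real invoice should never also trip the stock DRUGS_DIET rule, so the
# combination is worth a couple of extra points on its own.
meta     LOCAL_INVOICE_DRUGS_DIET  (LOCAL_SUBJ_INVOICE_CAPS || LOCAL_FROM_NAME_INVOICE) && DRUGS_DIET
describe LOCAL_INVOICE_DRUGS_DIET  Invoice lure combined with diet/drug wording
score    LOCAL_INVOICE_DRUGS_DIET  2.0

# Bulk-mail fingerprint (DCC) plus diet/drug wording: add about a point.
# Requires "loadplugin Mail::SpamAssassin::Plugin::DCC" to be enabled.
meta     LOCAL_DCC_DRUGS_DIET      DCC_CHECK && DRUGS_DIET
describe LOCAL_DCC_DRUGS_DIET      DCC bulk hit combined with diet/drug wording
score    LOCAL_DCC_DRUGS_DIET      1.0

# Over-blocking invoices, then whitelisting the legitimate senders.
# whitelist_from_rcvd checks the envelope sender AND the relaying host's
# rDNS, so a forged From: alone does not get the pass (assumed example sender).
whitelist_from_rcvd  billing@example.com  example.com
```

Drop the fragment into /etc/mail/spamassassin/local.cf (or a separate .cf
file in the same directory), run `spamassassin --lint` to catch syntax
errors, then feed the saved sample through `spamassassin -t < phish.eml` and
look for the LOCAL_* names in the report to confirm each rule fires on the
message it was written for.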