Re: Crap getting through

2020-11-09 Thread RW
On Mon, 9 Nov 2020 12:44:04 +
RW wrote:

> On Sun, 8 Nov 2020 19:49:20 -0500
> Rob McEwen wrote:
> 
> > Daryl,
> > 
> > Can you please post a copy of the raw email message - with headers
> > - perhaps with your own user's email address (and name?) masked out 
> > (change to "")   
> 
> It's best to leave it syntactically correct and with self-consistent
> obfuscation, so it can be run through SA without having to be edited a
> send time.

second time


Re: Crap getting through

2020-11-09 Thread RW
On Sun, 8 Nov 2020 19:49:20 -0500
Rob McEwen wrote:

> Daryl,
> 
> Can you please post a copy of the raw email message - with headers - 
> perhaps with your own user's email address (and name?) masked out 
> (change to "") 

It's best to leave it syntactically correct and with self-consistent
obfuscation, so it can be run through SA without having to be edited a
second time.


Re: Crap getting through

2020-11-09 Thread Matus UHLAR - fantomas

On 09.11.20 05:07, Daryl Rose wrote:

Sorry, I deleted it right away.  I normally delete that crap as soon as it
comes in.   I'll remember to keep it next time I get something so I can
post the headers.


I keep spam and phishes in special mail directories for later examination.



On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen  wrote:

Can you please post a copy of the raw email message - with headers -
perhaps with your own user's email address (and name?) masked out (change
to "") - to pastebin, or to a similar site - then reply here with
the link. It is difficult to give specific suggestions without having the
raw underlying text of the message (w/headers). But please try to avoid
pasting that directly to this list. Thanks!



On 11/8/2020 5:00 PM, Daryl Rose wrote:

I'm getting obvious phishing attempts. This one was made to look like it
was from Wells Fargo with an obvious spoofed email address.  However, when
I examined the headers, the From Address was this garbage:
*=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=  *



This is not garbage, this is a MIME-encoded string:


*WễllsḞargo Bank  *


...and that is garbage.
But it should be quite easily caught.



I received another one that was meant to be an Amazon Prime Membership
failure.   How can I block these?  The last time I inquired about phishing,
it was suggested to install KAM, which I did, but this crap is still
getting through.  Any other suggestions?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.


Re: Crap getting through

2020-11-09 Thread Daryl Rose
Sorry, I deleted it right away.  I normally delete that crap as soon as it
comes in.   I'll remember to keep it next time I get something so I can
post the headers.

Daryl

On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen  wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out (change
> to "") - to pastebin, or to a similar site - then reply here with
> the link. It is difficult to give specific suggestions without having the
> raw underlying text of the message (w/headers). But please try to avoid
> pasting that directly to this list. Thanks!
>
> Rob McEwen
>
>
> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address.  However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=  *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure.   How can I block these?  The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through.  Any other suggestions?
>
> Thank you.
>
> Daryl
>
>
>
>
> --
> Rob McEwen, invaluement
>
>


Re: Crap getting through

2020-11-08 Thread John Hardin

On Sun, 8 Nov 2020, Daryl Rose wrote:


I'm getting obvious phishing attempts. This one was made to look like it
was from Wells Fargo with an obvious spoofed email address.  However, when
I examined the headers, the From Address was this garbage:
*=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=  *


Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably 
won't pass masscheck and get published because there are probably few 
examples of that in the corpus.


Added to my sandbox:

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body    __FUZZY_WELLSFARGO_BODY  /(?!ells[-\s]?Fargo)[-\s]?/i
  replace_rules __FUZZY_WELLSFARGO_BODY
  header  __FUZZY_WELLSFARGO_FROM  From:name =~ /(?!ells[-\s]?Fargo)[-\s]?/i
  replace_rules __FUZZY_WELLSFARGO_FROM
  meta    FUZZY_WELLSFARGO  __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
endif

Do you have something like this in place?

  whitelist_auth  *@wellsfargo.com
  blacklist_from  *@wellsfargo.com
  whitelist_auth  *@*.wellsfargo.com
  blacklist_from  *@*.wellsfargo.com
  whitelist_auth  *@bankofamerica.com
  blacklist_from  *@bankofamerica.com
  whitelist_auth  *@*.bankofamerica.com
  blacklist_from  *@*.bankofamerica.com



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Sheep have only two speeds: graze and stampede. -- LTC Grossman
---
 Tomorrow: The 82nd anniversary of Kristallnacht - disarmament enables genocide
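The two detection points raised in this thread (Matus: the From: name is an RFC 2047 encoded-word that decodes to "WễllsḞargo Bank"; John: a fuzzy brand match plus a whitelist_auth/blacklist_from pair for the brand's real domains) can be shown together in a few lines of Python. This is an added example, not code from the thread or from SpamAssassin. It decodes the encoded-word quoted above, folds the accented lookalike letters back to ASCII with NFKD normalization (my approach here, not the ReplaceTags mechanism John's rule uses), and flags a brand name that either carries such lookalike letters or sits on a domain the brand does not send from. The sender address in the sample is hypothetical (the archive stripped the real one); the brand domains are the ones listed in John's whitelist_auth lines.

```python
# Added example, not from the thread or from SpamAssassin: decode an RFC 2047
# encoded-word in a From: display name, fold lookalike letters to ASCII, and
# flag display names that impersonate a brand.
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: the encoded display name quoted in the thread, with a
# hypothetical sender address (the real one was stripped from the archive).
SAMPLE_FROM = "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= <alerts@example.invalid>"

# Brand patterns and the domains each brand legitimately sends from
# (domains taken from the whitelist_auth/blacklist_from lines in the thread).
BRANDS = {
    "wellsfargo": (re.compile(r"wells[-\s]?fargo", re.I), {"wellsfargo.com"}),
    "bankofamerica": (re.compile(r"bank[-\s]?of[-\s]?america", re.I), {"bankofamerica.com"}),
}


def decode_display_name(from_header):
    """Return (display_name, address) with any RFC 2047 encoded-words decoded."""
    name, addr = parseaddr(from_header)
    name = str(make_header(decode_header(name)))
    return name, addr


def fold_to_ascii(text):
    """Strip diacritics (NFKD, then drop combining marks): 'WễllsḞargo' -> 'WellsFargo'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_brand_domains(domain, allowed):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(from_header):
    """Describe whether a From: header looks like brand impersonation."""
    name, addr = decode_display_name(from_header)
    folded = fold_to_ascii(name)
    domain = domain_of(addr)
    result = {
        "name": name,
        "folded": folded,
        "domain": domain,
        "brand": None,
        "homoglyphs": folded != name,  # accented lookalikes were present
        "suspicious": False,
    }
    for brand, (pattern, allowed) in BRANDS.items():
        if pattern.search(folded):
            result["brand"] = brand
            # Lookalike letters in the name, or the brand name on a domain the
            # brand does not use, is what a FUZZY_WELLSFARGO-style rule scores.
            result["suspicious"] = result["homoglyphs"] or not in_brand_domains(domain, allowed)
            break
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_FROM))
```

Run it as-is and the sample decodes to "WễllsḞargo Bank", folds to "WellsFargo Bank", matches the wellsfargo pattern and is flagged on both counts. A display name of "Wells Fargo" on a wellsfargo.com (or subdomain) address is not flagged; the same name on any other domain is. Whether mail from the brand's own domain actually authenticates is the separate check John's whitelist_auth/blacklist_from pairs delegate to SPF/DKIM, which this snippet does not perform.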


Re: Crap getting through

2020-11-08 Thread Benny Pedersen

Daryl Rose skrev den 2020-11-08 23:00:

I'm getting obvious phishing attempts.


report to https://phishtank.com/ then


This one was made to look like
it was from Wells Fargo with an obvious spoofed email address.


so what did spamassassin say about that?


However, when I examined the headers, the From Address was this
garbage: =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=


nice trick to avoid testing?

developers of sa, utf-8 and qp is basically fucked everywhere :/

but this one is base64


I received another one that was meant to be an Amazon Prime Membership
failure.


maybe amazon prime hands out too many free accounts? :-)


How can I block these?


if you like me to answer that i could give next weeks lotto numbers in 
return :-)



The last time I inquired about
phishing, it was suggested to install KAM,


now it seems you need to build corpus without rescoring anything in 
kam.cf


make a DR.cf to build locally on your self control


which I did, but this crap
is still getting through.  Any other suggestions?


without any samples no one can help

you have all that is needed to make DR.cf?


Re: Crap getting through

2020-11-08 Thread Rob McEwen

Daryl,

Can you please post a copy of the raw email message - with headers - 
perhaps with your own user's email address (and name?) masked out 
(change to "") - to pastebin, or to a similar site - then reply 
here with the link. It is difficult to give specific suggestions without 
having the raw underlying text of the message (w/headers). But please 
try to avoid pasting that directly to this list. Thanks!


Rob McEwen


On 11/8/2020 5:00 PM, Daryl Rose wrote:
I'm getting obvious phishing attempts. This one was made to look like 
it was from Wells Fargo with an obvious spoofed email address.  
However, when I examined the headers, the From Address was this 
garbage: *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *


I received another one that was meant to be an Amazon Prime Membership 
failure.   How can I block these?  The last time I inquired about 
phishing, it was suggested to install KAM, which I did, but this crap 
is still getting through.  Any other suggestions?


Thank you.

Daryl





--
Rob McEwen, invaluement



Crap getting through

2020-11-08 Thread Daryl Rose
I'm getting obvious phishing attempts. This one was made to look like it
was from Wells Fargo with an obvious spoofed email address.  However, when
I examined the headers, the From Address was this garbage:
*=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=  *

I received another one that was meant to be an Amazon Prime Membership
failure.   How can I block these?  The last time I inquired about phishing,
it was suggested to install KAM, which I did, but this crap is still
getting through.  Any other suggestions?

Thank you.

Daryl