Re: help with phishing email?

2017-12-10 Thread David Jones

On 12/10/2017 11:49 AM, Colony.three wrote:

>> - http://www.postfix.org/POSTSCREEN_README.html
>>
>> with that config and postscreen properly configured you block far more
>> than 90% of junk without risk of false positives
>>
>> postscreen_dnsbl_threshold = 8
>> postscreen_dnsbl_action = enforce
>> postscreen_greet_action = enforce
>> postscreen_dnsbl_sites =
>> dnsbl.sorbs.net=127.0.0.10/9
>> dnsbl.sorbs.net=127.0.0.14/9
>> zen.spamhaus.org=127.0.0.[10;11]/8
>> dnsbl.sorbs.net=127.0.0.5/7
>> zen.spamhaus.org=127.0.0.[4..7]/7
>> b.barracudacentral.org=127.0.0.2/7
>> zen.spamhaus.org=127.0.0.3/7
>> dnsbl.inps.de=127.0.0.2/7
>> hostkarma.junkemailfilter.com=127.0.0.2/4
>> dnsbl.sorbs.net=127.0.0.7/4
>> bl.spamcop.net=127.0.0.2/4
>> bl.spameatingmonkey.net=127.0.0.[2;3]/4
>> dnsrbl.swinog.ch=127.0.0.3/4
>> ix.dnsbl.manitu.net=127.0.0.2/4
>> psbl.surriel.com=127.0.0.2/4
>> bl.mailspike.net=127.0.0.[10;11;12]/4
>> bl.mailspike.net=127.0.0.2/4
>> zen.spamhaus.org=127.0.0.2/3
>> score.senderscore.com=127.0.4.[0..20]/3
>> bl.spamcannibal.org=127.0.0.2/3
>> dnsbl.sorbs.net=127.0.0.6/3
>> dnsbl.sorbs.net=127.0.0.8/2
>> hostkarma.junkemailfilter.com=127.0.0.4/2
>> dnsbl.sorbs.net=127.0.0.9/2
>> dnsbl-1.uceprotect.net=127.0.0.2/2
>> all.spamrats.com=127.0.0.38/2
>> bl.nszones.com=127.0.0.[2;3]/1
>> dnsbl-2.uceprotect.net=127.0.0.2/1
>> dnsbl.sorbs.net=127.0.0.2/1
>> dnsbl.sorbs.net=127.0.0.4/1
>> score.senderscore.com=127.0.4.[0..69]/1
>> dnsbl.sorbs.net=127.0.0.3/1
>> hostkarma.junkemailfilter.com=127.0.1.2/1
>> dnsbl.sorbs.net=127.0.0.15/1
>> ips.backscatterer.org=127.0.0.2/1
>> bl.nszones.com=127.0.0.5/-1
>> score.senderscore.com=127.0.4.[90..100]/-1
>> wl.mailspike.net=127.0.0.[18;19;20]/-2
>> hostkarma.junkemailfilter.com=127.0.0.1*-2
>> ips.whitelisted.org=127.0.0.2*-2
>> list.dnswl.org=127.0.[0..255].0*-2
>> dnswl.inps.de=127.0.[0;1].[2..10]/-2
>> list.dnswl.org=127.0.[0..255].1/-3
>> list.dnswl.org=127.0.[0..255].2*-4
>> list.dnswl.org=127.0.[0..255].3*-5
>
> Now that I've had a chance to study this, and despite our history, I'd
> like to thank you, Harald, for this useful information.  I am sure that a
> number of others present are grateful too.
>
> This will bring peace to many an Inbox.


Postwhite goes perfectly with the above postscreen weighted RBLs to 
reduce FPs down to zero:


https://github.com/stevejenkins/postwhite

You will want to setup the special Yahoo exclusions and add any other 
major/trusted senders (ex. authsmtp.com) based on their SPF record.


--
David Jones


Re: help with phishing email?

2017-12-10 Thread Colony.three
> -  http://www.postfix.org/POSTSCREEN_README.html
>
> with that config and postscreen properly configured you block far more
> than 90% of junk without risk of false positives
>
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites =
> dnsbl.sorbs.net=127.0.0.10/9
> dnsbl.sorbs.net=127.0.0.14/9
> zen.spamhaus.org=127.0.0.[10;11]/8
> dnsbl.sorbs.net=127.0.0.5/7
> zen.spamhaus.org=127.0.0.[4..7]/7
> b.barracudacentral.org=127.0.0.2/7
> zen.spamhaus.org=127.0.0.3/7
> dnsbl.inps.de=127.0.0.2/7
> hostkarma.junkemailfilter.com=127.0.0.2/4
> dnsbl.sorbs.net=127.0.0.7/4
> bl.spamcop.net=127.0.0.2/4
> bl.spameatingmonkey.net=127.0.0.[2;3]/4
> dnsrbl.swinog.ch=127.0.0.3/4
> ix.dnsbl.manitu.net=127.0.0.2/4
> psbl.surriel.com=127.0.0.2/4
> bl.mailspike.net=127.0.0.[10;11;12]/4
> bl.mailspike.net=127.0.0.2/4
> zen.spamhaus.org=127.0.0.2/3
> score.senderscore.com=127.0.4.[0..20]/3
> bl.spamcannibal.org=127.0.0.2/3
> dnsbl.sorbs.net=127.0.0.6/3
> dnsbl.sorbs.net=127.0.0.8/2
> hostkarma.junkemailfilter.com=127.0.0.4/2
> dnsbl.sorbs.net=127.0.0.9/2
> dnsbl-1.uceprotect.net=127.0.0.2/2
> all.spamrats.com=127.0.0.38/2
> bl.nszones.com=127.0.0.[2;3]/1
> dnsbl-2.uceprotect.net=127.0.0.2/1
> dnsbl.sorbs.net=127.0.0.2/1
> dnsbl.sorbs.net=127.0.0.4/1
> score.senderscore.com=127.0.4.[0..69]/1
> dnsbl.sorbs.net=127.0.0.3/1
> hostkarma.junkemailfilter.com=127.0.1.2/1
> dnsbl.sorbs.net=127.0.0.15/1
> ips.backscatterer.org=127.0.0.2/1
> bl.nszones.com=127.0.0.5/-1
> score.senderscore.com=127.0.4.[90..100]/-1
> wl.mailspike.net=127.0.0.[18;19;20]/-2
> hostkarma.junkemailfilter.com=127.0.0.1*-2
> ips.whitelisted.org=127.0.0.2*-2
> list.dnswl.org=127.0.[0..255].0*-2
> dnswl.inps.de=127.0.[0;1].[2..10]/-2
> list.dnswl.org=127.0.[0..255].1/-3
> list.dnswl.org=127.0.[0..255].2*-4
> list.dnswl.org=127.0.[0..255].3*-5

Now that I've had a chance to study this, and despite our history, I'd like to 
thank you, Harald, for this useful information.  I am sure that a number of 
others present are grateful too.

This will bring peace to many an Inbox.

Re: help with phishing email?

2017-12-09 Thread David Jones

On 12/09/2017 05:40 AM, Rupert Gallagher wrote:

> ...
>
> On Sat, Dec 9, 2017 at 04:24, Jari Fredriksson wrote:
>
>> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)


I would recommend setting the score for SPF_FAIL to a point or two these 
days.  Major mail hosting providers like Google would have put this 
email into the Spam/Junk folder because of the SPF failure.


/etc/mail/spamassassin/local.cf (or zz_scores.cf to make sure it loads 
last):


score SPF_FAIL 2.0

I have it score much higher on my SA platform due to other local meta 
rules that amplify some good and bad rules.


--
David Jones


Re: help with phishing email?

2017-12-09 Thread Rupert Gallagher
...

On Sat, Dec 9, 2017 at 04:24, Jari Fredriksson wrote:

> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

Re: help with phishing email?

2017-12-09 Thread Pedro David Marco
wow... depending on your geolocation, the phishing text changes and, at least 
in Spanish, it is totally correct!!
sometimes I have to take my hat off...
-PedroD

Re: help with phishing email?

2017-12-08 Thread Colony.three
> first: before you call me again a fascist just because I don't agree
> with your opinions backed by 10 years professional mailadmin better
> don't give half-thought advice!
>
> On 09.12.2017 at 03:50, Colony.three wrote:
>
>> Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions =
>> ...reject_rbl_client zen.spamhaus.org
>>
>> this is completely wrong and dangerous

Oh?  Why didn't you say anything three days ago when another member of this 
listserv recommended it, Harald?

Re: help with phishing email?

2017-12-08 Thread Jari Fredriksson


> Tom Hendrikx wrote on 9.12.2017 at 0.34:
> 
> On 08-12-17 19:09, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>> 
>> https://pastebin.com/hCX9MWNg
>> 
>> Looking at the raw headers and body it's pretty easy to tell this is a
>> spoof, but when it shows-up in an inbox, it looks pretty good.
>> 
>> Something specific to Amazon (where this is purported to come from)
>> would be to check if their domain is in the From and Reply-To and at
>> least score that relatively high if it's not correct - but compared to
>> what?  Maybe if From text contains amazon/i and from-address does not
>> end with amazon.com (for me in the US at least)?
>> 
>> That feels forced.  Does anyone have any suggestions to help me out on
>> this fine Friday?
>> 
> 
> Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
> you can easily whitelist anything from amazon based on that, and then
> subtract some points for everything that has '\bAmazon\b' in the
> From:name header.
> 
> Kind regards,
>   Tom

A couple of local rules saved here:

Content analysis details:   (8.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 L_SUOMISPAM            RBL: Sender is in #suomispam blocklist
                            [20160519 coinletters1.com]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [69.252.207.24 listed in list.dnswl.org]
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/Why?s=mfrom;id=contact%40email.linushonor.co.uk;ip=69.252.207.24;r=gamecock.fredriksson.dy.fi]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 T_TVD_MIME_NO_HEADERS  BODY: No description available.
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4998]
 1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 1.0 L_FROM_NOT_REPLY       From: and Reply-To: have different domains
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS






Re: help with phishing email?

2017-12-08 Thread Colony.three
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows-up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what?  Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced.  Does anyone have any suggestions to help me out on
> this fine Friday?
>
> Thanks,
> AJ

You shouldn't have even received that.  Consider setting up your email as per 
this guide:  
https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/

After 3 months, and two major failures setting up email (not to mention 
shattered self-worth), this article series is what finally got me spinning.

Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions = 
...reject_rbl_client zen.spamhaus.org,

Re: help with phishing email?

2017-12-08 Thread David B Funk

On Fri, 8 Dec 2017, John Hardin wrote:

> On Fri, 8 Dec 2017, AJ Weber wrote:
>
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>
> That appears to be corrupt. I downloaded it and ran it through my testbed and
> it wouldn't decode the body.


Don't know if it was the pastebin, but the MIME headers were mangled.
Fixing those (and removing the space at the beginning of the base64 lines) made 
it parse-able.


It's clearly misleading spam, not sure where the phish is. (but then I didn't go 
thru their "survey").


There's a bunch of anomalous things about that message;

 3 Message-ID: headers, one of which tries to look like from outlook.com
 2 Reply-To: headers, one of which has a clearly bogus address: 
 3 Received: from relay167.mysmtp.mobi (relay167.mysmtp.mobi [93.90.117.141])
lines.

 MIME-Version: 4.0

50 blank lines at the start of the message, borked HTML (mismatched tags, 
code after the closing tag, etc).


That "http://email dot turnaroundbaby dot be" site looks new & bogus, I just 
tossed it in my personal RBL list.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: help with phishing email?

2017-12-08 Thread John Hardin

On Fri, 8 Dec 2017, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg


That appears to be corrupt. I downloaded it and ran it through my testbed 
and it wouldn't decode the body.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 7 days until Bill of Rights day


Re: help with phishing email?

2017-12-08 Thread Tom Hendrikx
On 08-12-17 19:09, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
> 
> https://pastebin.com/hCX9MWNg
> 
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows-up in an inbox, it looks pretty good.
> 
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what?  Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
> 
> That feels forced.  Does anyone have any suggestions to help me out on
> this fine Friday?
> 

Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
you can easily whitelist anything from amazon based on that, and then
subtract some points for everything that has '\bAmazon\b' in the
From:name header.

Kind regards,
Tom



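A local.cf fragment that puts the thread's suggestions together: David's SPF_FAIL bump, AJ's "Amazon in the display name but not an amazon domain" check, and Tom's rule that authenticated (SPF pass, author-aligned DKIM) Amazon mail earns credit while anything else claiming Amazon pays for it. This is an added example, not any poster's own rules; the L_AMZN_* names, the scores and the list of Amazon TLDs are assumptions to adapt, and the meta rules assume the stock SPF and DKIM plugins are loaded so SPF_PASS and DKIM_VALID_AU exist.

```conf
# Added example for /etc/mail/spamassassin/local.cf (not any poster's rules).
# L_AMZN_* names, scores and the amazon TLD list are assumptions; SPF_PASS
# and DKIM_VALID_AU come from the stock SPF and DKIM plugins.

# David Jones: an SPF fail should cost a point or two these days.
score    SPF_FAIL            2.0

# Display name claims Amazon (Tom's '\bAmazon\b' test on From:name) ...
header   __L_AMZN_NAME       From:name =~ /\bAmazon\b/i

# ... and the address really is under an amazon domain (AJ's check).
# Extend the TLD list for the Amazon storefronts your users deal with.
header   __L_AMZN_ADDR       From:addr =~ /\@(?:[\w-]+\.)*amazon\.(?:com|co\.uk|de|fr|es|it|ca)$/i

# Real Amazon mail passes SPF and carries an author-aligned DKIM signature.
meta     __L_AMZN_AUTH       SPF_PASS && DKIM_VALID_AU

# Amazon in the display name, but the address is not an amazon domain.
meta     L_AMZN_SPOOF_NAME   __L_AMZN_NAME && !__L_AMZN_ADDR
describe L_AMZN_SPOOF_NAME   From: display name says Amazon but address domain is not amazon
score    L_AMZN_SPOOF_NAME   2.5

# Amazon domain in the address, but the message did not authenticate;
# this stacks on top of SPF_FAIL itself when SPF is what failed.
meta     L_AMZN_SPOOF_AUTH   __L_AMZN_NAME && __L_AMZN_ADDR && !__L_AMZN_AUTH
describe L_AMZN_SPOOF_AUTH   Claims an amazon domain but SPF / aligned DKIM did not pass
score    L_AMZN_SPOOF_AUTH   3.0

# The whitelist half: authenticated Amazon mail gets a little credit.
meta     L_AMZN_AUTH_OK      __L_AMZN_NAME && __L_AMZN_ADDR && __L_AMZN_AUTH
describe L_AMZN_AUTH_OK      Amazon display name with an authenticated amazon domain
score    L_AMZN_AUTH_OK      -1.0
```

Run `spamassassin --lint` after adding it; an unloaded SPF or DKIM plugin shows up there as an unknown rule name in the meta expressions.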

Re: help with phishing email?

2017-12-08 Thread Pedro David Marco
AJ,
I cannot see anything with sense... is the pastebin correct?
-PedroD