Re: help with phishing email?
On 12/10/2017 11:49 AM, Colony.three wrote:
>> * http://www.postfix.org/POSTSCREEN_README.html
>>
>> with that config and postscreen properly configured you block far more
>> than 90% of junk without risk false positives
>>
>> postscreen_dnsbl_threshold = 8
>> postscreen_dnsbl_action = enforce
>> postscreen_greet_action = enforce
>> postscreen_dnsbl_sites =
>>   dnsbl.sorbs.net=127.0.0.10*9
>>   dnsbl.sorbs.net=127.0.0.14*9
>>   zen.spamhaus.org=127.0.0.[10;11]*8
>>   dnsbl.sorbs.net=127.0.0.5*7
>>   zen.spamhaus.org=127.0.0.[4..7]*7
>>   b.barracudacentral.org=127.0.0.2*7
>>   zen.spamhaus.org=127.0.0.3*7
>>   dnsbl.inps.de=127.0.0.2*7
>>   hostkarma.junkemailfilter.com=127.0.0.2*4
>>   dnsbl.sorbs.net=127.0.0.7*4
>>   bl.spamcop.net=127.0.0.2*4
>>   bl.spameatingmonkey.net=127.0.0.[2;3]*4
>>   dnsrbl.swinog.ch=127.0.0.3*4
>>   ix.dnsbl.manitu.net=127.0.0.2*4
>>   psbl.surriel.com=127.0.0.2*4
>>   bl.mailspike.net=127.0.0.[10;11;12]*4
>>   bl.mailspike.net=127.0.0.2*4
>>   zen.spamhaus.org=127.0.0.2*3
>>   score.senderscore.com=127.0.4.[0..20]*3
>>   bl.spamcannibal.org=127.0.0.2*3
>>   dnsbl.sorbs.net=127.0.0.6*3
>>   dnsbl.sorbs.net=127.0.0.8*2
>>   hostkarma.junkemailfilter.com=127.0.0.4*2
>>   dnsbl.sorbs.net=127.0.0.9*2
>>   dnsbl-1.uceprotect.net=127.0.0.2*2
>>   all.spamrats.com=127.0.0.38*2
>>   bl.nszones.com=127.0.0.[2;3]*1
>>   dnsbl-2.uceprotect.net=127.0.0.2*1
>>   dnsbl.sorbs.net=127.0.0.2*1
>>   dnsbl.sorbs.net=127.0.0.4*1
>>   score.senderscore.com=127.0.4.[0..69]*1
>>   dnsbl.sorbs.net=127.0.0.3*1
>>   hostkarma.junkemailfilter.com=127.0.1.2*1
>>   dnsbl.sorbs.net=127.0.0.15*1
>>   ips.backscatterer.org=127.0.0.2*1
>>   bl.nszones.com=127.0.0.5*-1
>>   score.senderscore.com=127.0.4.[90..100]*-1
>>   wl.mailspike.net=127.0.0.[18;19;20]*-2
>>   hostkarma.junkemailfilter.com=127.0.0.1*-2
>>   ips.whitelisted.org=127.0.0.2*-2
>>   list.dnswl.org=127.0.[0..255].0*-2
>>   dnswl.inps.de=127.0.[0;1].[2..10]*-2
>>   list.dnswl.org=127.0.[0..255].1*-3
>>   list.dnswl.org=127.0.[0..255].2*-4
>>   list.dnswl.org=127.0.[0..255].3*-5
>
> Now that I've had a chance to study this, and despite our history, I'd
> like to thank you Harald, for this useful information.
>
> I am sure that a number of others present are grateful too. This will
> bring peace to many an Inbox.

Postwhite goes perfectly with the above postscreen weighted RBLs to
reduce FPs down to zero:

https://github.com/stevejenkins/postwhite

You will want to set up the special Yahoo exclusions and add any other
major/trusted senders (ex. authsmtp.com) based on their SPF record.

--
David Jones
Re: help with phishing email?
> - http://www.postfix.org/POSTSCREEN_README.html
>
> with that config and postscreen properly configured you block far more
> than 90% of junk without risk false positives
>
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites =
>   dnsbl.sorbs.net=127.0.0.10*9
>   dnsbl.sorbs.net=127.0.0.14*9
>   zen.spamhaus.org=127.0.0.[10;11]*8
>   dnsbl.sorbs.net=127.0.0.5*7
>   zen.spamhaus.org=127.0.0.[4..7]*7
>   b.barracudacentral.org=127.0.0.2*7
>   zen.spamhaus.org=127.0.0.3*7
>   dnsbl.inps.de=127.0.0.2*7
>   hostkarma.junkemailfilter.com=127.0.0.2*4
>   dnsbl.sorbs.net=127.0.0.7*4
>   bl.spamcop.net=127.0.0.2*4
>   bl.spameatingmonkey.net=127.0.0.[2;3]*4
>   dnsrbl.swinog.ch=127.0.0.3*4
>   ix.dnsbl.manitu.net=127.0.0.2*4
>   psbl.surriel.com=127.0.0.2*4
>   bl.mailspike.net=127.0.0.[10;11;12]*4
>   bl.mailspike.net=127.0.0.2*4
>   zen.spamhaus.org=127.0.0.2*3
>   score.senderscore.com=127.0.4.[0..20]*3
>   bl.spamcannibal.org=127.0.0.2*3
>   dnsbl.sorbs.net=127.0.0.6*3
>   dnsbl.sorbs.net=127.0.0.8*2
>   hostkarma.junkemailfilter.com=127.0.0.4*2
>   dnsbl.sorbs.net=127.0.0.9*2
>   dnsbl-1.uceprotect.net=127.0.0.2*2
>   all.spamrats.com=127.0.0.38*2
>   bl.nszones.com=127.0.0.[2;3]*1
>   dnsbl-2.uceprotect.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.4*1
>   score.senderscore.com=127.0.4.[0..69]*1
>   dnsbl.sorbs.net=127.0.0.3*1
>   hostkarma.junkemailfilter.com=127.0.1.2*1
>   dnsbl.sorbs.net=127.0.0.15*1
>   ips.backscatterer.org=127.0.0.2*1
>   bl.nszones.com=127.0.0.5*-1
>   score.senderscore.com=127.0.4.[90..100]*-1
>   wl.mailspike.net=127.0.0.[18;19;20]*-2
>   hostkarma.junkemailfilter.com=127.0.0.1*-2
>   ips.whitelisted.org=127.0.0.2*-2
>   list.dnswl.org=127.0.[0..255].0*-2
>   dnswl.inps.de=127.0.[0;1].[2..10]*-2
>   list.dnswl.org=127.0.[0..255].1*-3
>   list.dnswl.org=127.0.[0..255].2*-4
>   list.dnswl.org=127.0.[0..255].3*-5

Now that I've had a chance to study this, and despite our history, I'd
like to thank you Harald, for this useful information.

I am sure that a number of others present are grateful too. This will
bring peace to many an Inbox.
Re: help with phishing email?
On 12/09/2017 05:40 AM, Rupert Gallagher wrote:
> ...
>
> On Sat, Dec 9, 2017 at 04:24, Jari Fredriksson wrote:
>> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

I would recommend setting the score for SPF_FAIL to a point or two these
days. Major mail hosting providers like Google would have put this email
into the Spam/Junk folder because of the SPF failure.

/etc/mail/spamassassin/local.cf (or zz_scores.cf to make sure it loads
last):

score SPF_FAIL 2.0

I have it score much higher on my SA platform due to other local meta
rules that amplify some good and bad rules.

--
David Jones
Re: help with phishing email?
...

On Sat, Dec 9, 2017 at 04:24, Jari Fredriksson wrote:
> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
Re: help with phishing email?
wow... depending on your geolocation, the phishing text changes and, at
least in Spanish, it is totally correct!! sometimes I have to take my hat
off...

-PedroD
Re: help with phishing email?
> first: before you call me again a fascist just because i don't agree
> with your opinions backed by 10 years professional mailadmin better
> don't give half-thought advice!
>
> On 09.12.2017 at 03:50, Colony.three wrote:
>
>> Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions =
>> ...reject_rbl_client zen.spamhaus.org
>>
> this is a completely wrong and dangerous

Oh? Why didn't you say anything three days ago when another member of
this listserv recommended it, Harald?
Re: help with phishing email?
> Tom Hendrikx wrote on 9.12.2017 at 0.34:
>
> On 08-12-17 19:09, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>>
>> Looking at the raw headers and body it's pretty easy to tell this is a
>> spoof, but when it shows-up in an inbox, it looks pretty good.
>>
>> Something specific to Amazon (where this is purported to come from)
>> would be to check if their domain is in the From and Reply-To and at
>> least score that relatively high if it's not correct - but compared to
>> what? Maybe if From text contains amazon/i and from-address does not
>> end with amazon.com (for me in the US at least)?
>>
>> That feels forced. Does anyone have any suggestions to help me out on
>> this fine Friday?
>>
>
> Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
> you can easily whitelist anything from amazon based on that, and then
> subtract some points for everything that has '\bAmazon\b' in the
> From:name header.
>
> Kind regards,
> Tom

A couple of local rules saved here:

Content analysis details:   (8.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 L_SUOMISPAMRBL         Sender is in #suomispam blocklist
                            [20160519 coinletters1.com]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [69.252.207.24 listed in list.dnswl.org]
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=contact%40email.linushonor.co.uk;ip=69.252.207.24;r=gamecock.fredriksson.dy.fi]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 T_TVD_MIME_NO_HEADERS  BODY: No description available.
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4998]
 1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 1.0 L_FROM_NOT_REPLY       From: and Reply-To: have different domains
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
Re: help with phishing email?
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows-up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what? Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced. Does anyone have any suggestions to help me out on
> this fine Friday?
>
> Thanks,
> AJ

You shouldn't have even received that. Consider setting up your email as
per this guide:

https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/

After 3 months, and two major failures setting up email (not to mention
shattered self-worth), this article series is what finally got me
spinning.

Also in /etc/postfix/main.cf add to smtpd_recipient_restrictions =
...reject_rbl_client zen.spamhaus.org,
Re: help with phishing email?
On Fri, 8 Dec 2017, John Hardin wrote:
> On Fri, 8 Dec 2017, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>
> That appears to be corrupt. I downloaded it and ran it through my
> testbed and it wouldn't decode the body.

Don't know if it was the pastebin, but the MIME headers were mangled.
Fixing those (and removing the space at the beginning of the base64
lines) made it parseable.

It's clearly misleading spam, not sure where the phish is (but then I
didn't go thru their "survey").

There's a bunch of anomalous things about that message:

  3 Message-ID: headers, one of which tries to look like from outlook.com
  2 Reply-To: headers, one of which has a clearly bogus address
  3 Received: from relay167.mysmtp.mobi (relay167.mysmtp.mobi [93.90.117.141]) lines
  MIME-Version: 4.0
  50 blank lines at the start of the message
  borked HTML (mismatched tags, code after the closing tag, etc).

That "http://email dot turnaroundbaby dot be" site looks new & bogus, I
just tossed it in my personal RBL list.

--
Dave Funk
University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: help with phishing email?
On Fri, 8 Dec 2017, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg

That appears to be corrupt. I downloaded it and ran it through my
testbed and it wouldn't decode the body.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org                    FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is
simple. They *must*.  -- Charles Murray
---
7 days until Bill of Rights day
Re: help with phishing email?
On 08-12-17 19:09, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows-up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what? Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced. Does anyone have any suggestions to help me out on
> this fine Friday?
>

Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
you can easily whitelist anything from amazon based on that, and then
subtract some points for everything that has '\bAmazon\b' in the
From:name header.

Kind regards,
Tom
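A SpamAssassin local ruleset that puts Tom's suggestion into practice (trust Amazon mail only when the From: address is in an Amazon domain and the message authenticates, penalize an "Amazon" display name on any other address), plus the SPF_FAIL rescoring David Jones recommends in his reply. This is an added example, not configuration posted by anyone in the thread; the L_-prefixed rule names and the list of Amazon domains are assumptions, while SPF_PASS, SPF_FAIL and DKIM_VALID_AU are stock SpamAssassin rules.

```conf
# /etc/mail/spamassassin/local.cf (or a zz_*.cf file so it loads last)
# Added example; L_ names and the Amazon domain list are assumptions.

# Subrule: the From: display name claims to be Amazon.
header   __L_FROM_NAME_AMAZON   From:name =~ /\bAmazon\b/i

# Subrule: the From: address is in an Amazon-controlled domain
# (assumed list; extend with the regional domains you actually receive from).
header   __L_FROM_ADDR_AMAZON   From:addr =~ /\@(?:[\w-]+\.)*amazon\.(?:com|co\.uk|de|fr|es)$/i

# Genuine Amazon: Amazon address AND a DKIM signature valid for the author
# domain AND SPF pass. Only this combination earns a negative score.
meta     L_AMAZON_AUTH          __L_FROM_ADDR_AMAZON && DKIM_VALID_AU && SPF_PASS
describe L_AMAZON_AUTH          Amazon From: address with author-domain DKIM and SPF pass
score    L_AMAZON_AUTH          -3.0

# Spoof pattern from the sample: display name says Amazon, address does not.
meta     L_AMAZON_FORGED_NAME   __L_FROM_NAME_AMAZON && !__L_FROM_ADDR_AMAZON
describe L_AMAZON_FORGED_NAME   From: display name claims Amazon but address domain does not
score    L_AMAZON_FORGED_NAME   3.0

# Amazon address without authentication: forged envelope, never trust it.
meta     L_AMAZON_UNAUTH        __L_FROM_ADDR_AMAZON && !(DKIM_VALID_AU && SPF_PASS)
describe L_AMAZON_UNAUTH        Amazon From: address without author-domain DKIM and SPF pass
score    L_AMAZON_UNAUTH        2.0

# Give SPF hard failures real weight instead of the stock 0.0.
score    SPF_FAIL               2.0
```

Run `spamassassin --lint` after adding the file; the sample message from the pastebin would hit L_AMAZON_FORGED_NAME and SPF_FAIL and gain 5.0 points from these rules alone.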
Re: help with phishing email?
AJ, I cannot see anything with sense... is the pastebin correct?

-PedroD