Re: X-Originating-IP a received header?

2021-02-23 Thread RW
On Tue, 23 Feb 2021 13:41:58 -0800 (PST) John Hardin wrote: > On Tue, 23 Feb 2021, Dan Malm wrote: > > > On 2021-02-23 16:29, John Hardin wrote: > >> On Tue, 23 Feb 2021, Dan Malm wrote: > >>> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com > >>> [ ]) > >>> by mailrelay3

Re: Phishing campaign using email address to personalize URL

2021-02-23 Thread John Hardin
On Tue, 23 Feb 2021, Ricky Boone wrote: Seeing an interesting phishing campaign that appears to be personalizing components of the message and URL endpoints to potentially get around blacklists and other filters. Unfortunately I can't share the exact example publicly without effectively

Re: X-Originating-IP a received header?

2021-02-23 Thread John Hardin
On Tue, 23 Feb 2021, Dan Malm wrote: On 2021-02-23 16:29, John Hardin wrote: On Tue, 23 Feb 2021, Dan Malm wrote: On 2021-02-19 16:13, John Hardin wrote: On Fri, 19 Feb 2021, Dan Malm wrote: I have a system that received mail from a webmail product that adds a X-Originating-IP header with

Re: Phishing campaign using email address to personalize URL

2021-02-23 Thread Benny Pedersen
On 2021-02-23 20:51, Ricky Boone wrote: * Examples I'm seeing have nearly blank message, and an HTML attachment with a JavaScript window.location.href redirect related to the attacker URL. * Attacker is leveraging SendGrid i have local clamav signature to catch html attachment inspiration

Phishing campaign using email address to personalize URL

2021-02-23 Thread Ricky Boone
Seeing an interesting phishing campaign that appears to be personalizing components of the message and URL endpoints to potentially get around blacklists and other filters. Unfortunately I can't share the exact example publicly without effectively recreating the email, but here's a summary of

Re: X-Originating-IP a received header?

2021-02-23 Thread Benny Pedersen
On 2021-02-23 16:14, Dan Malm wrote: X-Originating-IP: 46.30.211.29 User-Agent: One.com webmail 39.4.34 Message-ID: <161373401.26136.389428@webmail1> this ip is not pbl listed if it was i would meta rule it

Re: X-Originating-IP a received header?

2021-02-23 Thread Dan Malm
On 2021-02-23 16:29, John Hardin wrote: > On Tue, 23 Feb 2021, Dan Malm wrote: > >> On 2021-02-19 16:13, John Hardin wrote: >>> On Fri, 19 Feb 2021, Dan Malm wrote: >>> I have a system that received mail from a webmail product that adds a X-Originating-IP header with the IP of the

Re: X-Originating-IP a received header?

2021-02-23 Thread John Hardin
On Tue, 23 Feb 2021, Dan Malm wrote: On 2021-02-19 16:13, John Hardin wrote: On Fri, 19 Feb 2021, Dan Malm wrote: I have a system that received mail from a webmail product that adds a X-Originating-IP header with the IP of the webmail user. Since Spamassassin for some reason considers that

Re: X-Originating-IP a received header?

2021-02-23 Thread Dan Malm
On 2021-02-19 16:13, John Hardin wrote: > On Fri, 19 Feb 2021, Dan Malm wrote: > >> I have a system that received mail from a webmail product that adds a >> X-Originating-IP header with the IP of the webmail user. >> >> Since Spamassassin for some reason considers that to be a >> Received-header

Re: Catch subtly-different Reply-To domain

2021-02-23 Thread Dominic Raferd
On 22/02/2021 15:45, Dominic Raferd wrote: On 22/02/2021 15:05, RW wrote: On Sun, 21 Feb 2021, Dominic Raferd wrote: Michael's suggestion is interesting. There is a github project allowing Levenshtein numbers to be calculated and used in SA, I will see if there is a way to apply it in this