Re: Invoice phish

2018-05-17 Thread Rupert Gallagher
On Tue, May 8, 2018 at 22:02, Alex wrote:
> Hi, Does anyone have any special techniques for catching these invoice phish
> emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and
> even despite training previous similar messages as spam, they continue. This

Re: Invoice phish

2018-05-16 Thread Alex
Hi,
>> https://pastebin.com/raw/Fv5NKRAP
>>
>> Anyone able to take a look and provide ideas on how to block them? It
>> passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS.
>>
>> It's missing headers, and I've written a rule to account for that, but
>> it would be great to have some

Re: Invoice phish

2018-05-16 Thread Bill Cole
On 15 May 2018, at 20:27, Alex wrote: Hi, We received another of those phishes as a result of a compromised O365 account. https://pastebin.com/raw/Fv5NKRAP Anyone able to take a look and provide ideas on how to block them? It passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PAS

Re: Invoice phish

2018-05-16 Thread John Hardin
On Tue, 15 May 2018, David B Funk wrote: On Tue, 15 May 2018, Alex wrote: [snip..] Train bayes, look for custom URIBL lists that might hit that powned website. I wasn't referring to the site that was the source of the message but the website that was hosting that PHISH login page. (EG that

Re: Invoice phish

2018-05-16 Thread David Jones
On 05/15/2018 08:26 PM, David B Funk wrote: On Tue, 15 May 2018, Alex wrote: Hi, We received another of those phishes as a result of a compromised O365 account. https://pastebin.com/raw/Fv5NKRAP Anyone able to take a look and provide ideas on how to block them? It passes with DKIM_VALID_AU

Re: Invoice phish

2018-05-16 Thread Benny Pedersen
Alex skrev den 2018-05-16 02:27:
> https://pastebin.com/raw/Fv5NKRAP
reduce whitelist scores
raise scores on spam, for the remaining tags put into corpus testing, to hope scores will begin to score it as spam

Re: Invoice phish

2018-05-15 Thread David B Funk
On Tue, 15 May 2018, Alex wrote: Hi, [snip..] Train bayes, look for custom URIBL lists that might hit that powned website. The IP (216.32.180.23) is listed on sorbs, but that's it, and the domain (peabodyenergy.com) is not listed anywhere. I wasn't referring to the site that was the sour

Re: Invoice phish

2018-05-15 Thread Alex
Hi,
On Tue, May 15, 2018 at 9:26 PM, David B Funk wrote:
> On Tue, 15 May 2018, Alex wrote:
>
>> Hi,
>>
>> We received another of those phishes as a result of a compromised O365
>> account.
>>
>> https://pastebin.com/raw/Fv5NKRAP
>>
>> Anyone able to take a look and provide ideas on how to block

Re: Invoice phish

2018-05-15 Thread David B Funk
On Tue, 15 May 2018, Alex wrote: Hi, We received another of those phishes as a result of a compromised O365 account. https://pastebin.com/raw/Fv5NKRAP Anyone able to take a look and provide ideas on how to block them? It passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS. It'

Re: Invoice phish

2018-05-15 Thread Alex
Hi, We received another of those phishes as a result of a compromised O365 account. https://pastebin.com/raw/Fv5NKRAP Anyone able to take a look and provide ideas on how to block them? It passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS. It's missing headers, and I've written

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 01:32 PM, RW wrote: On Thu, 10 May 2018 09:55:00 -0500 David Jones wrote: On 05/10/2018 09:39 AM, RW wrote: Microsoft has a list of domains it hosts and a list of hosted domains (and/or its own addresses) tied to each account. Given how much reliance MS place on DMARC's preven

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 09:55:00 -0500 David Jones wrote:
> On 05/10/2018 09:39 AM, RW wrote:
> > Microsoft has a list of domains it hosts and a list of hosted
> > domains (and/or its own addresses) tied to each account. Given how
> > much reliance MS place on DMARC's preventing spoofing, and how ea

Re: Invoice phish

2018-05-10 Thread Paul Stead
On 10/05/2018, 15:54, "David Jones" wrote: They do. I saw an example a few weeks ago.
> Paul Stead claims to have seen it, but it's important to positively
> identify it as spoofing and not hacking.
Not sure what the difference is from a mail filtering perspective. From Mi

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 09:39 AM, RW wrote: On Thu, 10 May 2018 13:49:15 +0000 (UTC) Pedro David Marco wrote: David Jones wrote:
> It's not only compromised well-established accounts. Based on the odd domain names I have seen, I am pretty sure that Microsoft allows trials of O365 so spammers are signi

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 13:49:15 +0000 (UTC) Pedro David Marco wrote:
>
> David Jones wrote:
> > It's not only compromised well-established accounts. Based on the odd
> > domain names I have seen, I am pretty sure that Microsoft allows
> > trials of O365 so spammers are signing up and blasting out
> >

Re: Invoice phish

2018-05-10 Thread Pedro David Marco
David Jones wrote:
> It's not only compromised well-established accounts. Based on the odd
> domain names I have seen, I am pretty sure that Microsoft allows trials
> of O365 so spammers are signing up and blasting out junk/phishing emails
> until they are discovered. These spammers can spoof an

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 12:48:29 +0000 Paul Stead wrote:
> On 10/05/2018, 13:46, "David Jones" wrote:
>
> > Do you have a reason to think that that's possible?
> > It doesn't seem very likely, but there are some default whitelist
> > entries that should go if it is.
>
> Anyone on O365

Re: Invoice phish

2018-05-10 Thread Paul Stead
On 10/05/2018, 13:46, "David Jones" wrote:
> Do you have a reason to think that that's possible?
> It doesn't seem very likely, but there are some default whitelist
> entries that should go if it is.
Which part is possible? The trial accounts blasting spam or the toysrus.com

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 07:37 AM, RW wrote: On Thu, 10 May 2018 06:50:46 -0500 David Jones wrote: I am pretty sure that Microsoft allows trials of O365 so spammers are signing up and blasting out junk/phishing emails until they are discovered. These spammers can spoof anyone on O365 like toysrus.com an

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 06:50:46 -0500 David Jones wrote:
> I am pretty sure that Microsoft allows
> trials of O365 so spammers are signing up and blasting out
> junk/phishing emails until they are discovered. These spammers can
> spoof anyone on O365 like toysrus.com and the SPF checks will pass.

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 05:16 AM, Rupert Gallagher wrote: On Thu, May 10, 2018 at 00:54, David B Funk <dbf...@engineering.uiowa.edu> wrote:
> 4) Less technical sophistication of the server side filtering VS google
Both Google and Microsoft deliver a product for the masses. They are a McDonald's

Re: Invoice phish

2018-05-10 Thread RW
On Tue, 8 May 2018 16:02:32 -0400 Alex wrote:
> Hi,
> Does anyone have any special techniques for catching these invoice
> phish emails?
>
> https://pastebin.com/raw/TfvhUu0X
I think this may be worth a try:
uri_detail INSECURE_INVOICE_LINK text =~ /\binvoices?\b/i cleaned=~

Re: Invoice phish

2018-05-10 Thread Rupert Gallagher
On Thu, May 10, 2018 at 00:54, David B Funk wrote:
> 4) Less technical sophistication of the server side filtering VS google
Both Google and Microsoft deliver a product for the masses. They are a McDonald's after all: you get the quality that you pay for. Google rejects messages with either fai

Re: Invoice phish

2018-05-09 Thread David B Funk
On Wed, 9 May 2018, Vincent Fox wrote: I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students, bzzzt. It’s the O365 users, by a large margin. Faculty and staff should be best trained. Also protected by

Re: Invoice phish

2018-05-09 Thread Vincent Fox
I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students, bzzzt. It’s the O365 users, by a large margin. Faculty and staff should be best trained. Also protected by “Advanced Threat Protection”. Sent from m

Re: Invoice phish

2018-05-09 Thread Rupert Gallagher
So "free" here refers to something else than paid for service. What does it refer to then? Perhaps FREEMAIL is best renamed as CAMP, for Commonly Abused Mail Provider.
On Wed, May 9, 2018 at 13:37, David Jones wrote:
> On 05/09/2018 03:03 AM, Rupert Gallagher wrote:
> Is O365 freemail now? Fre

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 12:39 PM, Alex wrote: Hi,
header __RCVD_OFFICE365 Received =~ /\.outbound\.protection\.outlook\.com \[/
header __RCVD_OFFICE365_PROXY X-ClientProxiedBy =~ /\.outlook\.com \(/
header __OFFICE365_TRUST_ORG X-OriginatorOrg =~ /^(ena\.com|example\.com)/
You've

Re: Invoice phish

2018-05-09 Thread Alex
Hi,
>>> header __RCVD_OFFICE365 Received =~
>>> /\.outbound\.protection\.outlook\.com \[/
>>> header __RCVD_OFFICE365_PROXY X-ClientProxiedBy =~
>>> /\.outlook\.com \(/
>>>
>>> header __OFFICE365_TRUST_ORG X-OriginatorOrg =~
>>> /^(ena\.com|example\.com)/
>>
>>
>> You've s

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 10:59 AM, Alex wrote: Hi, https://pastebin.com/raw/TfvhUu0X ... What I have had to do is basically increase the score on all invoice emails to try to block the bad ones and then whitelist the good ones. That email was BCC'd which is another suspicious trait which is why I bump

Re: Invoice phish

2018-05-09 Thread John Hardin
On Wed, 9 May 2018, Alex wrote: Hi, Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as spam, they continue. These emails very cl

Re: Invoice phish

2018-05-09 Thread Kris Deugau
David Jones wrote: One more thing. I have expanded my definition of FREEMAIL to any Google and Office 365 senders like this:
header __RCVD_YAHOO Received =~ /\.yahoo\.com \[/
header __RCVD_HOTMAIL Received =~ /\.hotmail\.com \[/
header __RCVD_GOO

Re: Invoice phish

2018-05-09 Thread Alex
Hi,
>> Hi,
>> Does anyone have any special techniques for catching these invoice phish
>> emails?
>>
>> https://pastebin.com/raw/TfvhUu0X
>>
>> I've added a few body rules, and even despite training previous
>> similar messages as spam,

Re: Invoice phish

2018-05-09 Thread Alex
Hi,
>> https://pastebin.com/raw/TfvhUu0X
>> ...
> What I have had to do is basically increase the score on all invoice emails
> to try to block the bad ones and then whitelist the good ones.
>
> That email was BCC'd which is another suspicious trait which is why I bump
> up the score for MISSING H

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 10:02 AM, Alex wrote: Hi, One more thing. I have expanded my definition of FREEMAIL to any Google and Office 365 senders like this:
header __RCVD_YAHOO Received =~ /\.yahoo\.com \[/
header __RCVD_HOTMAIL Received =~ /\.hotmail\.com \[/
heade

Re: Invoice phish

2018-05-09 Thread Alex
Hi,
> One more thing. I have expanded my definition of FREEMAIL to any Google and
> Office 365 senders like this:
>
> header __RCVD_YAHOO Received =~ /\.yahoo\.com \[/
> header __RCVD_HOTMAIL Received =~ /\.hotmail\.com \[/
> header __RCVD_GOOGLE

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 03:03 AM, Rupert Gallagher wrote: Is O365 freemail now? Free from Microsoft is an oxymoron. If you look at the comments in the rule files (20_freemail_domains.cf) you will find that FREEMAIL is actually any mail provider that is commonly abused and often sends spam. O365 does f

Re: Invoice phish

2018-05-09 Thread Rupert Gallagher
Is O365 freemail now? Free from Microsoft is an oxymoron.

Re: Invoice phish

2018-05-08 Thread David Jones
On 05/08/2018 03:47 PM, David Jones wrote: On 05/08/2018 03:02 PM, Alex wrote: Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as

Re: Invoice phish

2018-05-08 Thread David Jones
On 05/08/2018 03:02 PM, Alex wrote: Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as spam, they continue. These emails very closely res

Re: Invoice phish

2018-05-08 Thread David Jones
On 05/08/2018 03:02 PM, Alex wrote: Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as spam, they continue. These emails very closely res

Re: Invoice phish

2018-05-08 Thread John Hardin
On Tue, 8 May 2018, Alex wrote: Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as spam, they continue. These emails very closely res

Invoice phish

2018-05-08 Thread Alex
Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as spam, they continue. These emails very closely resemble legitimate email regarding inv