Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Reio Remma
On 10.05.2018 22:23, Reindl Harald wrote: On 10.05.2018 at 21:11, Reio Remma wrote: Apparently it happens only if I use my Gmail account via IMAP, but not when I mailed from their webmail for testing. you don't send with IMAP - it's SMTP Indeed, I realized my mistake right after posting. By

Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Benny Pedersen
Reio Remma wrote on 2018-05-10 21:11: I just noticed if I mail myself via my Gmail account, I'm hitting FORGED_GMAIL_RCVD. Apparently it happens only if I use my Gmail account via IMAP, but not when I mailed from their webmail for testing. Should that be so? I suspect it's the following that

Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Giovanni Bechis
On 05/10/18 21:11, Reio Remma wrote: > Hello! > > I just noticed if I mail myself via my Gmail account, I'm hitting > FORGED_GMAIL_RCVD. > > Apparently it happens only if I use my Gmail account via IMAP, but not when I > mailed from their webmail for testing. > > Should that be so? I suspect

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 01:32 PM, RW wrote: On Thu, 10 May 2018 09:55:00 -0500 David Jones wrote: On 05/10/2018 09:39 AM, RW wrote: Microsoft has a list of domains it hosts and a list of hosted domains (and/or its own addresses) tied to each account. Given how much reliance MS place on DMARC's

FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Reio Remma
Hello! I just noticed if I mail myself via my Gmail account, I'm hitting FORGED_GMAIL_RCVD. Apparently it happens only if I use my Gmail account via IMAP, but not when I mailed from their webmail for testing. Should that be so? I suspect it's the following that trips it: Return-Path:

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 09:55:00 -0500 David Jones wrote: > On 05/10/2018 09:39 AM, RW wrote: > > Microsoft has a list of domains it hosts and a list of hosted > > domains (and/or its own addresses) tied to each account. Given how > > much reliance MS place on DMARC's preventing spoofing, and how

Re: training bayes database

2018-05-10 Thread David B Funk
On Thu, 10 May 2018, John Hardin wrote: On Thu, 10 May 2018, Matthew Broadhead wrote: On 09/05/18 20:43, David Jones wrote: On 05/09/2018 01:29 PM, Matthew Broadhead wrote: On 09/05/18 16:37, Reindl Harald wrote: quoting URIBL_BLOCKED is a joke - setup a *recursion* *non-forwarding*

Re: training bayes database

2018-05-10 Thread John Hardin
On Thu, 10 May 2018, Matthew Broadhead wrote: On 09/05/18 20:43, David Jones wrote: On 05/09/2018 01:29 PM, Matthew Broadhead wrote: On 09/05/18 16:37, Reindl Harald wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: it looks like it is working.  so maybe it is just not flagging or

Re: Invoice phish

2018-05-10 Thread Paul Stead
On 10/05/2018, 15:54, "David Jones" wrote: They do. I saw an example a few weeks ago. >Paul Stead claims to have seen it, but it's important to positively >identify it as spoofing and not hacking. Not sure what the difference is from a mail filtering

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 09:39 AM, RW wrote: On Thu, 10 May 2018 13:49:15 + (UTC) Pedro David Marco wrote: David Jones wrote:>It's not only compromised well-established accounts.  Based on the odd domain names I have seen, I am pretty sure that Microsoft allows trials of O365 so spammers are

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 13:49:15 + (UTC) Pedro David Marco wrote: > > David Jones wrote:>It's not only compromised well-established > accounts.  Based on the odd > >domain names I have seen, I am pretty sure that Microsoft allows > >trials of O365 so spammers are signing up and blasting out >

Re: training bayes database

2018-05-10 Thread Reio Remma
On 10.05.18 15:23, David Jones wrote: On 05/10/2018 07:12 AM, Reio Remma wrote: On 10.05.18 15:08, David Jones wrote: On 05/10/2018 07:02 AM, Reio Remma wrote: On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've

Re: Invoice phish

2018-05-10 Thread Pedro David Marco
David Jones wrote:>It's not only compromised well-established accounts.  Based on the odd >domain names I have seen, I am pretty sure that Microsoft allows trials >of O365 so spammers are signing up and blasting out junk/phishing emails >until they are discovered.  These spammers can spoof

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 12:48:29 + Paul Stead wrote: > On 10/05/2018, 13:46, "David Jones" wrote: > > >Do you have a reason to think that that's possible? > >It doesn't seem very likely, but there are some default whitelist > >entries that should go if it is. > >

Re: Invoice phish

2018-05-10 Thread Paul Stead
On 10/05/2018, 13:46, "David Jones" wrote: >Do you have a reason to think that that's possible? >It doesn't seem very likely, but there are some default whitelist >entries that should go if it is. Which part is possible? The trial accounts blasting spam or

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 07:37 AM, RW wrote: On Thu, 10 May 2018 06:50:46 -0500 David Jones wrote: I am pretty sure that Microsoft allows trials of O365 so spammers are signing up and blasting out junk/phishing emails until they are discovered. These spammers can spoof anyone on O365 like toysrus.com

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 06:50:46 -0500 David Jones wrote: > I am pretty sure that Microsoft allows > trials of O365 so spammers are signing up and blasting out > junk/phishing emails until they are discovered. These spammers can > spoof anyone on O365 like toysrus.com and the SPF checks will pass.

Re: training bayes database

2018-05-10 Thread David Jones
On 05/10/2018 07:12 AM, Reio Remma wrote: On 10.05.18 15:08, David Jones wrote: On 05/10/2018 07:02 AM, Reio Remma wrote: On 10.05.18 14:58, Matus UHLAR - fantomas wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: i guess my dns is set to use my isp's dns server.  do i need to set up

Re: training bayes database

2018-05-10 Thread Matus UHLAR - fantomas
On 09.05.2018 at 16:28, Matthew Broadhead wrote: i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup? On 09/05/18 20:43,

Re: training bayes database

2018-05-10 Thread Reio Remma
On 10.05.18 15:08, David Jones wrote: On 05/10/2018 07:02 AM, Reio Remma wrote: On 10.05.18 14:58, Matus UHLAR - fantomas wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my

Re: training bayes database

2018-05-10 Thread David Jones
On 05/10/2018 07:02 AM, Reio Remma wrote: On 10.05.18 14:58, Matus UHLAR - fantomas wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: i guess my dns is set to use my isp's dns server.  do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more

Re: training bayes database

2018-05-10 Thread Reio Remma
On 10.05.18 14:58, Matus UHLAR - fantomas wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should

Re: training bayes database

2018-05-10 Thread Matus UHLAR - fantomas
On 09.05.2018 at 16:28, Matthew Broadhead wrote: i guess my dns is set to use my isp's dns server.  do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup? On 09/05/18 20:43,

Re: Invoice phish

2018-05-10 Thread David Jones
On 05/10/2018 05:16 AM, Rupert Gallagher wrote: On Thu, May 10, 2018 at 00:54, David B Funk wrote: 4) Less technical sophistication of the server side filtering VS google Both Google and Microsoft deliver a product for

Re: Invoice phish

2018-05-10 Thread RW
On Tue, 8 May 2018 16:02:32 -0400 Alex wrote: > Hi, > Does anyone have any special techniques for catching these invoice > phish emails? > > https://pastebin.com/raw/TfvhUu0X I think this may be worth a try: uri_detail INSECURE_INVOICE_LINK text =~ /\binvoices?\b/i cleaned =~ /http:/i It's

Re: Invoice phish

2018-05-10 Thread Rupert Gallagher
On Thu, May 10, 2018 at 00:54, David B Funk wrote: > 4) Less technical sophistication of the server side filtering VS google Both Google and Microsoft deliver a product for the masses. They are a mcdonald after all: you get the quality that you pay for. Google

Re: training bayes database

2018-05-10 Thread Matthew Broadhead
On 09/05/18 20:43, David Jones wrote: On 05/09/2018 01:29 PM, Matthew Broadhead wrote: On 09/05/18 16:37, Reindl Harald wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: it looks like it is working.  so maybe it is just not flagging or moving the spam? in a different post you showed