> Tom Hendrikx <t...@whyscream.net> wrote on 9.12.2017 at 0.34:
> 
> On 08-12-17 19:09, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>> 
>> https://pastebin.com/hCX9MWNg
>> 
>> Looking at the raw headers and body it's pretty easy to tell this is a
>> spoof, but when it shows-up in an inbox, it looks pretty good.
>> 
>> Something specific to Amazon (where this is purported to come from)
>> would be to check if their domain is in the From and Reply-To and at
>> least score that relatively high if it's not correct - but compared to
>> what?  Maybe if From text contains amazon/i and from-address does not
>> end with amazon.com (for me in the US at least)?
>> 
>> That feels forced.  Does anyone have any suggestions to help me out on
>> this fine Friday?
>> 
> 
> Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So
> you can easily whitelist anything from amazon based on that, and then
> subtract some points for everything that has '\bAmazon\b' in the
> From:name header.
> 
> Kind regards,
>       Tom

A couple of local rules saved here:

Content analysis details:   (8.2 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
2.5 L_SUOMISPAM            RBL: Sender is in #suomispam blocklist
                       [20160519 coinletters1.com]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                       trust
                       [69.252.207.24 listed in list.dnswl.org]
0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                       [SPF failed: Please see
                       http://www.openspf.org/Why?s=mfrom;id=contact%40email.linushonor.co.uk;ip=69.252.207.24;r=gamecock.fredriksson.dy.fi]
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                       domains are different
0.0 T_TVD_MIME_NO_HEADERS  BODY: No description available.
0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                       [score: 0.4998]
1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
1.0 L_FROM_NOT_REPLY       From: and Reply-To: have different domains
0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
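The two checks discussed in this thread (Tom's "trust Amazon only when SPF/DKIM/DMARC pass, penalise a bare 'Amazon' From name otherwise" and the local L_FROM_NOT_REPLY / stock HEADER_FROM_DIFFERENT_DOMAINS second-level-domain comparisons) are shown below as an added Python example. It is not code from the list, from SpamAssassin, or from either poster; it mirrors the logic in plain Python rather than SpamAssassin rule syntax, reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header assumed to be written by a trusted MTA, and the AMAZON_DOMAINS set, the rule names, the scores, the small MULTI_LABEL_SUFFIXES set and the three sample messages are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# SpamAssassin's HEADER_FROM_DIFFERENT_DOMAINS compares "2nd level mail domains".
# A naive "last two labels" split would treat a.co.uk and b.co.uk as the same
# domain (co.uk), so a real deployment should use the public suffix list; the
# set below is a small hand-picked subset (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Domains genuine Amazon mail is accepted from (assumption; extend per region).
AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de"}


def second_level(domain):
    """Return the registrable (2nd level) domain, e.g. bounces.amazon.com -> amazon.com."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Domain part of the first address in a header value, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_pass(msg, method):
    """True if any Authentication-Results header reports <method>=pass (spf|dkim|dmarc)."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"\b" + method + r"=(\w+)", ar)
        if m and m.group(1).lower() == "pass":
            return True
    return False


def score_message(raw):
    """Return ({rule_name: score}, total) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw)
    hits = {}
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = addr_domain(msg.get("Reply-To"))
    env_dom = addr_domain(msg.get("Return-Path"))  # envelope sender

    # Tom's suggestion, part 1: genuine Amazon passes SPF, DKIM and DMARC -> whitelist.
    if from_dom in AMAZON_DOMAINS and all(auth_pass(msg, m) for m in ("spf", "dkim", "dmarc")):
        hits["L_AMAZON_AUTH"] = -10.0
    # Part 2: "Amazon" in the From display name but not on an Amazon domain.
    if re.search(r"\bAmazon\b", from_name, re.I) and from_dom not in AMAZON_DOMAINS:
        hits["L_AMAZON_LOOKALIKE"] = 3.0
    # The responder's local L_FROM_NOT_REPLY: From: and Reply-To: differ at 2nd level.
    if reply_dom and second_level(reply_dom) != second_level(from_dom):
        hits["L_FROM_NOT_REPLY"] = 1.0
    # Stock HEADER_FROM_DIFFERENT_DOMAINS (scored 0.0 in the report above).
    if env_dom and second_level(env_dom) != second_level(from_dom):
        hits["HEADER_FROM_DIFFERENT_DOMAINS"] = 0.0
    return hits, sum(hits.values())


# Constructed sample messages (not the pastebin message from the thread).
SPOOF = """\
Return-Path: <bounce@mailer-farm.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer-farm.example
From: "Amazon.com" <account-update@shop-notice.example>
Reply-To: <verify@reply-collector.example>
Subject: Your order has shipped

Please confirm your details.
"""

GENUINE = """\
Return-Path: <bounces@bounces.amazon.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces.amazon.com;
 dkim=pass header.d=amazon.com; dmarc=pass header.from=amazon.com
From: "Amazon.com" <ship-confirm@amazon.com>
Subject: Your order has shipped

Thanks for your order.
"""

# Exercises the ccTLD case: retailer.co.uk vs other-shop.co.uk must count as different.
CCTLD = """\
Return-Path: <news@retailer.co.uk>
From: "Retailer" <news@retailer.co.uk>
Reply-To: <help@other-shop.co.uk>
Subject: Newsletter

Hello.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("genuine", GENUINE), ("cctld", CCTLD)):
        hits, total = score_message(raw)
        print(label, total, hits)
```

The whitelist branch only fires when all three of spf, dkim and dmarc report pass and the From address is on an Amazon domain, which is the condition Tom describes; the lookalike and Reply-To checks then add points only to mail that failed that test, so a genuine Amazon message with "Amazon.com" as its display name is never penalised by the name match.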
