The email below slipped through my spam filter.

It has malicious content attached which purports to be a voicemail from Comcast (I've snipped the attachment from the example) but it is actually a phishing attack. The attachment contains a link that goes to a web page at an obscure domain that prompts you to log into your Comcast account.

As you can see by the headers, this email was well-trusted by SA with a score of -2.7.

I don't think I can rely much on Bayes filtering for these kinds of emails since the body has so little text (or do I make a bad assumption here?). And to my untrained eye, the only thing that looks suspicious is line 40, which says: "smtprelay.hostedemail.com".

So what's the giveaway that this is spam and what rule can I add to get SA to recognize it as such? And what is the best way for me to learn how to analyze the headers so I can recognize spam myself? Any good tutorials for this?



  1 Return-Path: <[email protected]>
  2 Delivered-To: [email protected]
  3 Received: from email.example.org
  4         by email.example.org with LMTP
  5         id EkqVDIVdYGCceQAAW5pcLQ
  6         (envelope-from <[email protected]>)
  7         for <[email protected]>; Sun, 28 Mar 2021 06:42:13 -0400
  8 Received: by email.example.org (Postfix, from userid 115)
  9         id 2489422533; Sun, 28 Mar 2021 06:42:13 -0400 (EDT)
 10 Authentication-Results: email.example.org;
 11         dkim=pass (2048-bit key; secure) header.d=comcast.net [email protected] header.b="PSvQlJTc";
 12         dkim-atps=neutral
 13 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on email.example.org
 14 X-Spam-Level:
 15 X-Spam-Status: No, score=-2.7 required=4.0 tests=BAYES_50,DKIM_SIGNED,
 16         DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,INVALID_MSGID,
 17         MSGID_FROM_MTA_HEADER,OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_HI,
 18         RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
 19         autolearn_force=no version=3.4.2
 20 Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=96.114.154.164; helo=resqmta-po-05v.sys.comcast.net; [email protected]; receiver=<UNKNOWN>
 21 Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [96.114.154.164])
 22         (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 23         (No client certificate requested)
 24         by email.example.org (Postfix) with ESMTPS id F22E6215BD
 25         for <[email protected]>; Sun, 28 Mar 2021 06:42:11 -0400 (EDT)
 26 Received: from resimta-po-42v.sys.comcast.net ([96.114.154.212])
 27         by resqmta-po-05v.sys.comcast.net with ESMTP
 28         id QSrxlUJdvoWleQSrxlMdfB; Sun, 28 Mar 2021 10:42:09 +0000
 29 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net;
 30         s=20190202a; t=1616928129;
 31         bh=vkwV5ud3feChWZLQsYrnwAqC5q/gOtq5c2+sZwvKGUI=;
 32         h=Received:Received:Message-ID:Received:Received:From:Subject:To:
 33          Content-Type:MIME-Version:Date;
 34         b=PSvQlJTcBWsdJnqw5X2ghcFhFC/KDs9orh5uzVOpepDAf2rxUTc3bG03diY25hkLB
 35          fKraMiHrMsG0UjujPtZPBZ10Wvs+b/pCliySBbDhG4hPak0kJwkoe8INCCabIiNkCc
 36          8LcCU2x8x5mK0WrbPxGQatIXplKMnAjK7Tr/v27aGvxFxfBjkeDL7DrG6AHNvjtv+P
 37          N8/WmgYIX2MldH9NM5DFb1OIsENAGdRT2SQnBW+t67wJ9JvIl6D8ZpAXLK0Ra8rrZw
 38          GbL3gsz49PAoDxAJTuMpWnvmef6J7o/xwV98mMj9s0Dyk3Y+IF2xtoz6CVzDjK/nHy
 39          7YHOQjMWIrXJQ==
 40 Received: from smtprelay.hostedemail.com ([216.40.44.63])
 41         by resimta-po-42v.sys.comcast.net with ESMTP
 42         id QSrwlZX7FX3qEQSrwlyoxt; Sun, 28 Mar 2021 10:42:08 +0000
43 X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgeduledrudehiedgfeduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvehomhgtrghsthdqtfgvshhinecuuegrihhlohhuthemuceftddunecuogfntfdquehouhhnugdqtfefvdculdehmdenucfjughrpefhuffvtgggffesmhdttdertddttdenucfhrhhomhepfdgiqdfhlhfplhfvjggtohhmtggrshhtvhhoihgtvghmrghilhgprhgvfhdrnhhotddujfffufestghomhgtrghsthdrnhgvthdfuceoigdqhfhlpfhlvfgjtghomhgtrghsthhvohhitggvmhgrihhlpghrvghfrdhnohdtudfjfffusegtohhmtggrshhtrdhnvgh tqeenucggtffrrghtthgvrhhnpeduvddtkeduleehvdejkeeludfhhffghefhgeegjeefgeejveeiuedtgfeitdelieenucfkphepvdduiedrgedtrdeggedrieefpdeivddrudekvddrleelrdelgeenucevlhhushhtvghrufhiiigvpeefnecurfgrrhgrmhephhgvlhhopehsmhhtphhrvghlrgihrdhhohhsthgvuggvmhgrihhlrdgtohhmpdhinhgvthepvdduiedrgedtrdeggedrieefpdhmrghilhhfrhhomhepgidqfhhlnhhlthihtghomhgtrghsthhvohhitggvmhgrihhlpghrvghfrdhnohdtudhhughssegtohhmtggrshhtrdhnvghtpdhrtghpthhtohepihgsvgifgeehheestghomhgtrg hsthdrnhgvthdprhgtphhtthhopehofhhfihgtvgesihgsvgifgeehhedrohhrgh
 44 X-Xfinity-VMeta: sc=5.00;st=legit
 45 X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=4;DMARC=F
 46 Message-ID: qsrwlzx7fx3qeqsrwlyoxt.1616928128.bcb9cc98f861a2c7a8b119d18ed7fa74.missin...@comcast.net
 47 Received: from omf14.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60])
 48         by smtprelay03.hostedemail.com (Postfix) with ESMTP id 03D8F837F24D
 49         for <[email protected]>; Sun, 28 Mar 2021 10:42:08 +0000 (UTC)
 50 Received: from DESKTOP-TNPBEGP (unknown [62.182.99.94])
 51         (Authenticated sender: [email protected])
 52         by omf14.hostedemail.com (Postfix) with ESMTPA id 332FB268E40
 53         for <[email protected]>; Sun, 28 Mar 2021 10:42:06 +0000 (UTC)
 54 From: "[email protected]"
 55  <[email protected]>
 56 Subject: Re:
 57 To: [email protected]
 58 Content-Type: multipart/mixed; boundary="3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0"
 59 MIME-Version: 1.0
 60 Date: Sun, 28 Mar 2021 11:42:06 +0100
 61 X-Antivirus: avast! (VPS 200331-6, 03/31/2020), Outbound message
 62 X-Antivirus-Status: Clean
 63 X-Rspamd-Server: rspamout03
 64 X-Rspamd-Queue-Id: 332FB268E40
 65 X-Stat-Signature: srieurr5dxcfhswsun6zh94m7jszub5d
 66 X-HE-Tag: 1616928126-260672
 67
 68 This is a multi-part message in MIME format
 69
 70 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
 71 Content-Type: multipart/alternative;
 72         boundary="3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1"
 73
 74 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1
 75 Content-Type: text/plain
 76 Content-Transfer-Encoding: quoted-printable
 77
 78 - This mail is in HTML. Some elements may be ommited in plain text. -
 79
 80 You have voicemail. Transcript attached. "View" it
 81
 82 ---March 28---
 83
 84 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1
 85 Content-Type: text/html
 86 Content-Transfer-Encoding: quoted-printable
 87
 88 <HTML><HEAD></HEAD>
 89 <BODY>
 90 <P>You have voicemail.&nbsp;Transcript attached. "View" it </P>
 91 <P>&nbsp;</P>
 92 <P>---March 28---</P></BODY></HTML>
 93
 94 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA1--
 95
 96 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
 97 Content-Type: application/octet-stream;
 98         name="Xf.txt"
 99 Content-Transfer-Encoding: base64
100 Content-Disposition: attachment;
101         filename="Xf.txt"
102
103 RGVhciB1c2VyLA0KDQpZb3VyIHZvaWNlbWFpbCBpcyBpbnNpZGUgdGhlIG90aGVyIGF0dGFjaG1l
104 bnQuDQoNClRoYW5rIHlvdSwNClhmaW5pdHkgTWFuYWdlbWVudA==
105
106 --3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
107 Content-Type: application/octet-stream;
108         name="Mar-28 Voicemail.eml"
109 Content-Transfer-Encoding: base64
110 Content-Disposition: attachment;
111         filename="Mar-28 Voicemail.eml"
112
113 <SNIP>
