Getting lots of twits sending out phishing emails 'from' twitter.com
(the spam looks good, the only thing they change is the a href in the email; other than that, it's exactly the twitter mail)

Twitter DKIM signs all their emails (and they come from postmaster.twitter.com, NOT twitter.com)

I thought this rule would only trigger if the email was not properly signed:
(I have a properly dkim signed email. one that SA likes and that hits rule DKIM_VALID )

but it also hits DKIM_ADSP_DISCARD

I have this rule in place:
adsp_override postmaster.twitter.com

but I thought it only triggers if the email is NOT properly signed.
<http://search.cpan.org/dist/Mail-SpamAssassin/lib/Mail/SpamAssassin/Plugin/DKIM.pm>
" Note that ADSP (published or overridden) is only consulted for messages which do not contain a valid DKIM signature from the author's domain."
(it's an email from twitter, a real one; it's signed and it passes!)

and despite the documentation:
"if this argument starts by a "*." (or is a sole "*"), author's domain matches if it is a subdomain (to one or more levels) of the argument. Otherwise (with no leading asterisk) the match must be exact (not a subdomain)."

this
adsp_override *.twitter.com

isn't the same as this:
adsp_override *twitter.com

adsp_override *.twitter.com matches postmaster.twitter.com; *twitter.com doesn't.

I'm afraid there is too much information in the 'password reset' email to post on pastebin. If I munge it, DKIM won't pass, but if someone I know wants to look at it, I can tarball it up.

headers: (without the override rule in place)

X-Spam-Status: No, score=4.292 tag=-999 tag2=5 kill=10 tests=[BAYES_50=0.8,
        BR_SPAMMER_URI=0.001, DCC_CHECK=1.1, DCC_REPUT_70_89=0.1,
        DKIM_SIGNED=1, DKIM_VALID=-1, HTML_MESSAGE=0.001,
        RCVD_IN_DNSWL_LOW=-0.7, RELAY_COUNTRY_US=0.001, SPF_PASS=-0.001,
        ST_CAMPAIGN_ID=1, ST_SFH_TWITTER=2, T_RP_MATCHES_RCVD=-0.01]
        autolearn=no
Received: from mx001.twitter.com (mx001.twitter.com [128.121.146.150])
        by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 076442B7C6A
        for <redac...@secnap.com>; Thu, 22 Apr 2010 14:38:36 -0400 (EDT)
Received: from twitter.com (localhost [127.0.0.1])
        by mx001.twitter.com (Postfix) with ESMTP id 0F713846091
        for <redac...@secnap.com>; Thu, 22 Apr 2010 18:38:34 +0000 (UTC)
X-DKIM: Sendmail DKIM Filter v2.8.2 mx001.twitter.com 0F713846091
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;
        t=1271961514; i...@twitter.com; bh=T4bdOYF1fyVUT+o7vZmkItD4rN8=;
        h=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version:
         Content-Type;
        b=ZQgZWgQ7MccFNX8mC01jMy093HhXafdzm937BCXsOYK/sIYbCWZZtCS80HAPDRRQA
         /Nz+UMCN5tuo5W1pnxEvTqkCL/eLBEHxK5SNpg6u3TFziLKJYHwHxwSsTYsWk543Wb
         zDGrOHuvU/NpeOuQt7lTBOs6Z0yYLQzbXiEl9Xr8=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 mx001.twitter.com 0F713846091
DomainKey-Signature: a=rsa-sha1; s=default; d=twitter.com; c=simple; q=dns;
        b=Lp/HK6xAFztfHGVIjE4WPtr5hARDgNocvTbyRktTax/86x5G4sEv2e27prSij0KaB
        n8WCyazvCFkae/M3HCaZw==
Date: Thu, 22 Apr 2010 18:38:34 +0000
From: Twitter <twitter-resetpw-twitter=domain....@postmaster.twitter.com>
Reply-To: nore...@postmaster.twitter.com
To: redac...@secnap.com
Message-Id: <4bd097aadfce_30c45526a989198...@mx001.twitter.com.tmail>
Subject: Reset your Twitter password
Mime-Version: 1.0

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ ______________________________________________________________________
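Two things in the quoted headers decide the behaviour described in the post, and the following script models both. It is an added example, not SpamAssassin's own code. First, per RFC 5617 section 2.7 an "Author Domain Signature" is a valid signature whose d= is the same as the From: domain; here d=twitter.com while the author domain is postmaster.twitter.com, so the signature is valid (DKIM_VALID) but not an author domain signature, and ADSP is consulted exactly as the DKIM.pm sentence quoted above says. Second, the adsp_override domain matching follows the quoted documentation: a leading "*." matches subdomains to one or more levels, anything else is an exact string match, which is why "*twitter.com" can never match a real domain. Assumptions: the headers are constructed from the ones quoted in the post (From: local part simplified, signature value truncated, no i= tag since it is munged above), the signature is taken to have verified already (nothing here checks b= or bh=), and the helper names are mine. One thing to check against the DKIM.pm shipped with your release before relying on an override: the documented syntax is adsp_override domain [signing-practices], and when the second argument is omitted the documentation treats it as "discardable", so a bare override line asserts a discard policy for that domain rather than exempting it.

```python
"""Model of the two checks behind the DKIM_ADSP_* rules discussed in the post.

Added example, not SpamAssassin's code. It reimplements, from RFC 5617 and the
quoted DKIM.pm documentation, (1) whether a valid signature is an Author Domain
Signature (d= must equal the From: domain exactly), which decides whether ADSP
is consulted at all, and (2) the adsp_override domain-matching rule.
"""
import email
from email.utils import parseaddr

# Constructed from the headers quoted in the post; local part simplified and the
# b= value truncated, since nothing here verifies the signature itself.
SAMPLE_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;\r\n"
    "\tt=1271961514; bh=T4bdOYF1fyVUT+o7vZmkItD4rN8=;\r\n"
    "\th=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version:\r\n"
    "\t Content-Type;\r\n"
    "\tb=ZQgZWgQ7MccFNX8mC01jMy093HhXafdzm937BCXsOYK/sIYbCWZZtCS80HAPDRRQA\r\n"
    "From: Twitter <twitter-resetpw@postmaster.twitter.com>\r\n"
    "Subject: Reset your Twitter password\r\n"
    "\r\n"
    "(body omitted)\r\n"
)


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature tag=value list; folding whitespace is discarded."""
    tags = {}
    for part in value.split(";"):
        part = "".join(part.split())  # drop CRLF, tabs and spaces inside a tag
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.lower()] = val
    return tags


def author_domain(msg) -> str:
    """Domain of the From: address (the 'Author Domain' in RFC 5617 terms)."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def is_author_domain_signature(signing_domain: str, author_dom: str) -> bool:
    """RFC 5617 s.2.7: d= must be the same as the author domain, not a parent."""
    return signing_domain.lower() == author_dom.lower()


def adsp_consulted(msg) -> bool:
    """ADSP (published or adsp_override) is only looked at when no valid
    signature carries d= equal to the author domain. Validity is assumed."""
    author_dom = author_domain(msg)
    for sig in msg.get_all("DKIM-Signature", []):
        if is_author_domain_signature(parse_dkim_tags(str(sig)).get("d", ""), author_dom):
            return False
    return True


def adsp_override_matches(pattern: str, author_dom: str) -> bool:
    """Domain matching as documented for adsp_override: '*' matches anything,
    '*.x' matches subdomains of x (one or more levels, not x itself),
    anything else must match exactly, so '*twitter.com' matches nothing real."""
    pattern, author_dom = pattern.lower(), author_dom.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return author_dom.endswith(pattern[1:]) and author_dom != pattern[2:]
    return author_dom == pattern


def check(raw: str, overrides) -> dict:
    """Summarise, for one raw message, what the ADSP logic would do."""
    msg = email.message_from_string(raw)
    author_dom = author_domain(msg)
    return {
        "author_domain": author_dom,
        "adsp_consulted": adsp_consulted(msg),
        "matching_overrides": [p for p in overrides if adsp_override_matches(p, author_dom)],
    }


if __name__ == "__main__":
    candidates = ["postmaster.twitter.com", "*.twitter.com", "*twitter.com", "twitter.com"]
    print(check(SAMPLE_HEADERS, candidates))
```

Running it on the constructed headers reports author_domain postmaster.twitter.com, adsp_consulted True (d=twitter.com is not an author domain signature for that From:), and only "postmaster.twitter.com" and "*.twitter.com" as matching override patterns; rewrite the From: to @twitter.com and adsp_consulted flips to False, which is the case the quoted documentation sentence describes.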
