On Thu, 2010-09-23 at 17:55 -0500, Chris wrote:
> http://pastebin.com/ypiHcyvK
>
> The above phish for my ISP came in this morning, it triggered the short
> circuit 'ham' rule. Is it because I have this in my local.cf and the
> message has a dkim signature?
>
> def_whitelist_from_dkim *...@embarqmail.com
>
> DKIM-Signature: v=1; a=rsa-sha1; d=embarqmail.com; s=s012408;
> c=relaxed/simple; q=dns/txt; i...@embarqmail.com; t=1285235699;
> h=From:Subject:Date:To:MIME-Version:Content-Type;
> bh=9FOJPKqN2Ht/0QapcfDg7uQayg4=;
> b=WMoex2VshAez5cqfiXbdykBskGnhCxMtG4ojE3+VaHxS2tB466/bZ2YjLuY3afkV
> gSsc8wS1MU8RdOVs2AcIrWmIz/h8RQHuuN1hl2tPSHiN9vCBRbx5qEKa3qpTlnAy;
>
> Do I have def_whitelist_from_dkim configured incorrectly?
>
> Chris
>

Got this from my ISP today:

The phishing email was from a compromised user account. Some foreign entity had logged on to our outbound email server with a customer's stolen credentials and sent out phishing emails. This is quite a desirable scenario for phishers as their email goes out through a valid server when they have pilfered ISP user accounts. This causes a couple of issues. The phishing emails are more likely to be accepted from a trusted SMTP server. After such an attack is detected, the formerly trusted SMTP server is soon subject to blocking based on the smear to its reputation.

-- 
Chris
KeyID 0xE372A7DA98E6705C
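
Why mail sent through the ISP's own server with stolen credentials still matches a DKIM whitelist entry, as an added example: this is a simplified model, not SpamAssassin's code and not part of the original messages. The domain `isp.example`, the sample header, the scores and all function names are constructed for illustration.

```python
import fnmatch
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Header folding leaves whitespace inside values (b= especially); drop it.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_whitelist_match(from_addr, header_value, signature_valid, pattern):
    """Model of a DKIM whitelist entry: the author address matches the glob
    and a valid signature's d= domain equals the author's domain."""
    if not signature_valid:
        return False
    if not fnmatch.fnmatchcase(from_addr.lower(), pattern.lower()):
        return False
    author_domain = from_addr.rsplit("@", 1)[1].lower()
    return parse_dkim_tags(header_value).get("d", "").lower() == author_domain

def classify(whitelisted, content_score, shortcircuit, wl_score=-7.5, threshold=5.0):
    """With short-circuiting, a whitelist hit ends the scan as ham before any
    content rule counts; without it, the hit is one negative score among others.
    wl_score and threshold are assumed values for this model."""
    if whitelisted and shortcircuit:
        return "ham"
    total = content_score + (wl_score if whitelisted else 0.0)
    return "spam" if total >= threshold else "ham"

# Constructed header: the ISP's server signs everything it relays, so a message
# sent with a customer's stolen credentials carries a valid signature.
SIG = ("v=1; a=rsa-sha1; d=isp.example; s=sel1;\n c=relaxed/simple; "
       "h=From:Subject:Date:To; bh=Y29uc3RydWN0ZWQ=;\n b=Y29uc3RydWN0\n ZWQ=;")

def demo():
    # Phish from a compromised account: valid signature, author in the signing domain.
    phish = dkim_whitelist_match("customer@isp.example", SIG, True, "*@isp.example")
    # Forged From with no valid signature: the whitelist entry does not apply.
    spoof = dkim_whitelist_match("customer@isp.example", SIG, False, "*@isp.example")
    return {
        "phish_shortcircuit": classify(phish, 14.0, shortcircuit=True),
        "phish_scored": classify(phish, 14.0, shortcircuit=False),
        "spoof": classify(spoof, 14.0, shortcircuit=True),
    }
```

The signature proves which domain relayed the message, not who was at the keyboard, so the whitelist entry matches the compromised-account phish exactly as it matches legitimate mail.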