On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
Hai!

I don't understand why they would match your SPF record either. Are they sent
out by an IP address you 'approved'?
SPF does not fail, because they use a different envelope address, which may pass SPF.
The end recipient does not check the envelope anyway.





Thanks,
Raymond Dijkxhoorn

On 28 Jun 2016 at 03:27, jdebert <jdeb...@garlic.com> wrote:

On Mon, 27 Jun 2016 18:41:04 +0530
Ram <r...@netcore.co.in> wrote:

I am seeing messages that appear to come from the MD or the CEO of
the company to the accounts department, asking people to transfer
money to some fake account.

These messages were initially few and I ignored them. But now this has
become a problem.
I know these are not spam messages, so catching them will be out of
scope for a spam filter.

These messages have different envelope IDs, so SPF checks always pass.
The header From is properly formatted, exactly as it would be in a
normal mail.

What measures do you take for such spear phishing?

Thanks
Ram
You're not using the proper tools. You cannot expect SpamAssassin to
magically prevent all such messages. Just because SpamAssassin or any
other filter passes such a message does not mean it is valid. To use
SpamAssassin and filters to block such messages gives a false sense
of security and leads to false assumptions of authenticity. Your company
must enforce strict AP controls to prevent payouts based on such
messages, and the controls must apply to everyone, including the CEO. Those are
the proper tools.

Given that these messages are appearing more frequently, it may be that
some have already been successful. I suggest you consider an AP audit
to ensure that this is not the case.
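The thread's technical point is that SPF vouches only for the envelope sender (RFC5321.MailFrom / Return-Path), while the accounts clerk sees the header From (RFC5322.From); an attacker whose own domain passes SPF can put the CEO's address in the header From and still get "SPF pass". The check that closes that gap is DMARC-style identifier alignment: does the domain SPF verified match the domain in the header From? The script below is an added example, not code from any poster or from SpamAssassin. It parses a message, reads the border MTA's Received-SPF result, compares the two domains, and additionally flags a protected display name ("Jane Doe") shown with an address other than the one on a small allow-list. The sample messages, the netcore.example/attacker.example domains, the PROTECTED table and the two-label organisational-domain rule are all constructed assumptions (real DMARC uses the Public Suffix List for relaxed alignment).

```python
"""DMARC-style alignment and display-name check for BEC-type mail.

Added example: the envelope sender that passed SPF is compared with the
header From that the recipient sees, which is exactly the gap described
in the thread. All domains, addresses and messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: protected identities, keyed by normalised display name, each
# mapped to the only address it is allowed to appear with.
PROTECTED = {
    "jane doe": "ceo@netcore.example",
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed alignment. Simplified to the last
    two labels (assumption); real DMARC consults the Public Suffix List."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def spf_result(msg) -> str:
    """First token of the Received-SPF header added by the border MTA."""
    hdr = msg.get("Received-SPF", "")
    return hdr.split()[0].lower() if hdr else "none"


def analyse(raw: bytes) -> dict:
    """Return the SPF result, both domains, alignment and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, mail_from = parseaddr(msg.get("Return-Path", ""))   # RFC5321.MailFrom
    display, header_from = parseaddr(msg.get("From", ""))  # RFC5322.From
    mf_dom, hf_dom = domain_of(mail_from), domain_of(header_from)
    reasons = []

    spf = spf_result(msg)
    if spf != "pass":
        reasons.append(f"SPF result is {spf}")

    # SPF only vouches for mf_dom; it says nothing about hf_dom. An empty
    # MAIL FROM (bounce) is treated as unaligned here (assumption).
    aligned = bool(mf_dom) and org_domain(mf_dom) == org_domain(hf_dom)
    if not aligned:
        reasons.append(f"header From domain {hf_dom!r} is not aligned with "
                       f"envelope sender domain {mf_dom!r}")

    # Display-name impersonation: a protected name with a foreign address.
    norm = re.sub(r"[^a-z ]+", " ", display.lower())
    hit = next((k for k in PROTECTED if k in norm), None)
    if hit and header_from.lower() != PROTECTED[hit]:
        reasons.append(f"display name {display!r} used with {header_from}")

    return {
        "spf": spf,
        "mail_from_domain": mf_dom,
        "header_from_domain": hf_dom,
        "aligned": aligned,
        "reasons": reasons,
        "verdict": "quarantine" if reasons else "accept",
    }


# Constructed sample 1: the case from the thread. The attacker's own domain
# authorises the sending IP, so SPF passes, but the header From is the CEO.
BEC_SPOOF = b"""Return-Path: <bounce@attacker.example>
Received-SPF: pass (mx.netcore.example: domain of attacker.example designates 203.0.113.5 as permitted sender)
From: "Jane Doe, CEO" <ceo@netcore.example>
To: accounts@netcore.example
Subject: Urgent wire transfer

Please wire the attached invoice today.
"""

# Constructed sample 2: genuine internal mail, both identifiers aligned.
LEGIT = b"""Return-Path: <ceo@netcore.example>
Received-SPF: pass (mx.netcore.example: domain of netcore.example designates 198.51.100.7 as permitted sender)
From: "Jane Doe, CEO" <ceo@netcore.example>
To: accounts@netcore.example
Subject: Board minutes

Minutes attached.
"""

# Constructed sample 3: aligned and SPF-clean, but the CEO's name is shown
# with a freemail address; alignment alone would not catch this one.
LOOKALIKE = b"""Return-Path: <jane.doe@freemail.example>
Received-SPF: pass (mx.netcore.example: domain of freemail.example designates 192.0.2.9 as permitted sender)
From: "Jane Doe" <jane.doe@freemail.example>
To: accounts@netcore.example
Subject: Need a quick payment done

I am in a meeting, call me only after the transfer is done.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", BEC_SPOOF), ("legit", LEGIT), ("lookalike", LOOKALIKE)):
        r = analyse(raw)
        print(f"{label:9s} spf={r['spf']} aligned={r['aligned']} -> {r['verdict']}")
        for reason in r["reasons"]:
            print("          -", reason)
```

The first sample is the one the thread describes: SPF passes, and only the alignment check exposes it. The third sample is the other common shape of the same fraud, where the attacker owns the whole sending domain and only the display name is borrowed, which is why the address allow-list sits beside the alignment test. Neither check replaces the accounts-payable controls the reply above insists on; they only keep more of these messages out of the accounts inbox.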

