Mailing List Archive

Crap getting through
I'm getting obvious phishing attempts. This one was made to look like it
was from Wells Fargo with an obvious spoofed email address. However, when
I examined the headers, the From Address was this garbage:
*=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *

I received another one that was meant to be an Amazon Prime Membership
failure. How can I block these? The last time I inquired about phishing,
it was suggested to install KAM, which I did, but this crap is still
getting through. Any other suggestions?

Thank you.

Daryl
Re: Crap getting through
Daryl,

Can you please post a copy of the raw email message - with headers -
perhaps with your own user's email address (and name?) masked out
(change to "XXXXXXXX") - to pastebin, or to a similar site - then reply
here with the link. It is difficult to give specific suggestions without
having the raw underlying text of the message (w/headers). But please
try to avoid pasting that directly to this list. Thanks!

Rob McEwen


On 11/8/2020 5:00 PM, Daryl Rose wrote:
> I'm getting obvious phishing attempts. This one was made to look like
> it was from Wells Fargo with an obvious spoofed email address. 
> However, when I examined the headers, the From Address was this
> garbage: *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure.   How can I block these?  The last time I inquired about
> phishing, it was suggested to install KAM, which I did, but this crap
> is still getting through.  Any other suggestions?
>
> Thank you.
>
> Daryl
>
>
>

--
Rob McEwen, invaluement
Re: Crap getting through
Daryl Rose wrote on 2020-11-08 23:00:
> I'm getting obvious phishing attempts.

report to https://phishtank.com/ then

> This one was made to look like
> it was from Wells Fargo with an obvious spoofed email address.

so what did spamassassin say about that ?

> However, when I examined the headers, the From Address was this
> garbage: =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=

nice trick to avoid testing ?

developers of sa, utf-8 and qp is basically fucked everywhere :/

but this one is base64

> I received another one that was meant to be an Amazon Prime Membership
> failure.

maybe amazon prime hands out too many free accounts ? :-)

> How can I block these?

if you like me to answer that i could give next weeks lotto numbers in
return :-)

> The last time I inquired about
> phishing, it was suggested to install KAM,

now it seems you need to build corpus without rescoring anything in
kam.cf

make a DR.cf to build locally on your self control

> which I did, but this crap
> is still getting through. Any other suggestions?

without any samples no one can help

you have all that is needed to make DR.cf ?
Re: Crap getting through
On Sun, 8 Nov 2020, Daryl Rose wrote:

> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *

Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably
won't pass masscheck and get published because there are probably few
examples of that in the corpus.

Added to my sandbox:

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FUZZY_WELLSFARGO_BODY /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
replace_rules __FUZZY_WELLSFARGO_BODY
header __FUZZY_WELLSFARGO_FROM From:name =~ /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
replace_rules __FUZZY_WELLSFARGO_FROM
meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
endif

Do you have something like this in place?

whitelist_auth *@wellsfargo.com
blacklist_from *@wellsfargo.com
whitelist_auth *@*.wellsfargo.com
blacklist_from *@*.wellsfargo.com
whitelist_auth *@bankofamerica.com
blacklist_from *@bankofamerica.com
whitelist_auth *@*.bankofamerica.com
blacklist_from *@*.bankofamerica.com



--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Sheep have only two speeds: graze and stampede. -- LTC Grossman
-----------------------------------------------------------------------
Tomorrow: The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Crap getting through
Sorry, I deleted it right away. I normally delete that crap as soon as it
comes in. I'll remember to keep it next time I get something so I can
post the headers.

Daryl

On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen <rob@invaluement.com> wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out (change
> to "XXXXXXXX") - to pastebin, or to a similar site - then reply here with
> the link. It is difficult to give specific suggestions without having the
> raw underlying text of the message (w/headers). But please try to avoid
> pasting that directly to this list. Thanks!
>
> Rob McEwen
>
>
> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure. How can I block these? The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through. Any other suggestions?
>
> Thank you.
>
> Daryl
>
>
>
>
> --
> Rob McEwen, invaluement
>
>
Re: Crap getting through
On 09.11.20 05:07, Daryl Rose wrote:
>Sorry, I deleted it right away. I normally delete that crap as soon as it
>comes in. I'll remember to keep it next time I get something so I can
>post the headers.

I keep spam and phishes in special mail directories for later examination


>On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen <rob@invaluement.com> wrote:
>> Can you please post a copy of the raw email message - with headers -
>> perhaps with your own user's email address (and name?) masked out (change
>> to "XXXXXXXX") - to pastebin, or to a similar site - then reply here with
>> the link. It is difficult to give specific suggestions without having the
>> raw underlying text of the message (w/headers). But please try to avoid
>> pasting that directly to this list. Thanks!

>> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>>
>> I'm getting obvious phishing attempts. This one was made to look like it
>> was from Wells Fargo with an obvious spoofed email address. However, when
>> I examined the headers, the From Address was this garbage:
>> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *


this is not garbage, this is a mime-encoded string:

> *W?lls?argo Bank *

...and that is garbage.
But it should be quite easily caught.


>> I received another one that was meant to be an Amazon Prime Membership
>> failure. How can I block these? The last time I inquired about phishing,
>> it was suggested to install KAM, which I did, but this crap is still
>> getting through. Any other suggestions?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
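The two points made above, that the "garbage" From: name is an RFC 2047 encoded-word that decodes to a lookalike spelling of the brand, and that a fuzzy rule like John Hardin's FUZZY_WELLSFARGO catches it while leaving the correctly spelled name to whitelist_auth/blacklist_from, worked as an added Python example (not code from the thread or from SpamAssassin). It decodes the exact encoded-word quoted in the thread; the address part of the sample header is a constructed placeholder, and `skeleton()` folds lookalike letters in place of the ReplaceTags letter classes.

```python
import re
import unicodedata
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample: the encoded-word is the one quoted in the thread; the
# address part is a placeholder, not a real sender.
SAMPLE_FROM = "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= <alerts@example.invalid>"

# Same shape as the pattern in the FUZZY_WELLSFARGO rule, without the
# ReplaceTags letter classes: lookalikes are folded by skeleton() instead.
BRAND = re.compile(r"wells[-\s]?fargo", re.I)

def decode_display_name(raw_from):
    """Split a From: value into (display name, address), decoding RFC 2047
    encoded-words so =?utf-8?B?...?= becomes readable text."""
    name, addr = parseaddr(raw_from)
    parts = []
    for chunk, charset in decode_header(name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts), addr

def skeleton(text):
    """Drop accents and other combining marks: NFKD turns the decoded
    'ễ' into 'e' plus two marks and 'Ḟ' into 'F' plus a dot; marks go."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def fuzzy_brand_hit(display_name):
    """True only when the name reads as 'Wells Fargo' after folding lookalike
    letters. The correct spelling is not a hit (left to whitelist_auth /
    blacklist_from), mirroring the rule's negative lookahead on it."""
    if BRAND.search(display_name):
        return False
    return BRAND.search(skeleton(display_name)) is not None

def analyze(raw_from):
    """Decode one From: header and report what a rule would see."""
    name, addr = decode_display_name(raw_from)
    return {"display_name": name, "skeleton": skeleton(name),
            "domain": addr.rsplit("@", 1)[-1].lower(),
            "fuzzy_brand": fuzzy_brand_hit(name)}

if __name__ == "__main__":
    for header in (SAMPLE_FROM, "Wells Fargo <alerts@wellsfargo.com>"):
        print(analyze(header))
```

For the thread's header the decoded name is "WễllsḞargo Bank", whose skeleton "WellsFargo Bank" matches the brand pattern while the raw text does not, which is exactly the condition the fuzzy rule fires on.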
Re: Crap getting through
On Sun, 8 Nov 2020 19:49:20 -0500
Rob McEwen wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out
> (change to "XXXXXXXX")

It's best to leave it syntactically correct and with self-consistent
obfuscation, so it can be run through SA without having to be edited a
send time.
Re: Crap getting through
On Mon, 9 Nov 2020 12:44:04 +0000
RW wrote:

> On Sun, 8 Nov 2020 19:49:20 -0500
> Rob McEwen wrote:
>
> > Daryl,
> >
> > Can you please post a copy of the raw email message - with headers
> > - perhaps with your own user's email address (and name?) masked out
> > (change to "XXXXXXXX")
>
> It's best to leave it syntactically correct and with self-consistent
> obfuscation, so it can be run through SA without having to be edited a
> send time.

second time