netflix phishing emails forwarded via sendgrid
i have added urls to phishtank

if rules could be added to spamassassin to detect it better, i can
send samples to sa pmc members

X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no
autolearn_force=no,
LastExt=149.72.91.245
X-Spam-Rules_score:
DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001

mx relay is sendgrid, but envelope sender is not sendgrid

https://phishtank.com/phish_detail.php?phish_id=6927641
https://phishtank.com/phish_detail.php?phish_id=6927893
Re: netflix phishing emails forwarded via sendgrid
Since it's already hitting 8.9, why do more?

On 1/19/2021 9:07 PM, Benny Pedersen wrote:
> i have added urls to phishtank
>
> if rules could be added to spamassassin to detect it better, i can
> send samples to sa pmc members
>
> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no
> autolearn_force=no,
>     LastExt=149.72.91.245
> X-Spam-Rules_score:
> DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
>     DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
>     HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
>     KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
>     SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>
> mx relay is sendgrid, but envelope sender is not sendgrid
>
> https://phishtank.com/phish_detail.php?phish_id=6927641
> https://phishtank.com/phish_detail.php?phish_id=6927893

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: netflix phishing emails forwarded via sendgrid
On 2021-02-02 03:25, Kevin A. McGrail wrote:
> Since it's already hitting 8.9, why do more?

too much phishing in the winter half of the year for my taste

i just google report urls now, and still add to phishtank, hopefully
phishers get a real life

you can safely add 1.5 more to KAM_SENDGRID, if it continues i do it
locally

no need to argue http://multirbl.valli.org/lookup/149.72.91.245.html :-)

>
> On 1/19/2021 9:07 PM, Benny Pedersen wrote:
>> i have added urls to phishtank
>>
>> if rules could be added to spamassassin to detect it better, i can
>> send samples to sa pmc members
>>
>> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no
>> autolearn_force=no,
>>     LastExt=149.72.91.245
>> X-Spam-Rules_score:
>> DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
>>     DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
>>     HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
>>     KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
>>     SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>>
>> mx relay is sendgrid, but envelope sender is not sendgrid
>>
>> https://phishtank.com/phish_detail.php?phish_id=6927641
>> https://phishtank.com/phish_detail.php?phish_id=6927893
Re: netflix phishing emails forwarded via sendgrid
Does anyone have a copy of the netflix phishing that they could forward to me at amitchell@isipp.com, including the body of it?

TIA!

Anne

> On Feb 2, 2021, at 1:04 AM, Benny Pedersen <me@junc.eu> wrote:
>
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
>
> too much phishing in the winter half of the year for my taste
>
> i just google report urls now, and still add to phishtank, hopefully phishers get a real life
>
> you can safely add 1.5 more to KAM_SENDGRID, if it continues i do it locally
>
> no need to argue http://multirbl.valli.org/lookup/149.72.91.245.html :-)
>
>> On 1/19/2021 9:07 PM, Benny Pedersen wrote:
>>> i have added urls to phishtank
>>> if rules could be added to spamassassin to detect it better, i can send samples to sa pmc members
>>> X-Spam-Status: Yes, score=8.9, required=5.0, Autolearn=no autolearn_force=no,
>>> LastExt=149.72.91.245
>>> X-Spam-Rules_score: DATE_IN_PAST_03_06=1.076,DKIM_SIGNED=-0.1,DKIM_VALID=-0.1,
>>> DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HTML_IMAGE_ONLY_32=0.001,
>>> HTML_MESSAGE=0.1,KAM_NUMSUBJECT=0.5,KAM_REALLYHUGEIMGSRC=0.5,
>>> KAM_SENDGRID=1.5,RCVD_IN_BRUKALAI_BLACK=2,SENDGRID_REDIR=0.932,
>>> SPF_HELO_NONE=3,SPF_PASS=-0.1,TXREP=-0.187,UNPARSEABLE_RELAY=0.001
>>> mx relay is sendgrid, but envelope sender is not sendgrid
>>> https://phishtank.com/phish_detail.php?phish_id=6927641
>>> https://phishtank.com/phish_detail.php?phish_id=6927893
Re: netflix phishing emails forwarded via sendgrid
On 2021-02-02 03:25, Kevin A. McGrail wrote:
> Since it's already hitting 8.9, why do more?

got one more today

http://multirbl.valli.org/lookup/167.89.112.86.html

envelope sender is not sendgrid.net

spam urls to the phishing are sendgrid redirects to hide all details of the spam
domain

why are so many uribls not blocking phish attempts better?

i can send sample on request to pmc members
Re: netflix phishing emails forwarded via sendgrid
On Tue, Feb 09, 2021 at 10:03:57PM +0100, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
> > Since it's already hitting 8.9, why do more?
>
> got one more today
>
> http://multirbl.valli.org/lookup/167.89.112.86.html
>
> envelope sender is not sendgrid.net
>
> spam urls to the phishing are sendgrid redirects to hide all details of the spam
> domain
>
> why are so many uribls not blocking phish attempts better?
>
> i can send sample on request to pmc members
Please send me spamples, I will take a look at them.

Giovanni
Re: netflix phishing emails forwarded via sendgrid
On 2/9/21 10:03 PM, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
>
> got one more today
>
> http://multirbl.valli.org/lookup/167.89.112.86.html
>
> envelope sender is not sendgrid.net
>
> spam urls to the phishing are sendgrid redirects to hide all details of the spam domain
>
> why are so many uribls not blocking phish attempts better?
>
With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as local generated files.
Local files can be generated by looking at the Return-path of the offending email.
Return-Path: <bounces+1234-567-foo@example.com>
In this case "1234" is the id you are interested in.

Giovanni

[¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2
Re: netflix phishing emails forwarded via sendgrid
On 2021-02-11 12:46, Giovanni Bechis wrote:

> With the updated Esp plugin[¹] just committed to trunk you could use
> Sendgrid files downloaded from Invaluement as well as local generated
> files.

these files would work if sendgrid did not allow non-sendgrid.net envelope
senders :(

KAM_SENDGRID_REDIR is the best defence now, locally scored at 10 here

fun can continue as long as sendgrid is widely whitelisted :(

> Local files can be generated by looking at the Return-path of the
> offending email.

> Return-Path: <bounces+1234-567-foo@example.com>
> In this case "1234" is the id you are interested in.

good to know if building local blacklists

> [¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2

there is a lint error in line 249
Re: netflix phishing emails forwarded via sendgrid
On Thu, 11 Feb 2021, Giovanni Bechis wrote:

> On 2/9/21 10:03 PM, Benny Pedersen wrote:
>> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>>> Since it's already hitting 8.9, why do more?
>>
>> got one more today
>>
>> http://multirbl.valli.org/lookup/167.89.112.86.html
>>
>> envelope sender is not sendgrid.net
>>
>> spam urls to the phishing are sendgrid redirects to hide all details of the spam domain
>>
>> why are so many uribls not blocking phish attempts better?
>>
> With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as local generated files.
> Local files can be generated by looking at the Return-path of the offending email.
> Return-Path: <bounces+1234-567-foo@example.com>
> In this case "1234" is the id you are interested in.

I have a script that generates a static rule based on sendgrid sender ids
in local corpora + the invaluement download if (for some reason) you don't
want to / can't use the plugin.

https://www.impsec.org/~jhardin/antispam/make_sendgrid_rule.sh


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Tomorrow: Abraham Lincoln's and Charles Darwin's 212th Birthdays
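Giovanni's Return-Path hint and John's static-rule generator, combined into one added example that is not the thread's script, the Esp plugin or Invaluement's data: it pulls the SendGrid account id out of every Return-Path of the form `<bounces+ID-...@...>` found in a local corpus, merges the ids with an optional downloaded list, and emits a static SpamAssassin header rule. Assumptions: the Return-Path layout is exactly the one Giovanni quoted, the id-list file format (one id per line) is mine rather than Invaluement's, and the rule name LOCAL_SENDGRID_BAD_ID, its score and the sample corpus lines are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not the thread's make_sendgrid_rule.sh or the Esp plugin.
# Assumes Return-Path: <bounces+ID-...@...> as quoted in the thread; the
# rule name, score and the id-file format (one id per line) are assumptions.

# Print one SendGrid account id per line for each matching Return-Path
# header read from stdin (a mbox or a concatenation of raw messages).
extract_sendgrid_ids() {
    sed -n 's/^Return-Path:[[:space:]]*<bounces+\([0-9][0-9]*\)-.*$/\1/p' \
        | sort -u
}

# Read ids (one per line, blank lines ignored) from stdin and print a static
# SpamAssassin header rule. With no ids it prints nothing at all, so an empty
# corpus never produces a broken or over-broad rule.
make_sendgrid_rule() {
    ids=$(sed '/^[[:space:]]*$/d' | sort -u | tr '\n' '|')
    ids=${ids%|}                       # drop the trailing separator
    [ -n "$ids" ] || return 0
    printf 'header   LOCAL_SENDGRID_BAD_ID  Return-Path =~ /^<bounces\\+(?:%s)-/\n' "$ids"
    printf 'describe LOCAL_SENDGRID_BAD_ID  SendGrid account id seen in local phish corpus\n'
    printf 'score    LOCAL_SENDGRID_BAD_ID  5.0\n'
}

# Constructed corpus: two SendGrid-style phish samples and one ordinary
# message whose Return-Path carries no SendGrid id.
sample_corpus() {
    cat <<'EOF'
From: "Netflix" <no-reply@example.invalid>
Return-Path: <bounces+1234-567-foo@example.com>
Subject: constructed phish sample 1

Return-Path: <bounces+98765-001-bar@example.org>
Subject: constructed phish sample 2

Return-Path: <ordinary-sender@example.net>
Subject: constructed ham, no SendGrid id
EOF
}

# Demo: ids from the constructed corpus, turned into a rule.
sample_corpus | extract_sendgrid_ids | make_sendgrid_rule
```

To merge a downloaded list with the local corpus, feed both into the generator, e.g. `{ extract_sendgrid_ids < spam.mbox; cat downloaded-ids.txt; } | make_sendgrid_rule > local_sendgrid.cf`, and run `spamassassin --lint` before installing the file; the generator must be re-run whenever the corpus changes, which is the trade-off against the Esp plugin reading the id files at scan time.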
Re: netflix phishing emails forwarded via sendgrid
On Thu, 11 Feb 2021, Benny Pedersen wrote:

> On 2021-02-11 12:46, Giovanni Bechis wrote:
>
>> With the updated Esp plugin[¹] just committed to trunk you could use
>> Sendgrid files downloaded from Invaluement as well as local generated
>> files.
>
> these files would work if sendgrid did not allow non-sendgrid.net envelope
> senders :(

Try the script generator I posted, it isn't domain-specific.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
Re: netflix phishing emails forwarded via sendgrid
On 2021-02-11 14:56, John Hardin wrote:
> On Thu, 11 Feb 2021, Benny Pedersen wrote:
>
>> On 2021-02-11 12:46, Giovanni Bechis wrote:
>>
>>> With the updated Esp plugin[¹] just committed to trunk you could use
>>> Sendgrid files downloaded from Invaluement as well as local generated
>>> files.
>>
>> these files would work if sendgrid did not allow non-sendgrid.net envelope
>> senders :(
>
> Try the script generator I posted, it isn't domain-specific.

good and tested now, it works

if Invaluement wants data to add, i would like to share my local id file
now