Mailing List Archive

Spoofed amazon order email
First, thanks to everyone on the list who has given me a hand over the
past couple of weeks as I get my "sea legs" with spamassassin. It's
working well for me now but I obviously still have more to learn.

For one, I'm still uncertain on the best way to fine tune SA to beat
back some tricky spam. Like this one that comes from a gmail account but
spoofs a fake, expensive order on amazon to try to phish the user.

Return-Path: <gk5751735@gmail.com>
Delivered-To: s@dondley.com
Received: from email.dondley.com
by email.dondley.com with LMTP
id Ev9rGkyheWBeegAAB604Gw
(envelope-from <gk5751735@gmail.com>)
for <s@dondley.com>; Fri, 16 Apr 2021 10:38:04 -0400
Received: by email.dondley.com (Postfix, from userid 115)
id 5EFD521516; Fri, 16 Apr 2021 10:38:04 -0400 (EDT)
Authentication-Results: email.dondley.com;
dkim=pass (2048-bit key; unprotected) header.d=gmail.com
header.i=@gmail.com header.b="Fi/GiyLT";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
email.dondley.com
X-Spam-Level:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_20,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,GB_FROM_NAME_FREEMAIL,
HTML_MESSAGE,MIME_HTML_MOSTLY,NAME_EMAIL_DIFF,RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS
shortcircuit=no autolearn=no autolearn_force=no version=3.4.2
X-Spam-Language: en
Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=209.85.216.54; helo=mail-pj1-f54.google.com;
envelope-from=gk5751735@gmail.com; receiver=<UNKNOWN>
Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com
[209.85.216.54])
by email.dondley.com (Postfix) with ESMTPS id 9DFB9210C1
for <s@dondley.com>; Fri, 16 Apr 2021 10:37:53 -0400 (EDT)
Received: by mail-pj1-f54.google.com with SMTP id
kb13-20020a17090ae7cdb02901503d67f0beso3185770pjb.0
for <s@dondley.com>; Fri, 16 Apr 2021 07:37:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=message-id:date:from:mime-version:subject:to;
bh=tbWgclEtavQLHj3b2u0ycLuH4u7X12CkOv+d/W8zWrs=;
b=Fi/GiyLThBU+Sf1M8Thsh4lWYqGeC2mX1d6uL+5grFufl8EA68jtMePxe1TsIetKPj
oCRdmdkjvxAGFA0Uny2lttK9Xhpmoa38zO0rLmFLN+tzKTHYuKKoiQx6ugByfCpk6A82
QDyDgRp7HpEkA34ztYXqR9Q0MH8eTPPaK7iNTbdq2Sb78PYR+XNX9UVDnWarVSmlQm6N
EwrQKnzaaT4WKuUrmXS8tkGJMLLfWxLQAu0oCxbKwDkjW7yLMVYGl1Zhk7tNjoi2Hk2r
xywZ0v6AyAbSTawCrUN052ps4xjKR/o0CLHrkk+FLbu9wENYbhrDNb/HMRu20aTzEgHn
AvZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:message-id:date:from:mime-version:subject:to;
bh=tbWgclEtavQLHj3b2u0ycLuH4u7X12CkOv+d/W8zWrs=;
b=D4cfDeHF3n8JokVklJNHvyFD04InVRxq/DLHtB+xrMenRQZDQPHMqH5KdJBAgs4hAD
hc1YTl90K8wFUUAicyyzwhAzBTJqqCtmOZJczjjoXj9WXxEBqiJvgB5m2H+UvTejEX/0
AA/Exf6uvfuGP5hsrp7o4i22DBc/FlZDVArJt7wN+u+zjO1+rRFgrfbW6fdWzgYkb6Y2
jV/JTQywhNxSY6XaOSd4AA1i9ZC8LOaqkOLabUy1WI7uEWDOvzaO4MZuBzHi23vmdHlA
weh507+u6rXpN6BarAXZEZxnC+yev86JRqtQjJZL5qTpbjhb2s/1g6wSeRNF1Ri7qIXs
zbfA==
X-Gm-Message-State:
AOAM5322u+9pAxfsMRqYaM8FgbXE+0nBCEZeqd286+mfRDrabuuIhCVe
CLSzPPcNsg+v2Px14I1WF9r5vuoVLtg=
X-Google-Smtp-Source:
ABdhPJw1ixhEhS6bCqFtjizgrTxFo6mCL1fEQPBSzQxIDGkIqIwR7np7Mgjy6ap0Lx6VHje5LfeKwQ==
X-Received: by 2002:a17:90a:5407:: with SMTP id
z7mr10416174pjh.228.1618583872037;
Fri, 16 Apr 2021 07:37:52 -0700 (PDT)
Received: from
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
([104.143.92.92])
by smtp.gmail.com with ESMTPSA id
t15sm5203451pgh.33.2021.04.16.07.37.49
for <s@dondley.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 16 Apr 2021 07:37:51 -0700 (PDT)
Message-ID: <6079a13f.1c69fb81.a9651.e9cb@mx.google.com>
Date: Fri, 16 Apr 2021 07:37:51 -0700 (PDT)
From: "order@amazon.com" <gk5751735@gmail.com>
X-Google-Original-From: "order@amazon.com" <order@amazon.com>
Content-Type: multipart/alternative;
boundary="===============2707982310301423984=="
MIME-Version: 1.0
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
To: s@dondley.com

--===============2707982310301423984==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Hello there, S!

This is a test template...

--===============2707982310301423984==
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<p style="text-align: center;"><a
href="https://go.pardot.com/unsubscribe/u/272832/9445773a5f7e92b64a4b106d30d12be4ec08e6d19850125ed1a094fe7f00100f/734801457"
target="_blank">List-Unsubscribe</a></p>
</head>
<table class="container" style="margin: auto;" border="0"
cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td align="center">
<table class="container" style="width: 700px; margin: auto; background:
#fff;" border="0" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td>
<table border="0" width="100%" cellspacing="1" cellpadding="20">
<tbody>
<tr>
<td style="text-align: right; margin: 0px; font-family:
Arial,Helvetica,sans-serif; font-size: 16px; color: #000;" valign="top">
<p style="padding: 5px 0 15px 0; margin: 0px;">Your Order&nbsp; | Your
Account | Amazon.com</p>
<p style="padding: 0px 0 10px 0; margin: 0px; font-weight: bold; color:
#d35400;">ORDER NUMBER</p>
<p style="padding: 0px; margin: 0px; font-weight: bold;">#
IVK-1250703-9254770</p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="0" width="100%" cellspacing="1" cellpadding="20">
<tbody>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;">
<p style="padding: 0px 0 20px 0; margin: 0px; font-weight: bold;">Dear
S</p>
<p style="padding: 0px 0 20px 0; margin: 0px;">Thank you for shopping
with us. You have ordered the <span style="color: #d35400; font-weight:
bold;">Apple Watch Series 6 Space Gray 44 mm GPS + Cellular</span></p>
<p style="padding: 0px 0 20px 0; margin: 0px;">In-case you require any
change in order or like to cancel we recommend giving us call
immediately at <strong><a style="color: #d35400; font-size: 25px;
text-decoration: none;"
href="tel:18006948073">1-800-694-8073</a></strong></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table style="background-color: #edecea;" border="0" width="100%"
cellspacing="1" cellpadding="20">
<tbody>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;" valign="top" width="70%">
<p style="padding: 0; margin: 0px; font-weight: bold;">Arriving:</p>
<p style="padding: 0; margin: 0px; color: #2ecc71; font-weight:
bold;">Friday, Apr 23</p>
<p style="padding: 0; margin: 0px;">signature is required at
delivery</p>
</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;" valign="top">
<p style="padding: 0; margin: 0px; font-weight: bold;">Shipping
Address:</p>
<p style="padding: 0; margin: 0px; color: #2980b9; font-weight:
bold;">288, Star Route</p>
<p style="padding: 0; margin: 0px; color: #2980b9; font-weight:
bold;">Chicago, IL, 60626</p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="0" width="100%" cellspacing="0" cellpadding="20">
<tbody>
<tr>
<td>
<table style="width: 100%;">
<tbody>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 14px;
color: #000;" width="50%">Brand</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 14px;
color: #000;" width="50%">Apple</td>
</tr>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 14px;
color: #000;" width="50%">Color</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 14px;
color: #000;" width="50%">Black</td>
</tr>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 14px;
color: #000;" width="50%">Model Name</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 14px;
color: #000;" width="50%">Apple Watch Series 6 Space Gray 44 mm GPS +
Cellular</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td style="padding: 20px;">
<table border="0" width="100%" cellspacing="1" cellpadding="0">
<tbody>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;" valign="top" width="50%">Item Sub Total</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000; font-weight: bold;" valign="top" width="50%">$589.0</td>
</tr>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;" valign="top" width="50%">Taxes</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000; font-weight: bold;" valign="top" width="50%">$47.12</td>
</tr>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;" valign="top" width="50%">Shipping &amp; Handling
Charges</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #000;" valign="top" width="50%">FREE</td>
</tr>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #d35400; font-weight: bold; padding-top: 15px;" valign="top"
width="50%">Order Total</td>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
color: #d35400; font-weight: bold; padding-top: 15px;" valign="top"
width="50%">$636.12</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="0" width="100%" cellspacing="1" cellpadding="20">
<tbody>
<tr>
<td style="font-family: Arial,Helvetica,sans-serif; font-size: 16px;
text-align: center;" valign="top">
<p style="padding: 0; margin: 0;">For any support call us at our
Toll-free Number: <a style="color: #d35400; font-size: 25px;
text-decoration: none; font-weight: bold;"
href="tel:18006948073">1-800-694-8073</a></p>
<p style="text-align: center; border-top: 1px solid #EDECEA; padding:
20px 0 0 0; margin: 0; font-size: 13px;">This email was sent from a
customer service address kindly write us back if you have any concern.
<a
href="https://go.pardot.com/unsubscribe/u/272832/9445773a5f7e92b64a4b106d30d12be4ec08e6d19850125ed1a094fe7f00100f/734801457"
target="_blank">Click here to Unsubscribe</a></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</body>
</html>
--===============2707982310301423984==--



My SA score:

Spam detection software, running on the system "email.dondley.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hello there, S! This is a test template...
List-Unsubscribe


Content analysis details: (1.1 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
-0.0 BAYES_20                   BODY: Bayes spam probability is 5 to 20%
                                [score: 0.1335]
-0.0 RCVD_IN_DNSWL_NONE         RBL: Sender listed at https://www.dnswl.org/, no trust
                                [209.85.216.54 listed in list.dnswl.org]
 0.0 RCVD_IN_MSPIKE_H3          RBL: Good reputation (+3)
                                [209.85.216.54 listed in wl.mailspike.net]
 0.0 SPF_HELO_NONE              SPF: HELO does not publish an SPF Record
 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit
                                (gk5751735[at]gmail.com)
-0.0 SPF_PASS                   SPF: sender matches SPF record
 0.0 FREEMAIL_FROM              Sender email is commonly abused enduser mail provider
                                (gk5751735[at]gmail.com)
 0.1 MIME_HTML_MOSTLY           BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE               BODY: HTML included in message
-0.1 DKIM_VALID_AU              Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID_EF              Message has a valid DKIM or DK signature from envelope-from domain
-0.1 DKIM_VALID                 Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED                Message has a DKIM or DK signature, not necessarily valid
 0.9 NAME_EMAIL_DIFF            Sender NAME is an unrelated email address
 0.0 GB_FROM_NAME_FREEMAIL      Freemail spear phish with free mail
 0.0 RCVD_IN_MSPIKE_WL          Mailspike good senders
And how the hell is google letting this crap flow out of its email
service, anyway?
Re: Spoofed amazon order email
On Friday 16 April 2021 at 17:10:14, Steve Dondley wrote:

> First, thanks to everyone on the list who has given me a hand over the
> past couple of weeks as I get my "sea legs" with spamassassin. It's
> working well for me now but I obviously still have more to learn.
>
> For one, I'm still uncertain on the best way to fine tune SA to beat
> back some tricky spam. Like this one that comes from a gmail account but
> spoofs a fake, expensive order on amazon to try to phish the user.

Not an answer to your question, but a piece of advice about asking questions
like this:

Don't paste the (suspect) spam email into what you post to the list:

1. The formatting may get corrupted either by your sending mail client or by
recipients' mail clients, making it hard to read accurately

2. Many people on this list run spam filters (!) meaning that your posting may
not reach them at all, because of its content

Far better to put the suspect mail onto pastebin.com or similar and then
provide a link to that on this list.

Regards,


Antony.

--
Heisenberg, Gödel, and Chomsky walk in to a bar.
Heisenberg says, "Clearly this is a joke, but how can we work out if it's
funny or not?"
Gödel replies, "We can't know that because we're inside the joke."
Chomsky says, "Of course it's funny. You're just saying it wrong."

Please reply to the list;
please *don't* CC me.
Re: Spoofed amazon order email
My advice

realize that you can't block everything

set up TXREP, including outgoing processing

wait until after you have a week of TXREP data because that will
improve scores of legit mail enough, for the most part, that the
tweaks below and the more aggressive scores from KAM will not hurt. I
had misfiling (technically not given the 5.0 points doctrine) from
some of the KAM rules. But with TXREP, they don't cause problems.

tweak scores up on rules that hit on this mail, like NAME_EMAIL_DIFF,
GB_FROM_NAME_FREEMAIL, FREEMAIL_FROM, and FREEMAIL_ENVFROM_END_DIGIT

Use the KAM rules, and then be prepared to maybe downweight some if
they cause you issues (e.g. KAM_UNIV at 4.5 is too aggressive for me
as a single rule that has fired on ham, but I'm ok with 3). But with
TXREP trained a little, I'd be surprised if you see real problems.

Probably not for normals, score up MPART_ALT_DIFF because nobody
should be sending mail with a text/plain part that is not semantically
equivalent to the html.


It may be controversial to score up freemail. But I find that if it's
not somebody I correspond with (TXREP helps here), the probability
of mail from gmail being spam is pretty high. I don't mean that gmail
emits mostly spam - just that after you set aside mail from people you
deal with, the ratio of "legit mail from a previously unknown
correspondent" to "spam" is not that high.

And I find gmail being in H3 to be wrong, but not my BL to run :-)
This is a difference in view between "very little of the mail is spam"
and "very little of the previously-unknown sender mail is spam".
Re: Spoofed amazon order email
Hi Steve,

As Antony just reported, post these spamples to something like
pastebin.com then provide a link so we can view the raw email.

> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on

This is the first issue I see - you're likely missing a lot of
additional features of later versions, as well as regular updates.

> From: "order@amazon.com" <gk5751735@gmail.com>

I believe this mismatch would also be caught with later versions.

> -0.0 BAYES_20               BODY: Bayes spam probability is 5 to 20%

This is the other big issue - you need to train these to recognize this
as spam/phishing. You can also go through your quarantine to find spam
that hasn't been properly trained to use as a corpus.

> And how the hell is google letting this crap flow out of its email
> service, anyway?

Because they're in the email business, not the email security business.

Go here and make sure you're using the KAM channel (as well as the
regular sa-updates channel).
https://mcgrail.com/template/kam.cf_channel

Best,
Dave
Re: Spoofed amazon order email
On Friday 16 April 2021 at 17:26:40, Dave Wreski wrote:

> > And how the hell is google letting this crap flow out of its email
> > service, anyway?
>
> Because they're in the email business, not the email security business.

I would add that Google do spam filtering on *inbound* mail, because that means
they can tell their users (customers) that Google is protecting them.

For *outbound* email going to the rest of the world, that's their (rest of
world) lookout.


Antony.

--
I thought I had type A blood, but it turned out to be a typo.

Please reply to the list;
please *don't* CC me.
Re: Spoofed amazon order email
On 2021-04-16 17:10, Steve Dondley wrote:

> From: "order@amazon.com" <gk5751735@gmail.com>
> X-Google-Original-From: "order@amazon.com" <order@amazon.com>

wow, Google accepts it

# subrules (__ prefix) so that only the meta scores; From:name and
# From:addr are the SA header selectors, and =~ is the match operator
header __LOCAL_AMAZON From:name =~ /\@amazon\.com$/i
header __LOCAL_GMAIL From:addr =~ /\@gmail\.com$/i

meta LOCAL_SPOOFED (__LOCAL_AMAZON && __LOCAL_GMAIL)

untested, but just written as I remember how to :=)

the X-Google-Original-From is silly to accept

I bet there is no real name in this world that includes an @
Re: Spoofed amazon order email
On Fri, 16 Apr 2021, Steve Dondley wrote:

> First, thanks to everyone on the list who has given me a hand over the past
> couple of weeks as I get my "sea legs" with spamassassin. It's working well
> for me now but I obviously still have more to learn.
>
> For one, I'm still uncertain on the best way to fine tune SA to beat back
> some tricky spam. Like this one that comes from a gmail account but spoofs a
> fake, expensive order on amazon to try to phish the user.


This is telling:

From: "order@amazon.com" <gk5751735@gmail.com>

...and it's detected:

0.9 NAME_EMAIL_DIFF Sender NAME is an unrelated email address

...but the score is low due to that happening a lot in legit email, so we
need tighter focus.

I'll add this to my sandbox and see how it does:

header __FROM_NAME_AMAZONCOM From:name =~ /\bamazon\.com\b/i
meta POSSIBLE_AMAZON_PHISH_01 (__FROM_NAME_AMAZONCOM && NAME_EMAIL_DIFF)
meta POSSIBLE_AMAZON_PHISH_02 (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON)

You are welcome to add it to your local config. Potentially other
variations would be useful.

-0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%

Train your Bayes...

What is this?

0.0 GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail

Is that local? If not, you might want to increase the score on that a bit.
Giovanni, is that something of yours that's not in your SA sandbox?



--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our politicians should bear in mind the fact that
the American Revolution was touched off by the then-current
government attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
3 days until the 246th anniversary of The Shot Heard 'Round The World
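The display-name check that both the LOCAL_* rules a few posts up and the __FROM_NAME_AMAZONCOM metas above reach for, written out in Python as an added example rather than SpamAssassin rule syntax (it is not code from this thread or from the SpamAssassin project). The phish headers are the ones posted at the top of the thread; the genuine-looking message, its relay hostname mail.amazon.com and the 192.0.2.10 address are constructed for the test, and received_via_domain is an assumed stand-in for __HDR_RCVD_AMAZON, which the post names but does not define here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Something shaped like an e-mail address sitting inside a display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")


def split_from(from_value):
    """Return (display_name, address, address_domain) for a From: value."""
    name, addr = parseaddr(from_value)
    return name, addr, addr.rpartition("@")[2].lower()


def name_email_diff(from_value):
    """NAME_EMAIL_DIFF idea: the display name carries an address whose
    domain is not the domain of the real sender address."""
    name, _, real_domain = split_from(from_value)
    hit = ADDR_IN_NAME.search(name)
    if hit is None:
        return False
    return hit.group(0).rpartition("@")[2].lower() != real_domain


def name_claims_domain(from_value, brand_domain):
    """__FROM_NAME_AMAZONCOM generalised to any brand: the display name
    mentions the brand domain as a whole word (same word bounds as the rule)."""
    name, _, _ = split_from(from_value)
    return re.search(r"\b" + re.escape(brand_domain) + r"\b", name, re.I) is not None


def received_via_domain(msg, brand_domain):
    """Assumed stand-in for __HDR_RCVD_AMAZON: does any Received: hop
    mention the brand domain?"""
    pat = re.compile(r"\b" + re.escape(brand_domain) + r"\b", re.I)
    return any(pat.search(hop) for hop in msg.get_all("Received", []))


def brand_phish_checks(raw_message, brand_domain="amazon.com"):
    """Evaluate the three checks; keys mirror the rule names in the thread."""
    msg = message_from_string(raw_message)
    from_value = msg.get("From", "")
    claims = name_claims_domain(from_value, brand_domain)
    diff = name_email_diff(from_value)
    return {
        "NAME_EMAIL_DIFF": diff,
        "POSSIBLE_BRAND_PHISH_01": claims and diff,
        "POSSIBLE_BRAND_PHISH_02": claims and not received_via_domain(msg, brand_domain),
    }


# Headers of the message posted at the top of the thread (body omitted).
PHISH = """\
Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54])
 by email.dondley.com (Postfix) with ESMTPS id 9DFB9210C1
 for <s@dondley.com>; Fri, 16 Apr 2021 10:37:53 -0400 (EDT)
From: "order@amazon.com" <gk5751735@gmail.com>
X-Google-Original-From: "order@amazon.com" <order@amazon.com>
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
To: s@dondley.com

"""

# Constructed stand-in for a genuine notification: brand in the display
# name, but the address and the relay (hostname and IP are made up) are
# the brand's own.
LEGIT = """\
Received: from mail.amazon.com (mail.amazon.com [192.0.2.10])
 by mx.example.net (Postfix) with ESMTPS id 0123456789
 for <s@example.net>; Fri, 16 Apr 2021 10:00:00 -0400 (EDT)
From: "Amazon.com" <auto-confirm@amazon.com>
Subject: Your Amazon.com order #114-2489974-7888243
To: s@example.net

"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, brand_phish_checks(raw))
```

On the posted phish all three checks fire; on the constructed genuine message none do, because the display name "Amazon.com" contains no @ and the relay chain names the brand domain. The second check is the one worth the bigger score: a brand name in the display name with no hop from that brand is hard for a legitimate sender to trigger, while NAME_EMAIL_DIFF alone is hit by a lot of ham, as the thread notes.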
Re: Spoofed amazon order email
On Fri, 16 Apr 2021 11:25:19 -0400
Greg Troxel wrote:

> Probably not for normals, score up MPART_ALT_DIFF because nobody
> should be sending mail with a text/plain part that is not
> semantically equivalent to the html.

Unfortunately it's quite common.
Re: Spoofed amazon order email
While I haven't received a forged Amazon order email in this exact form,
there is all kinds of stuff here that could be caught with appropriate
rules.

"In-case you require any
change in order or like to cancel we recommend giving us call
immediately at "

"In-case" is unlikely in mail, there should be no dash there.
"giving us call" is missing "a" and is bad grammar, but typical of
non-English speaking spam.
"In case you require any change in order" is also poor phrasing.
The whole "call us immediately to change your order" concept rates 3 points
on my mail system.
No phrase of any similar sort appears in a real Amazon order confirmation.


An actual Amazon order has a subject of the form

Subject: Your Amazon.com order #114-2489974-7888243

The Subject here is

Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed

The order number is in the wrong format.
The order number is in the wrong place in the subject text
The subject text is in the wrong format.


An actual Amazon order confirmation has the headers, in this order:

From: "Amazon.com" <auto-confirm@amazon.com>
Reply-To: no-reply@amazon.com
To: <target>
Message-ID: <010001774af541dc-d38f4184-621e-4014-a295-c520285ae319-000000@email.amazonses.com>
Subject: Your Amazon.com order #114-2489974-7888242

This mail has

From: "order@amazon.com" <gk5751735@gmail.com>
X-Google-Original-From: "order@amazon.com" <order@amazon.com>
Content-Type: multipart/alternative;
boundary="===============2707982310301423984=="
MIME-Version: 1.0
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
To: s@dondley.com

The header order is completely different.
There is no Reply-To header
The From address is completely wrong.
There should be no X-Google-* headers.


There should also be a header:

X-AMAZON-MAIL-RELAY-TYPE: notification

A real Amazon order receipt has Content-Type = multipart/alternative, but it
only contains a text/plain part encoded in QP, with no HTML part. This
message has an HTML part and should be getting MPART_ALT_DIFF.



"This email was sent from a
customer service address kindly write us back if you have any concern. "

This is bad grammar and a very unlikely form of robot sending account
notice. A real Amazon order contains

"This email was sent from a notification-only address that cannot accept
incoming email. Please do not reply to this message."

This is a very standard phrasing for this sort of notice.


A real Amazon order confirmation does not contain an "unsubscribe" link.
This phish does.


There is a lot of other stuff that could be caught by various rules, but a
trivial set would be something like

#-----------------------------------------------------------------------------------
# 04/16/2021
# A bunch of rules to try to catch fake Amazon order confirmations, based on a
# message pasted to the SA Users list.

header __LW_SUB_AMZ_ORDER Subject =~ /^Your Amazon\.com order \#\d{3}-\d{7}-\d{7}\s*$/
header __LW_FROM_AMZ_ORDER From =~ /\"Amazon\.com\"\s+<auto-confirm\@amazon\.com>/
header __LW_REP_AMZ_ORDER Reply-To =~ /^no-reply\@amazon\.com\s*$/
body __LW_BODY_AMZ_ORDER /Amazon\.com Order Confirmation/

meta LW_REAL_AMZ_ORDER (__LW_SUB_AMZ_ORDER && __LW_FROM_AMZ_ORDER && __LW_REP_AMZ_ORDER && __LW_BODY_AMZ_ORDER)
score LW_REAL_AMZ_ORDER -2
describe LW_REAL_AMZ_ORDER Amazon order confirmation

header __LW_FROM_AMZ From =~ /\bamazon\b/i
header __LW_SUB_ORDER Subject =~ /\border\b/i

meta LW_FAKE_AMZ_ORDER (__LW_FROM_AMZ && __LW_SUB_ORDER && !LW_REAL_AMZ_ORDER)
score LW_FAKE_AMZ_ORDER 7
describe LW_FAKE_AMZ_ORDER Amazon order phish

You might also like

body LW_PAYMENT /You\s+sent\s+a\s+Payment\s+of/i
score LW_PAYMENT 0.5
describe LW_PAYMENT You sent someone a payment

body LW_ORDER /\b(?:order|purchase)\s+(?:number|ID|date|description)\b/i
score LW_ORDER 0.5
describe LW_ORDER Contains order information
meta LW_FREEMAIL_ORDER FREEMAIL_FROM && (LW_ORDER || LW_PAYMENT)
score LW_FREEMAIL_ORDER 4
describe LW_FREEMAIL_ORDER An order receipt from a free email address
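To see what the LW_* rule set above actually scores before it goes into local.cf, here is the same logic as a small Python evaluator. This is an added example, not code from the post or from SpamAssassin. The regexes are the ones in the post, transcribed unchanged; FREEMAIL_FROM is approximated by a short fixed domain list instead of the FreeMail plugin, and HTML parts have their tags stripped rather than rendered, both of which are simplifications. The two sample messages are constructed input: the phish is cut down from the message posted in the thread, the genuine one follows the header and subject shape the post describes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html import unescape

# Simplification: the FreeMail plugin keeps a far longer list than this.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Header rules from the post: name -> (header, regex). Names starting with
# __ are subrules and never score on their own.
HEADER_RULES = {
    "__LW_SUB_AMZ_ORDER": ("Subject", re.compile(r"^Your Amazon\.com order #\d{3}-\d{7}-\d{7}\s*$")),
    "__LW_FROM_AMZ_ORDER": ("From", re.compile(r'"Amazon\.com"\s+<auto-confirm@amazon\.com>')),
    "__LW_REP_AMZ_ORDER": ("Reply-To", re.compile(r"^no-reply@amazon\.com\s*$")),
    "__LW_FROM_AMZ": ("From", re.compile(r"\bamazon\b", re.I)),
    "__LW_SUB_ORDER": ("Subject", re.compile(r"\border\b", re.I)),
}
BODY_RULES = {
    "__LW_BODY_AMZ_ORDER": re.compile(r"Amazon\.com Order Confirmation"),
    "LW_PAYMENT": re.compile(r"You\s+sent\s+a\s+Payment\s+of", re.I),
    "LW_ORDER": re.compile(r"\b(?:order|purchase)\s+(?:number|ID|date|description)\b", re.I),
}
# Meta rules, in dependency order so each can read the ones before it.
META_RULES = [
    ("LW_REAL_AMZ_ORDER", lambda h: h["__LW_SUB_AMZ_ORDER"] and h["__LW_FROM_AMZ_ORDER"]
     and h["__LW_REP_AMZ_ORDER"] and h["__LW_BODY_AMZ_ORDER"]),
    ("LW_FAKE_AMZ_ORDER", lambda h: h["__LW_FROM_AMZ"] and h["__LW_SUB_ORDER"]
     and not h["LW_REAL_AMZ_ORDER"]),
    ("LW_FREEMAIL_ORDER", lambda h: h["FREEMAIL_FROM"] and (h["LW_ORDER"] or h["LW_PAYMENT"])),
]
SCORES = {"LW_REAL_AMZ_ORDER": -2.0, "LW_FAKE_AMZ_ORDER": 7.0, "LW_PAYMENT": 0.5,
          "LW_ORDER": 0.5, "LW_FREEMAIL_ORDER": 4.0, "FREEMAIL_FROM": 0.0}


def body_text(msg):
    """Join every text/plain and text/html part; HTML is tag-stripped, not rendered."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "us-ascii", "replace")
        if ctype == "text/html":
            text = unescape(re.sub(r"<[^>]+>", " ", text))
        chunks.append(text)
    return "\n".join(chunks)


def evaluate(raw_message):
    """Return (total_score, {rule_name: hit}) for one message."""
    msg = message_from_string(raw_message)
    hits = {}
    for name, (header, rx) in HEADER_RULES.items():
        hits[name] = rx.search(msg.get(header, "")) is not None
    body = body_text(msg)
    for name, rx in BODY_RULES.items():
        hits[name] = rx.search(body) is not None
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hits["FREEMAIL_FROM"] = sender_domain in FREEMAIL_DOMAINS
    for name, cond in META_RULES:
        hits[name] = bool(cond(hits))
    total = sum(SCORES[n] for n, hit in hits.items() if hit and not n.startswith("__"))
    return total, hits


# Constructed: the posted phish with its HTML trimmed to a few lines.
PHISH = """\
From: "order@amazon.com" <gk5751735@gmail.com>
To: s@dondley.com
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello there, S!

This is a test template...

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>ORDER NUMBER</p><p># IVK-1250703-9254770</p>
<p>Thank you for shopping with us. You have ordered the Apple Watch Series 6</p>
<p>call us immediately at <a href="tel:18006948073">1-800-694-8073</a></p>
</body></html>
--b1--
"""

# Constructed: a message with the genuine header and subject shape.
GENUINE = """\
From: "Amazon.com" <auto-confirm@amazon.com>
Reply-To: no-reply@amazon.com
To: s@example.net
Subject: Your Amazon.com order #114-2489974-7888243
Content-Type: text/plain; charset="us-ascii"

Amazon.com Order Confirmation
Order #114-2489974-7888243
Order Total: $23.99
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("genuine", GENUINE)):
        total, hits = evaluate(raw)
        print(label, total, sorted(n for n, h in hits.items() if h))
```

The phish collects LW_FAKE_AMZ_ORDER (7), LW_ORDER (0.5, from "ORDER NUMBER" in the HTML) and LW_FREEMAIL_ORDER (4) for 11.5, while the genuine-shaped message hits LW_REAL_AMZ_ORDER and nets -2. Worth keeping in mind when copying this into local.cf: LW_REAL_AMZ_ORDER is a negative-score rule keyed on forgeable headers, so pair it with DKIM_VALID_AU or a Received check before relying on it as a whitelist.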
Re: Spoofed amazon order email
On Fri, 16 Apr 2021, RW wrote:

> On Fri, 16 Apr 2021 11:25:19 -0400
> Greg Troxel wrote:
>
>> Probably not for normals, score up MPART_ALT_DIFF because nobody
>> should be sending mail with a text/plain part that is not
>> semantically equivalent to the html.
>
> Unfortunately it's quite common.

+1 {fume}

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Spoofed amazon order email
On 16 Apr 2021, at 16:03, John Hardin <jhardin@impsec.org> wrote:
> header __FROM_NAME_AMAZONCOM From:name =~ /\bamazon\.com\b/i
> meta POSSIBLE_AMAZON_PHISH_01 (__FROM_NAME_AMAZONCOM && NAME_EMAIL_DIFF)
> meta POSSIBLE_AMAZON_PHISH_02 (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON)

It seems something like this should be built in for sites like amazon.com PayPal.com google.com apple.com citi.com, etc etc.

Not gmail. Of course, it would fail spectacularly if used for that, but for stores and banks and such, it seems like this is bloody obvious. Probably a score 0.01 for POSSIBLE_AMAZON_PHISH_01, but I don't see anything wrong with a killshot 5.0 for POSSIBLE_AMAZON_PHISH_02. (Not that I am testing it with a 5.0 score, but I sure expect to see a score around there).

--
Hamburgers. The cornerstone of any nutritious breakfast.
Re: Spoofed amazon order email
On 16 Apr 2021, at 16:16, RW <rwmaillists@googlemail.com> wrote:
> On Fri, 16 Apr 2021 11:25:19 -0400 Greg Troxel wrote:
>
>> Probably not for normals, score up MPART_ALT_DIFF because nobody
>> should be sending mail with a text/plain part that is not
>> semantically equivalent to the html.
>
> Unfortunately it's quite common.

Yep. Often the plain text part is just a URL to the page containing the html version of the attachment, and this is not a particularly good spam indicator, sadly. In fact, it might be a counter indicator.

--
I can't die, I haven't seen The Jolson Story
Re: Spoofed amazon order email
On 16 Apr 2021, at 11:25, Greg Troxel wrote:

> Probably not for normals, score up MPART_ALT_DIFF because nobody
> should be sending mail with a text/plain part that is not semantically
> equivalent to the html.

It seems like a bug that this message didn't match MPART_ALT_DIFF.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Spoofed amazon order email
On Fri, 16 Apr 2021 23:49:04 -0400
Bill Cole wrote:

> On 16 Apr 2021, at 11:25, Greg Troxel wrote:
>
> > Probably not for normals, score up MPART_ALT_DIFF because nobody
> > should be sending mail with a text/plain part that is not
> > semantically equivalent to the html.
>
> It seem like a bug that this message didn't match MPART_ALT_DIFF.

The way this works is a bit strange.

It counted the tokens in the rendered HTML and got 101. It then removed
tokens that occurred at least as many times in the plain text and
was left with 98, which is 98.03%.

The definition of the rule is

eval:multipart_alternative_difference('99','100')

which requires 99% to 100% of the HTML tokens to be missing from the
plain text. It's not far off requiring an empty plain text section.
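The token comparison described above, re-implemented in Python from that description as an added example (this is not SpamAssassin's Perl, and the tokeniser is an assumption: whitespace splitting after a crude tag strip, so the percentage it reports for the posted message will not be exactly 98.03%). The plain part below is the one from the posted phish; the HTML part is a cut-down version of it, constructed for the test.

```python
import re
from collections import Counter
from html import unescape


def render_html(html_part):
    """Crude rendering (assumption): drop tags, decode entities."""
    return unescape(re.sub(r"<[^>]+>", " ", html_part))


def alternative_difference(plain_part, html_part):
    """Percentage of rendered-HTML tokens the text/plain part fails to cover.

    As described above: count the tokens of the rendered HTML, remove every
    token that occurs at least as many times in the plain part, and report
    what remains as a percentage of the HTML total.
    """
    html_counts = Counter(render_html(html_part).split())
    plain_counts = Counter(plain_part.split())
    total = sum(html_counts.values())
    if total == 0:
        return 0.0
    leftover = sum(n for tok, n in html_counts.items() if plain_counts[tok] < n)
    return 100.0 * leftover / total


def mpart_alt_diff(plain_part, html_part, low=99.0, high=100.0):
    """The shipped rule: eval:multipart_alternative_difference('99','100')."""
    return low <= alternative_difference(plain_part, html_part) <= high


# The text/plain part of the posted phish, and a cut-down HTML part
# constructed from its rendered text.
PLAIN = "Hello there, S!\n\nThis is a test template...\n"
HTML = ("<html><body><p>Hello there, S!</p>"
        "<p>Thank you for shopping with us. You have ordered the "
        "Apple Watch Series 6</p></body></html>")

if __name__ == "__main__":
    for label, plain in (("posted plain part", PLAIN),
                         ("empty plain part", ""),
                         ("plain part is just a URL", "https://example.com/view"),
                         ("faithful plain part", render_html(HTML))):
        pct = alternative_difference(plain, HTML)
        print(f"{label:26s} {pct:6.2f}%  MPART_ALT_DIFF={mpart_alt_diff(plain, HTML)}")
```

With the cut-down HTML the posted plain part shares three tokens ("Hello", "there,", "S!") out of 17, so the difference is about 82% and the rule stays silent, just as the real message stayed under 99. A plain part that is empty, or that is only a URL to the hosted version, scores 100% and fires; anything that copies even a greeting line from the HTML drops below the threshold. That is the "not far off requiring an empty plain text section" point in practice, and why scoring the rule up would not have caught this phish.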