sharepoint phish routed through sharepointonline/outlook
Hi,

X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
tests=[.BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled

I'm reporting it to spamcop and training bayes, but does anyone have any
other ideas?

Is this just someone using their sharepoint account to send a phish?
Perhaps account takeover?

https://pastebin.com/2CJ3SLf2
Re: sharepoint phish routed through sharepointonline/outlook
Alex skrev den 2023-01-15 20:47:
> Hi,
>
> X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> tests=[.BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1,
> DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1,
> RELAYCOUNTRY_US=0.01,
> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166]
> autolearn=disabled
>
> I'm reporting it to spamcop and training bayes, but does anyone have
> any other ideas?
>
> Is this just someone using their sharepoint account to send a phish?
> Perhaps account takeover?
>
> https://pastebin.com/2CJ3SLf2



Content analysis details: (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=no-reply%40sharepointonline.com;ip=199.199.178.197;r=localhost.junc.eu]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 ARC_VALID              Message has a valid ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict Alignment
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
 0.1 DMARC_REJECT           DMARC reject policy


It gets a neutral score since it's a mailing list of some kind imho?

Reject it by DKIM valid; one of the signers is valid, if not just ARC. If only ARC is, then set up the AuthRes plugin in SpamAssassin 4.x.x.

I don't know how, but I believe spammers die slowly in 2023.
Re: sharepoint phish routed through sharepointonline/outlook
RBL checks for FQDN not just domains would be a good idea...
Pedro.

> On Sunday, January 15, 2023 at 08:47:59 PM GMT+1, Alex <mysqlstudent@gmail.com> wrote:
>
> Hi,
>
> X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> tests=[.BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
>
> I'm reporting it to spamcop and training bayes, but does anyone have any other ideas?
> Is this just someone using their sharepoint account to send a phish? Perhaps account takeover?
> https://pastebin.com/2CJ3SLf2
Re: sharepoint phish routed through sharepointonline/outlook
Hello All,

> RBL checks for FQDN not just domains would be a good idea...

> >X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> >tests=[.BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> >DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> >FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> >LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> >LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> >RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> >RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
> >SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled

I assume you are not running SA4. That does this. (And the sharepoint
domain you have in your mail is listed on SURBL.... )

uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org
has address 127.0.0.64

Meaning it's listed in ABUSE.

Thanks! Raymond
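As an added example (not code from the thread, from SpamAssassin or from SURBL), the following Python builds the lookup names an FQDN-aware URI check would issue against multi.surbl.org for the host in the thread, and decodes the 127.0.0.64 answer Raymond reported. The thread only confirms that bit 64 means ABUSE; the other bit values follow SURBL's published list for the multi zone and are an assumption here. The sample URL path and the canned answer table are constructed, so no DNS query is made and the code runs offline.

```python
"""Decode a multi.surbl.org answer and build the query names an FQDN-aware
URI check would issue for a URL seen in a message body (added example)."""
from __future__ import annotations
from urllib.parse import urlparse

# Bit values of the multi.surbl.org combined list. The thread confirms only
# 64 = ABUSE; the remaining entries are SURBL's documented assignments and
# are an assumption of this example.
SURBL_BITS = {
    8: "PH",      # phishing
    16: "MW",     # malware
    64: "ABUSE",  # abused legitimate services (the hit in the thread)
    128: "CR",    # cracked sites
}

def decode_surbl(answer: str) -> list[str]:
    """Map a 127.0.0.N answer to the names of the sub-lists whose bits are set."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a SURBL answer: {answer!r}")
    mask = int(octets[3])
    return [name for bit, name in SURBL_BITS.items() if mask & bit]

def registered_domain(host: str) -> str:
    """Crude two-label fallback; a real checker consults the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def surbl_query_names(url: str, zone: str = "multi.surbl.org") -> list[str]:
    """Lookup names for the full hostname first, then the registered domain.
    A shared-hosting domain such as sharepoint.com is not listed, but the
    tenant-specific FQDN is, so a checker that only queries the registered
    domain misses the hit (the point made in the thread)."""
    host = (urlparse(url).hostname or "").rstrip(".")
    names = [f"{host}.{zone}"]
    reg = registered_domain(host)
    if reg != host:
        names.append(f"{reg}.{zone}")
    return names

# Constructed sample: the FQDN from the thread with a placeholder path, and
# the listing result the thread reported. sharepoint.com itself has no entry.
SAMPLE_URL = "https://uniabujaedung-my.sharepoint.com/placeholder-path"
SAMPLE_ANSWERS = {
    "uniabujaedung-my.sharepoint.com.multi.surbl.org": "127.0.0.64",
}

def check_url(url: str, answers: dict[str, str] = SAMPLE_ANSWERS) -> dict[str, list[str]]:
    """Simulate the lookups against a canned answer table instead of DNS and
    return {query_name: [sub-lists]} for every name that was listed."""
    hits = {}
    for name in surbl_query_names(url):
        if name in answers:
            hits[name] = decode_surbl(answers[name])
    return hits

if __name__ == "__main__":
    for name, lists in check_url(SAMPLE_URL).items():
        print(name, "->", ", ".join(lists))
```

Swapping the canned table for a real resolver call is the only change needed to run it live; the ordering (FQDN before registered domain) is what makes the tenant-specific listing visible.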
Re: sharepoint phish routed through sharepointonline/outlook
Hi,

> RBL checks for FQDN not just domains would be a good idea...
>
...

>
> I assume you are not running SA4. That does this. (And the sharepoint
> domain you have in your mail is listed on SURBL.... )
>

Yes, I am running SA4 and have been for probably more than a year. What am
I doing wrong that RBL checks wouldn't be checking the FQDN?

> uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org
> has address 127.0.0.64
>
> Meaning it's listed in ABUSE.
>

I suspect then that I received it prior to it being listed there. Any way
to correlate those dates (if it's even worth it)?

> Thanks! Raymond
>

Thank you :-)
Re: sharepoint phish routed through sharepointonline/outlook
Hi!

> Yes, I am running SA4 and have been for probably more than a year. What
> am I doing wrong that RBL checks wouldn't be checking the FQDN?

Could be several reasons but will contact you offlist.

> uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org
> has address 127.0.0.64

> Meaning it's listed in ABUSE.
>
> I suspect then that I received it prior to it being listed there. Any
> way to correlate those dates (if it's even worth it)?

And sure we can do that.

Thanks! Raymond
Re: sharepoint phish routed through sharepointonline/outlook
Message-Id: <odspmicro-Share-4b8d8ca0-90e0-6000-0144-913b0eedffcf-56ad3112-ea16-4350-a633-caf11bb97baf-4124a7b4-04ed-467a-986a-6c6468a46df1@DAEB5AAE0CFE>

Read RFC 822, pp. 44-46.

If your answer is that the latest RFC allows for it, then my reply is: my mail, my rules, so I apply the most stringent rules.

-------- Original Message --------
On 15 Jan 2023, 20:47, Alex wrote:

> Hi,
>
> X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
> tests=[.BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
> FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
> LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
> RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
>
> I'm reporting it to spamcop and training bayes, but does anyone have any other ideas?
>
> Is this just someone using their sharepoint account to send a phish? Perhaps account takeover?
>
> https://pastebin.com/2CJ3SLf2
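As an added example (not the poster's code or SpamAssassin's), the following Python checks a Message-ID against the RFC 822 addr-spec shape (`<local-part@domain>`) and then applies the stricter local policy the poster describes: the right-hand side must be a dotted host name, not a bare label such as the `DAEB5AAE0CFE` in the thread. Reading "most stringent rules" as that dotted-name requirement is an assumption of this example; RFC 822's grammar itself also admits a single label or a domain literal, which is why the check reports syntax and policy failures separately. The well-formed sample IDs are constructed.

```python
"""Validate a Message-ID header: RFC 822 addr-spec syntax, then a stricter
local policy requiring a dotted host name on the right (added example)."""
from __future__ import annotations
import re

# Host-name labels: letters, digits, hyphen, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOTTED_FQDN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
# Dot-atom text (atoms joined by dots); quoted-string local parts are not handled.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")
# Domain literal such as [192.0.2.1], which the RFC grammar allows on the right.
_DOMAIN_LITERAL = re.compile(r"^\[[^\]\\]*\]$")

def parse_message_id(value: str) -> tuple[str, str]:
    """Split '<left@right>' into its two sides, raising ValueError on any
    departure from the addr-spec shape."""
    v = value.strip()
    if not (v.startswith("<") and v.endswith(">")):
        raise ValueError("Message-ID must be enclosed in angle brackets")
    body = v[1:-1]
    if body.count("@") != 1:
        raise ValueError("Message-ID must contain exactly one '@'")
    left, right = body.split("@")
    if not _DOT_ATOM.match(left):
        raise ValueError(f"left side is not a dot-atom: {left!r}")
    if not (_DOT_ATOM.match(right) or _DOMAIN_LITERAL.match(right)):
        raise ValueError(f"right side is not a domain: {right!r}")
    return left, right

def message_id_policy(value: str, strict: bool = True) -> tuple[bool, str]:
    """Return (accept, reason). With strict=True the right side must be a
    dotted host name; this is the assumed reading of the poster's
    'most stringent rules', not something the RFC grammar itself requires."""
    try:
        left, right = parse_message_id(value)
    except ValueError as e:
        return False, f"syntax: {e}"
    if strict and not _DOTTED_FQDN.match(right):
        return False, f"policy: right side {right!r} is not a dotted host name"
    return True, "ok"

# The Message-ID quoted in the thread: syntactically an addr-spec, but the
# right side is a bare hex label with no dot.
THREAD_MSGID = ("<odspmicro-Share-4b8d8ca0-90e0-6000-0144-913b0eedffcf-56ad3112-"
                "ea16-4350-a633-caf11bb97baf-4124a7b4-04ed-467a-986a-6c6468a46df1"
                "@DAEB5AAE0CFE>")
# Constructed well-formed sample for comparison.
GOOD_MSGID = "<20230115204759.12345@mail.example.com>"

if __name__ == "__main__":
    for mid in (THREAD_MSGID, GOOD_MSGID, "<abc@[192.0.2.1]>", "no-brackets@example.com"):
        ok, why = message_id_policy(mid)
        print(("accept" if ok else "reject"), why, mid[:40] + ("..." if len(mid) > 40 else ""))
```

Keeping the RFC syntax check and the local policy as separate verdicts matters in practice: a rule that scores "policy" rejections is a site choice, while a "syntax" rejection points at a header the sending software produced incorrectly.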