Mailing List Archive

Phishing from domain present in USER_IN_DEF_SPF_WL
Hi,

we just received phishing spam (Postfinance) from zendesk.com

This domain is present in 60_welcomelist_auth.cf for the rule
USER_IN_DEF_SPF_WL

Can you remove this domain (temporarily or permanently) in the next update?

Received: from outbyoip4.pod19.use1.zdsys.com
(outbyoip4.pod19.use1.zdsys.com [192.161.149.4])
     (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NO)
     for <xxxxx>; Tue, 23 May 2023 17:26:00 +0200
Authentication-Results: dmarc=none (p=none dis=none)
header.from=atlys.zendesk.com
Authentication-Results: spf=pass smtp.mailfrom=atlys.zendesk.com
Authentication-Results:
     dkim=pass (2048-bit key) header.d=zendesk.com
header.i=@zendesk.com header.b="Se7nuDiy"
Received: from zendesk.com (unknown [10.219.24.95])
     by outbyoip4.pod19.use1.zdsys.com (Postfix) with ESMTP id xxxxxxxxx
     for <xxxxxx>; Tue, 23 May 2023 15:25:58 +0000 (UTC)
Date: Tue, 23 May 2023 15:25:58 +0000
From: "??stfin?n?? (GmbH)" <support@atlys.zendesk.com>
Reply-To: "??stfin?n?? (GmbH)" <support+id55728@atlys.zendesk.com>
To: xxxxx <xxxxxx>
Message-ID: <6X2430xxxxxxx_sprut@zendesk.com>
In-Reply-To: <6X2430xxxxxx@zendesk.com>
Subject: Wichtig: Aktualisieren Sie Ihr ??stfin?n??-Konto
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_646cdb0667952_4c4a9c38871";
charset=utf-8
Content-Transfer-Encoding: 7bit
X-Delivery-Context: automatic-answer-1689173234243234
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: 83f40dd
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com;
q=dns/txt; s=zendesk2; t=1684855558;
bh=hZXuEvY/OemVRfx2BSZkm7AF9OUMlXdBZZugXDZhHF0=;

...


Thierry
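The reported headers explain the hit on their own: the From: address support@atlys.zendesk.com matches the default entry `*@*.zendesk.com` (the inner `*` covers every Zendesk tenant subdomain) and the message carries spf=pass for smtp.mailfrom=atlys.zendesk.com, so USER_IN_DEF_SPF_WL applies. The following is an added example, not SpamAssassin code and not something from the thread: a simplified model of the welcomelist_auth SPF path run over a constructed copy of the quoted headers (display name replaced, subject shortened). Glob semantics follow SpamAssassin's address lists (`*` any run of characters, `?` one character, whole-address match); the requirement that the SPF-checked smtp.mailfrom domain equal the From: domain or a subdomain of it is a simplifying assumption of this example, and the function names `glob_to_re`, `auth_results` and `welcomelist_auth_hits` are its own.

```python
"""Why USER_IN_DEF_SPF_WL fired on the reported message.

Added example, not SpamAssassin code. It models the part of the
welcomelist_auth check that matters here: the From: address is matched
against a glob such as `*@*.zendesk.com`, and the message must carry an
SPF pass. The extra condition that the smtp.mailfrom domain equal the
From: domain or a subdomain of it is an assumption made for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample: headers condensed from the report, display name replaced.
REPORTED_HEADERS = """\
Authentication-Results: dmarc=none (p=none dis=none) header.from=atlys.zendesk.com
Authentication-Results: spf=pass smtp.mailfrom=atlys.zendesk.com
Authentication-Results: dkim=pass (2048-bit key) header.d=zendesk.com header.i=@zendesk.com
From: "Brand (GmbH)" <support@atlys.zendesk.com>
Reply-To: "Brand (GmbH)" <support+id55728@atlys.zendesk.com>
Subject: Wichtig: Aktualisieren Sie Ihr Konto

"""

# Neighbouring entries of 60_welcomelist_auth.cf as shown in the diff, before and after.
DEF_WELCOMELIST_BEFORE = ["*@*.trulia.com", "*@*.rentalcars.com",
                          "*@recommendedjobs.com", "*@*.zendesk.com"]
DEF_WELCOMELIST_AFTER = [p for p in DEF_WELCOMELIST_BEFORE if p != "*@*.zendesk.com"]


def glob_to_re(pattern: str) -> "re.Pattern[str]":
    """Turn a welcomelist glob into an anchored, case-insensitive regex:
    quote everything, then '*' -> '.*' and '?' -> '.'."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


def auth_results(msg: Message) -> dict:
    """Collect method results and identities from Authentication-Results
    headers (a deliberately small subset of RFC 8601 parsing)."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", hdr)
            if m:
                found[method] = m.group(1).lower()
        for prop in ("smtp.mailfrom", "header.d", "header.from"):
            m = re.search(rf"{re.escape(prop)}=([^\s;]+)", hdr)
            if m:
                found[prop] = m.group(1).lower()
    return found


def same_or_subdomain(child: str, parent: str) -> bool:
    child, parent = child.lower(), parent.lower()
    return child == parent or child.endswith("." + parent)


def welcomelist_auth_hits(raw: str, welcomelist, unwelcomelist=()) -> list:
    """Return the welcomelist_auth patterns that would credit this message
    via the SPF path; USER_IN_DEF_SPF_WL fires when the list is non-empty."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    ar = auth_results(msg)
    if ar.get("spf") != "pass":
        return []
    # smtp.mailfrom may be a full address or a bare domain; keep the domain part.
    mailfrom_domain = ar.get("smtp.mailfrom", "").rpartition("@")[2]
    if not same_or_subdomain(mailfrom_domain, from_domain):  # assumption, see docstring
        return []
    if any(glob_to_re(p).match(from_addr) for p in unwelcomelist):
        return []  # a local unwelcomelist_auth entry wins over the default list
    return [p for p in welcomelist if glob_to_re(p).match(from_addr)]


if __name__ == "__main__":
    print("before r1910021:", welcomelist_auth_hits(REPORTED_HEADERS, DEF_WELCOMELIST_BEFORE))
    print("after  r1910021:", welcomelist_auth_hits(REPORTED_HEADERS, DEF_WELCOMELIST_AFTER))
    print("local override :", welcomelist_auth_hits(REPORTED_HEADERS, DEF_WELCOMELIST_BEFORE,
                                                    unwelcomelist=["*@*.zendesk.com"]))
    # A single-level glob would never have credited a tenant subdomain.
    print("*@zendesk.com matches tenant?",
          bool(glob_to_re("*@zendesk.com").match("support@atlys.zendesk.com")))
```

Run stand-alone it reports the zendesk wildcard as the only hit before the rule change and no hit after it. Until an updated rule set reaches a site, the same effect comes from `unwelcomelist_auth *@*.zendesk.com` in local.cf (`unwhitelist_auth` on 3.4.x); the `unwelcomelist` argument above stands in for that directive.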
Re: Phishing from domain present in USER_IN_DEF_SPF_WL [ In reply to ]
On 2023-05-23 at 12:08:10 UTC-0400 (Tue, 23 May 2023 18:08:10 +0200)
Thierry <hosting@ezwww.ch>
is rumored to have said:

> Hi,
>
> we just received phishing spam (Postfinance) from zendesk.com
>
> This domain is present in 60_welcomelist_auth.cf for the rule USER_IN_DEF_SPF_WL
>
> Can you remove this domain (temporarily or permanently) in the next update?

Yes. I've also seen evidence of what looks like cross-tenant phishing from ZenDesk.


shiny:rules root# svn diff
Index: 60_welcomelist_auth.cf
===================================================================
--- 60_welcomelist_auth.cf (revision 1910020)
+++ 60_welcomelist_auth.cf (working copy)
@@ -439,7 +439,6 @@
def_welcomelist_auth *@*.trulia.com
def_welcomelist_auth *@*.rentalcars.com
def_welcomelist_auth *@recommendedjobs.com
-def_welcomelist_auth *@*.zendesk.com
def_welcomelist_auth *@*.advocareemail.com
def_welcomelist_auth *@*.plenti.com
def_welcomelist_auth *@*.amolatina.com
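Review bot: the removed `def_welcomelist_auth *@*.zendesk.com` is the entry whose inner wildcard let the atlys.zendesk.com tenant earn USER_IN_DEF_SPF_WL with a legitimate SPF pass, so dropping it is the right fix, but the commit message "Phish reported on user list from/via ZenDesk" does not record that the pattern covered every tenant subdomain; stating that in the log keeps the entry from being reinstated later, and sites that still want the credit for one known tenant can add a narrower local `welcomelist_auth *@<tenant>.zendesk.com` themselves.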
@@ -1417,7 +1416,6 @@
def_whitelist_auth *@*.trulia.com
def_whitelist_auth *@*.rentalcars.com
def_whitelist_auth *@recommendedjobs.com
-def_whitelist_auth *@*.zendesk.com
def_whitelist_auth *@*.advocareemail.com
def_whitelist_auth *@*.plenti.com
def_whitelist_auth *@*.amolatina.com
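Review bot: this second removal sits in the older `def_whitelist_auth` block near line 1417 and has to stay in lockstep with the `def_welcomelist_auth` block near line 439; since the file carries the same list twice, a `grep -n zendesk 60_welcomelist_auth.cf` returning nothing before the commit is the cheap check that no third copy still grants the credit.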
shiny:rules root# svn commit -m "Phish reported on user list from/via ZenDesk"
Authentication realm: <https://svn.apache.org:443> ASF Committers
Password for 'billcole': ***************

Sending 60_welcomelist_auth.cf
Transmitting file data .done
Committing transaction...
Committed revision 1910021.




>
> Received: from outbyoip4.pod19.use1.zdsys.com (outbyoip4.pod19.use1.zdsys.com [192.161.149.4])
>      (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
>      for <xxxxx>; Tue, 23 May 2023 17:26:00 +0200
> Authentication-Results: dmarc=none (p=none dis=none) header.from=atlys.zendesk.com
> Authentication-Results: spf=pass smtp.mailfrom=atlys.zendesk.com
> Authentication-Results:
>      dkim=pass (2048-bit key) header.d=zendesk.com header.i=@zendesk.com header.b="Se7nuDiy"
> Received: from zendesk.com (unknown [10.219.24.95])
>      by outbyoip4.pod19.use1.zdsys.com (Postfix) with ESMTP id xxxxxxxxx
>      for <xxxxxx>; Tue, 23 May 2023 15:25:58 +0000 (UTC)
> Date: Tue, 23 May 2023 15:25:58 +0000
> From: "??stfin?n?? (GmbH)" <support@atlys.zendesk.com>
> Reply-To: "??stfin?n?? (GmbH)" <support+id55728@atlys.zendesk.com>
> To: xxxxx <xxxxxx>
> Message-ID: <6X2430xxxxxxx_sprut@zendesk.com>
> In-Reply-To: <6X2430xxxxxx@zendesk.com>
> Subject: Wichtig: Aktualisieren Sie Ihr ??stfin?n??-Konto
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="--==_mimepart_646cdb0667952_4c4a9c38871";
> charset=utf-8
> Content-Transfer-Encoding: 7bit
> X-Delivery-Context: automatic-answer-1689173234243234
> Auto-Submitted: auto-generated
> X-Auto-Response-Suppress: All
> X-Mailer: Zendesk Mailer
> X-Zendesk-From-Account-Id: 83f40dd
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com;
> q=dns/txt; s=zendesk2; t=1684855558;
> bh=hZXuEvY/OemVRfx2BSZkm7AF9OUMlXdBZZugXDZhHF0=;
>
> ...
>
>
> Thierry


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire