Mailing List Archive

Gift Card Scam
I'm wondering if anyone has any good ideas to catch gift card scam
emails.  This latest version came from Gmail, and has valid DKIM records
and the IPs are whitelisted.

Thanks,
Kirk

Here's the hits from SpamAssassin:

X-Spam-Status: No, score=0.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
        RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6

And here's the body:

It’s incredible to see you all consistently pushing the bar to
greatness. The outcomes you've all achieved are remarkable, especially
in light of the difficult circumstances we're in. I am so grateful to
have everyone as a member of the team, and I really value your great
skills. My words can never express how much I appreciate what you do;
the effort and skill you contribute consistently go above and beyond
what I had anticipated. I'm grateful.

Most times, a simple THANK YOU is what every employee wants to get from
their "big boss" for their hard work. This is why I'm planning on
recognizing the efforts of some staff and appreciating them with a
little surprise gesture. I believe I can count on you to help get this
little appreciation surprise done in a discreet manner.

What do you think would be the ideal gift for such a celebration? I'm
considering gift cards like Visa or Mastercard, given their universal
acceptance and functionality. I believe this would cater to the diverse
tastes of our staff, allowing them to use the gift as they prefer
without being limited to specific stores or locations. I would
appreciate your help in making these purchases on my behalf, and I need
you to check what store we have around to make this purchase from.

Indeed, you all have been great assets to the organization and really
deserve this recognition.


Kind Regards,

The Boss
Executive Director
Victim Company

Sent from my iPhone

END
Re: Gift Card Scam
On 2024-01-04 at 16:19:28 UTC-0500 (Thu, 4 Jan 2024 13:19:28 -0800)
Kirk Ismay <kirk@ismay.ca>
is rumored to have said:

> I'm wondering if anyone has any good ideas to catch gift card scam
> emails.  This latest version came from Gmail, and has valid DKIM
> records and the IPs are whitelisted.

First step: don't whitelist those IPs or any others used by a major
retail mailbox provider. The RCVD_IN_MSPIKE_WL rule probably needs a
default zero score... (That is just my personal opinion)

I have had success with adding a subrule for the phrase "gift card" (and
related phrases) and a meta combining that with FREEMAIL_FROM for Very
Big Points.

That may not be usable for you if your users use their work email for
non-work matters and you don't have the freedom to tell them to pound
sand when they whine about something non-business caught in spam
filters.

>
> Thanks,
> Kirk
>
> Here's the hits from SpamAssassin:
>
> X-Spam-Status: No, score=0.3 required=5.0
> tests=DKIM_SIGNED,DKIM_VALID,
>         DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
> RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
>         T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6
>
> And here's the body:
>
> It’s incredible to see you all consistently pushing the bar to
> greatness. The outcomes you've all achieved are remarkable, especially
> in light of the difficult circumstances we're in. I am so grateful to
> have everyone as a member of the team, and I really value your great
> skills. My words can never express how much I appreciate what you do;
> the effort and skill you contribute consistently go above and beyond
> what I had anticipated. I'm grateful.
>
> Most times, a simple THANK YOU is what every employee wants to get
> from their "big boss" for their hard work. This is why I'm planning on
> recognizing the efforts of some staff and appreciating them with a
> little surprise gesture. I believe I can count on you to help get this
> little appreciation surprise done in a discreet manner.
>
> What do you think would be the ideal gift for such a celebration? I'm
> considering gift cards like Visa or Mastercard, given their universal
> acceptance and functionality. I believe this would cater to the
> diverse tastes of our staff, allowing them to use the gift as they
> prefer without being limited to specific stores or locations. I would
> appreciate your help in making these purchases on my behalf, and I
> need you to check what store we have around to make this purchase
> from.
>
> Indeed, you all have been great assets to the organization and really
> deserve this recognition.
>
>
> Kind Regards,
>
> The Boss
> Executive Director
> Victim Company
>
> Sent from my iPhone
>
> END


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Gift Card Scam
body GIFT_CARD /gift card/i
score GIFT_CARD 1.5

meta FREEMAIL_GIFTCARDS GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)
score FREEMAIL_GIFTCARDS 6.0

If you're not big on gift cards.

Also, you might want to enable and train Bayes...

On Thu, Jan 04, 2024 at 01:19:28PM -0800, Kirk Ismay wrote:
> I'm wondering if anyone has any good ideas to catch gift card scam emails. 
> This latest version came from Gmail, and has valid DKIM records and the IPs
> are whitelisted.
>
> Thanks,
> Kirk
>
> Here's the hits from SpamAssassin:
>
> X-Spam-Status: No, score=0.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
>         DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
> RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
>         T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6
>
> And here's the body:
>
> It’s incredible to see you all consistently pushing the bar to greatness.
> The outcomes you've all achieved are remarkable, especially in light of the
> difficult circumstances we're in. I am so grateful to have everyone as a
> member of the team, and I really value your great skills. My words can never
> express how much I appreciate what you do; the effort and skill you
> contribute consistently go above and beyond what I had anticipated. I'm
> grateful.
>
> Most times, a simple THANK YOU is what every employee wants to get from
> their "big boss" for their hard work. This is why I'm planning on
> recognizing the efforts of some staff and appreciating them with a little
> surprise gesture. I believe I can count on you to help get this little
> appreciation surprise done in a discreet manner.
>
> What do you think would be the ideal gift for such a celebration? I'm
> considering gift cards like Visa or Mastercard, given their universal
> acceptance and functionality. I believe this would cater to the diverse
> tastes of our staff, allowing them to use the gift as they prefer without
> being limited to specific stores or locations. I would appreciate your help
> in making these purchases on my behalf, and I need you to check what store
> we have around to make this purchase from.
>
> Indeed, you all have been great assets to the organization and really
> deserve this recognition.
>
>
> Kind Regards,
>
> The Boss
> Executive Director
> Victim Company
>
> Sent from my iPhone
>
> END
>

--
Opinions above are GNU-copylefted.
Re: Gift Card Scam
On 1/4/2024 3:19 PM, Kirk Ismay wrote:
> I'm wondering if anyone has any good ideas to catch gift card scam
> emails.  This latest version came from Gmail, and has valid DKIM
> records and the IPs are whitelisted.
>
> Thanks,
> Kirk
>
> Here's the hits from SpamAssassin:
>
> X-Spam-Status: No, score=0.3 required=5.0
> tests=DKIM_SIGNED,DKIM_VALID,
>         DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
> RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
>         T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6
>
> And here's the body:
>
(link to the body in a paste bin next time)

I catch the vast majority of these in postfix header_checks that
look for the boss' name and a few minor variants in From: and reject
if the sending address isn't the right one. This works well enough
for us since there are a limited number of $boss targets here.  This
has also cut down on the "send a payment to" and other social
engineering scams that claim to be from the boss.

You could do the same thing in SA if you don't have too many $boss
targets.

I've not had much success with generalized rules - too many folks
here talk about gift cards in legit mail, some of it actually
business-related.

Good luck.


  -- Noel Jones
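
A SpamAssassin counterpart to the header_checks approach described above, as an added example that is not from the original post. The name "Jane Doe", the address jane.doe@example.com, the rule names and the score are placeholders to replace and tune locally.

```conf
# Added example: "boss's name, wrong address" check for SpamAssassin.
# All names, addresses and scores below are assumed placeholders.

# Display name in From: matches the executive's name or a minor variant
# ("Jane Doe", "J. Doe", "J Doe", "Doe, Jane").
header   __FROM_NAME_BOSS  From:name =~ /\b(?:J(?:ane|\.)?\s*Doe|Doe,\s*J(?:ane|\.)?)/i

# Address in From: is the executive's real mailbox. The "@" is escaped
# because the pattern is compiled as a Perl regex.
header   __FROM_ADDR_BOSS  From:addr =~ /^jane\.doe\@example\.com$/i

# Fires when the name claims to be the boss but the address is not theirs.
# This compares header text only; it does not authenticate the address.
meta     NOT_BOSS          __FROM_NAME_BOSS && !__FROM_ADDR_BOSS
describe NOT_BOSS          From: name matches an executive, address does not
score    NOT_BOSS          4.0
```

With only a few executives to protect, one pair of `__FROM_NAME_*` / `__FROM_ADDR_*` subrules per person keeps each pattern narrow enough to avoid hits on ordinary mail.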
Re: Gift Card Scam
On 2024-01-04 1:57 p.m., Matija Nalis wrote:
> body GIFT_CARD /gift card/i
> score GIFT_CARD 1.5
>
> meta FREEMAIL_GIFTCARDS GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)
> score FREEMAIL_GIFTCARDS 6.0
>
> If you're not big on gift cards.
>
> Also, you might want to enable and train Bayes...
>

Thanks!

I'll add these rules to my other "VIP rules".   I actually want to have
a couple rules that can work in tandem, so that I don't have to have
everything riding on just one.

I've given GIFT_CARD a score of 0.5, and the FREEMAIL_GIFTCARDS a score
of 1.5.  I have a "Not Boss" rule, but I hadn't revised it for
$newboss.   That has a score of 4, so all rules combined gives us a
score of 6.

Works for me. Will look at bayes next.

Kirk
Re: Gift Card Scam
On 04.01.24 22:57, Matija Nalis wrote:
>body GIFT_CARD /gift card/i
>score GIFT_CARD 1.5
>
>meta FREEMAIL_GIFTCARDS GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)

shouldn't that be !DKIM_VALID_AU ?

valid DKIM signature means nothing by itself

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.
Re: Gift Card Scam
Matus UHLAR - fantomas wrote on 2024-01-05 09:06:
> On 04.01.24 22:57, Matija Nalis wrote:
>> body GIFT_CARD /gift card/i
>> score GIFT_CARD 1.5
>>
>> meta FREEMAIL_GIFTCARDS GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)
>
> shouldn't that be !DKIM_VALID_AU ?
>
> valid DKIM signature means nothing by itself

pointless comment, reason valid_au is not used here is that it's still
valid, be careful

!foo means it's not pass, take focus next time
Re: Gift Card Scam
>>On 04.01.24 22:57, Matija Nalis wrote:
>>>body GIFT_CARD /gift card/i
>>>score GIFT_CARD 1.5
>>>
>>>meta FREEMAIL_GIFTCARDS GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)

>Matus UHLAR - fantomas wrote on 2024-01-05 09:06:
>>shouldn't that be !DKIM_VALID_AU ?
>>
>>valid DKIM signature means nothing by itself

On 05.01.24 14:52, Benny Pedersen wrote:
>pointless comment, reason valid_au is not used here is that it's still
>valid, be careful
>
>!foo means it's not pass, take focus next time

!DKIM_VALID produces true if there's no valid DKIM signature

!DKIM_VALID_AU produces true if there is no valid signature, OR if there is
a valid signature, but not from the domain in header From:

so, !DKIM_VALID_AU is a superset of !DKIM_VALID thus should produce more
hits.

The question is whether we want this.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)
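
One way to measure the difference between the two variants discussed above before choosing one, as an added example that is not from any poster in the thread. The `GC_` rule names and the 0.01 scores are assumptions; the DKIM and FREEMAIL rule names are the stock ones shown in the X-Spam-Status header at the top of the thread.

```conf
# Added example: near-zero-score rules that expose where !DKIM_VALID and
# !DKIM_VALID_AU diverge. Rule names and scores are assumed placeholders.

# Own phrase subrule so this file does not depend on a local GIFT_CARD rule.
body     __GC_PHRASE           /\bgift\s*cards?\b/i

# The three ways a message can fail DKIM_VALID_AU.
meta     __GC_DKIM_NONE        !DKIM_SIGNED
meta     __GC_DKIM_INVALID     DKIM_SIGNED && !DKIM_VALID
meta     __GC_DKIM_THIRDPARTY  DKIM_VALID && !DKIM_VALID_AU

# Variant as originally posted: DKIM term is true for the first two states.
meta     GC_NOT_VALID          __GC_PHRASE && (FREEMAIL_FROM || !DKIM_VALID)
describe GC_NOT_VALID          Gift card phrase, freemail or no valid DKIM
score    GC_NOT_VALID          0.01

# Proposed variant: DKIM term is true for all three states.
meta     GC_NOT_VALID_AU       __GC_PHRASE && (FREEMAIL_FROM || !DKIM_VALID_AU)
describe GC_NOT_VALID_AU       Gift card phrase, freemail or no author-domain DKIM
score    GC_NOT_VALID_AU       0.01

# Exactly the extra mail the proposed variant catches: non-freemail sender
# with a valid signature from a domain other than the one in From:.
meta     GC_AU_ONLY            __GC_PHRASE && !FREEMAIL_FROM && __GC_DKIM_THIRDPARTY
describe GC_AU_ONLY            Hit by the _AU variant only
score    GC_AU_ONLY            0.01
```

On the Gmail sample at the top of the thread, FREEMAIL_FROM and DKIM_VALID_AU both hit, so the two variants behave identically there; only mail counted by GC_AU_ONLY separates them.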