Internal Phishing

KatyComputer

Well-Known Member
Sep 26, 2019
St Louis
katycomputer.com
We are seeing phishing attacks where the email appears to be from one staff member (employee) to another staff member (accountant). The domain is properly configured with SPF/DKIM records; I was baffled until I looked at the headers. The evil-doer is using authentic (but evil) Return-Path:, X-Sender: and Reply-To: headers to phish our clients.

Anyone have clever tricks to block this effort:
Code:
Delivered-To: morgan.accountant@customer.com
Return-Path: gwen@gwendolynw.com
Received-SPF: none (gwendolynw.com: No applicable sender policy available) receiver=mx.security.com; identity=mailfrom; envelope-from="gwen@gwendolynw.com"; helo=p3plwbeout27-06.prod.phx3.secureserver.net; client-ip=216.69.139.56
Received: from p3plwbeout27-06.prod.phx3.secureserver.net (p3plsmtp27-06-2.prod.phx3.secureserver.net [216.69.139.56])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx.security.com (KatyComputer) with ESMTPS
    for <morgan.accountant@customer.com>; Mon, 14 Nov 2022 13:09:48 -0600 (CST)
Received: from p3plgemwbe27-01.prod.phx3.secureserver.net ([10.36.136.31])
    by :WBEOUT: with SMTP
    id ueiKoJDwYK9TnueiKoySZl; Mon, 14 Nov 2022 12:01:48 -0700
X-CMAE-Analysis: v=2.4 cv=eKHWMFl1 c=1 sm=1 tr=0 ts=6372909c
 a=wyIkHV4v9QDcqtJhzmByXA==:117 a=O0uf6D4JcKgA:10 a=snqOvnsXdMYA:10
 a=IkcTkHD0fZMA:10 a=9xFQ1JgjjksA:10 a=PTQOsGrJGsurKYCY8JMA:9
 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10
X-SECURESERVER-ACCT: gwen@gwendolynw.com
X-SID: ueiKoJDwYK9Tn
Received: (qmail 31827 invoked by uid 99); 14 Nov 2022 19:01:48 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 205.185.209.22
User-Agent: Workspace Webmail 6.12.11
Message-Id: <20221114120146.51f2b9cedf4b782d679da89b590aca66.5368824cee.wbe@email27.godaddy.com>
From: "Michelle employee" <michelle.employee@customer.com>
X-Sender: gwen@gwendolynw.com
Reply-To: "Michelle employee" <michelle.employee@direckto.pics>
To: "morgan.accountant@customer.com" <morgan.accountant@customer.com>
subject: SPAM: ALTERNATION OF PAYCHECK/DD DETAILS
Date: Mon, 14 Nov 2022 12:01:46 -0700
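As an added illustration (not code from this thread, and not a Proxmox Mail Gateway feature), here is a Python check that applies the alignment logic a defender would want for the message above: when the From domain is one of our own, require the Return-Path, X-Sender and Reply-To domains to match it and require SPF to pass. The protected domain customer.com is an assumption, and both samples are constructed from the headers quoted above.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own domain(s). Mail that claims to be From one of
# these but whose envelope/reply headers point elsewhere is the case in the post.
ORG_DOMAINS = {"customer.com"}

# Constructed sample built from the headers quoted above (the phish).
PHISH = """Return-Path: gwen@gwendolynw.com
Received-SPF: none (gwendolynw.com: No applicable sender policy available)
From: "Michelle employee" <michelle.employee@customer.com>
X-Sender: gwen@gwendolynw.com
Reply-To: "Michelle employee" <michelle.employee@direckto.pics>
To: "morgan.accountant@customer.com" <morgan.accountant@customer.com>
subject: SPAM: ALTERNATION OF PAYCHECK/DD DETAILS
"""

# Constructed sample of a legitimate internal message for comparison.
LEGIT = """Return-Path: michelle.employee@customer.com
Received-SPF: pass (customer.com: sender authorised)
From: "Michelle employee" <michelle.employee@customer.com>
To: morgan.accountant@customer.com
Subject: Timesheet
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_internal_spoof(raw, org_domains=ORG_DOMAINS):
    """Return alignment findings for a message whose From domain is one of ours."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    if from_dom not in org_domains:
        return findings  # not claiming to be internal; other rules apply
    for header in ("Return-Path", "X-Sender", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} does not match From domain {from_dom}")
    spf = (msg["Received-SPF"] or "none").split(" ", 1)[0].lower()
    if spf != "pass":
        findings.append(f"SPF result for envelope sender is '{spf}', not 'pass'")
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_internal_spoof(raw) or ["no findings"])
```

The same four conditions (envelope, X-Sender and Reply-To alignment with From, plus SPF pass) are what a DMARC-style quarantine rule on the gateway would enforce for your own domain.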
 
Can you post logs from proxmox mail gateway tracking center for this message? Headers from this email do not help us much...
 