Phishing Emails

Discussion in 'Mail Gateway: Installation and configuration' started by dthompson, Nov 16, 2018.

  1. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    41
    Likes Received:
    0
    I am trying to figure out why some emails are not getting stopped by the spam filter and am looking for some help and guidance from the community.

    We have a domain, unitecreative.ca, that has been complaining about phishing scams getting through roughly once or twice a day.

    The email looks something like this, with a .doc file attachment, but changes over time (language, content):
    ==========================================================================
    From:
    David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
    Date: November 15, 2018 at 10:35:02 PM EST
    To: user1@unitecreative.ca
    Subject: Your David Niemela Statement

    Good Afternoon,

    I have sent email to you confirming last invoice.

    Best Regards,
    -
    David Niemela
    user@unitecreative.ca
    ==========================================================================

    That being said, they are getting emails from “themselves”, at least that is what is in the From address.

    So for instance, David Niemela, who is an employee of unitecreative.ca, is the “From” on emails, even though the actual sender is "moiz@supremeuniversal.in", for example.

    The PMG doesn’t think this is a problem and sends the message through, with the attachment, to the end user, which is someone else at unitecreative.ca:

    mx1 pmg-smtp-filter[23992]: 2D0235BEE3AF1A3F2E: SA score=0/5 time=1.403 bayes=4.9960036108132e-16 autolearn=no autolearn_force=no hits=BAYES_00,DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_NONE,SPF_PASS

    My question is how do I configure the server to reject these types of emails since they are frustrating to the person receiving them?

    Currently my Block Spam is at a level of 5. Should I turn this down more, to 4 or 3? I don’t want to block legitimate email at the same time though, so before I modify that section, I’m looking for pointers from anyone who has seen this similar type of spam getting through.

    Thanks for any help you can provide!
     
  2. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,523
    Likes Received:
    402
    Please check the email header (check the header via your email client); you should see the detailed score of each test. This helps with analysis.
     
  3. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    41
    Likes Received:
    0
    Thanks for the quick reply.

    Here is one of the headers from one of the phishing emails.
    What exactly am I looking for here in order to increase blocking of these types of emails?


    Return-Path: <moiz@supremeuniversal.in>
    X-Spam-Status: No, hits=0.0 required=8.5
    tests=TOTAL_SCORE: 0.000
    X-Spam-Level:
    Received: from mx1.digidns.ca ([192.168.11.5])
    by hc1.digidns.ca (Kerio Connect 9.2.7 patch 3) with ESMTPS
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
    for user1@unitecreative.ca;
    Thu, 15 Nov 2018 22:35:15 -0500
    Received: from mx1.digidns.ca (localhost.localdomain [127.0.0.1])
    by mx1.digidns.ca (Proxmox) with ESMTP id 6916F2D024
    for <user1@unitecreative.ca>; Thu, 15 Nov 2018 22:35:15 -0500 (EST)
    Received-SPF: pass (supremeuniversal.in: 103.24.200.152 is authorized to use 'moiz@supremeuniversal.in' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mx1.digidns.ca; identity=mailfrom; envelope-from="moiz@supremeuniversal.in";
    helo=saturnnew.worldindia.in; client-ip=103.24.200.152
    Received: from saturnnew.worldindia.in (saturn.worldindia.com [103.24.200.152])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx1.digidns.ca (Proxmox) with ESMTPS id 7B4162D021
    for <user1@unitecreative.ca>; Thu, 15 Nov 2018 22:35:12 -0500 (EST)
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=supremeuniversal.in; s=default; h=Content-Type:MIME-Version:Subject:
    Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
    List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=DAPgCfudbeMB6GJ5CGZZmelDgBK1m2XztObRzKUCzuE=; b=P3rkvzAQQHqRjxzSYep1C+Poj
    O1T66aaoHhtJpG9JdPQ7ayAPVY4JtmgCJkzQ1k6p/kUuJY18BkAt7BEOTtrMqnyrnY6IU3umXljaL
    1BCmNnZO6aR5cMzpNHnRUqzu41ZpkS2VL+J2Uzzp9Kugz6Bbb6l4ALQBN0XMfzYXJ+f9AGSfqT+lD
    /KYN5zNLoKE5HwBHfKjlsW/5z6WLZ04DCT+XvSsRZUgTMAUeR65W55G+oMlAH8SbK4fDgEg2p1oky
    oWofRZCCzhKHO9QbCeBqdB38CL+xeETxGJHN9PAa6/1RZRakzO4Z+nhlMOkaKB9wkYS4aajQedTeQ
    BaEXQrQfw==;
    Received: from [187.131.233.87] (port=14982 helo=10.14.14.3)
    by saturnnew.worldindia.in with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.91)
    (envelope-from <moiz@supremeuniversal.in>)
    id 1gNUuH-00017n-9J
    for user1@unitecreative.ca; Fri, 16 Nov 2018 09:04:59 +0530
    Date: Thu, 15 Nov 2018 20:35:02 -0700
    From: David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
    To: user1@unitecreative.ca
    Message-ID: <38916456115078217946.0013B0B3ECBDAD52@unitecreative.ca>
    Subject: Your David Niemela Statement
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_Part_53170_1211169914.23711279722654273795"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - saturnnew.worldindia.in
    X-AntiAbuse: Original Domain - unitecreative.ca

    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - supremeuniversal.in
    X-Get-Message-Sender-Via: saturnnew.worldindia.in: authenticated_id: moiz@supremeuniversal.in
    X-Authenticated-Sender: saturnnew.worldindia.in: moiz@supremeuniversal.in
    X-SPAM-LEVEL: Spam detection results: 0
    BAYES_00 -1.9 Bayes spam probability is 0 to 1%
    DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
    DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
    HEADER_FROM_DIFFERENT_DOMAINS 0.001 From and EnvelopeFrom 2nd level mail domains are different
    RCVD_IN_DNSWL_NONE -0.0001 Sender listed at http://www.dnswl.org/, no trust
    SPF_PASS -0.001 SPF: sender matches SPF record


    Thank you very much!!
     
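As an added illustration (not from this thread), the anomaly visible in that header can be checked mechanically: SPF_PASS refers to the envelope sender moiz@supremeuniversal.in (Return-Path), which is why it passes, while the header From carries a second, local-looking address that SPF never examines. The sample below is constructed by cutting down the header posted above; the only assumption is the set of protected domains passed in.

```python
import re
from email import message_from_string

# Constructed sample, cut down from the header pasted in this thread.
SAMPLE_HEADERS = """\
Return-Path: <moiz@supremeuniversal.in>
From: David Niemela <user@unitecreative.ca> <moiz@supremeuniversal.in>
To: user1@unitecreative.ca
Subject: Your David Niemela Statement

"""

# Deliberately simple address matcher: we want every address-looking token,
# including ones hidden in the display-name part, not a strict RFC 5322 parse.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def addresses(header_value):
    """All address-looking tokens in a header value, lower-cased, in order."""
    return [m.group(0).lower() for m in ADDR_RE.finditer(header_value or "")]


def domain(addr):
    return addr.rsplit("@", 1)[-1]


def check_from_spoof(raw_message, protected_domains):
    """Return the reasons (possibly none) why a message looks like a self-spoof.

    protected_domains: the domains this gateway receives mail for (assumed
    input; in the thread that would be unitecreative.ca).
    """
    msg = message_from_string(raw_message)
    from_addrs = addresses(msg.get("From"))
    envelope = addresses(msg.get("Return-Path"))  # SPF is evaluated on this one
    reasons = []
    if len(from_addrs) > 1:
        reasons.append("more than one address in From header")
    if envelope:
        env_dom = domain(envelope[0])
        for addr in from_addrs:
            # A local address shown in From while the envelope sender is
            # external is exactly the SPF blind spot this message relies on.
            if domain(addr) in protected_domains and env_dom not in protected_domains:
                reasons.append(f"From shows local {addr} but envelope sender is @{env_dom}")
    return reasons


if __name__ == "__main__":
    for reason in check_from_spoof(SAMPLE_HEADERS, {"unitecreative.ca"}):
        print("suspicious:", reason)
```

This is the alignment check DMARC formalises; a gateway rule that flags local-domain addresses in From from an unaligned envelope sender catches this message even though SPF passed.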
  4. killmasta93

    killmasta93 Member

    Joined:
    Aug 13, 2017
    Messages:
    431
    Likes Received:
    16
    Try using these DNSBL sites in your config; it helps a lot.

    Code:
    zen.spamhaus.org bl.spamcop.net psbl.surriel.com spamrbl.imp.ch noptr.spamrats.com escalations.dnsbl.sorbs.net bl.score.senderscore.com bl.spameatingmonkey.net rbl.realtimeblacklist.com dnsbl.dronebl.org ix.dnsbl.manitu.net b.barracudacentral.org truncate.gbudb.net bl.blocklist.de dnswl.spfbl.net dnswl.org
     
  5. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    41
    Likes Received:
    0

    Thank you very much. I will give those a shot!
     
  6. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    605
    Likes Received:
    153
    Ehm, there are whitelists in this list as well. You may use weights to weight out the blacklists based on how well they work for you and to subtract the whitelists; otherwise you block on the whitelists as well.
     
  7. dthompson

    dthompson Member

    Joined:
    Nov 23, 2011
    Messages:
    41
    Likes Received:
    0
    Can you explain to me how I do this? Also how do I tell which are whitelists and which are not?

    Sorry for my lack of intelligence here.
     
  8. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    605
    Likes Received:
    153
    You need to add *x after each entry, where *2, e.g., means to add 2 for a match on this list, *1 means to add 1 for a match on this list, and *-x, e.g. *-1, means to subtract 1 for a match on this list, or *-2 to subtract -2 for a match on this list. So for whitelists you use -x and for blacklists you use x. You then also set the threshold level in the GUI, i.e. at which score to reject a message. If you set it to e.g. 2, it just needs one *2 list or two *1 lists and no subtraction at all. You can look at my advanced thread for more information on how to optimize PMG. I also wouldn’t recommend whitelists, as they are not as good as expected.
     
  9. Robson Rissato

    Robson Rissato New Member

    Joined:
    Aug 15, 2018
    Messages:
    18
    Likes Received:
    0

    Example:
    zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,db.wpbl.info,truncate.gbudb.net,bl.blocklist.de,xxx,xxx24
     
  10. killmasta93

    killmasta93 Member

    Joined:
    Aug 13, 2017
    Messages:
    431
    Likes Received:
    16
    Oh snap, I did not know about the *2. I also did not know that the whitelist would be considered a blacklist as well?
     
  11. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    605
    Likes Received:
    153
    Yes, the entry is dns(r)bl, so it’s about blacklists/blocklists based on DNS checks. So if you also put whitelists in this entry, any hit on one of them will be treated as a reason to block, as Postfix doesn’t know that it’s a whitelist and also won’t check the FQDN of the list. For combined lists you may be able to use f.q.d.n=IP to choose the IP entries that are for black- or blocklisting, so you only reject on those. So the „trick“ with whitelists (and I don’t know any other way to use them) is the weighted ranking with postscreen (there should also be some recent milter add-ons which also allow weights) and then a threshold, so you can use the whitelists with a minus/negative multiplier to subtract scores again and then check the whole score against the threshold.

    However, recently there were great statistics at inps.de, and you may still find some in the Wayback Machine, but this site is gone (because of GDPR, as stated by the owner). But you can also check your spam mails coming through: some are on a whitelist, while valid mail often isn’t, so the idea (because of IPv6) of deprecating blacklists and replacing them with whitelists failed, similar to SPF and DKIM, because of worse adoption on legit infrastructures and meanwhile wider adoption on the spammers’ side, as some admins rely on this information. That’s the reason why I don’t use whitelists to weight out my hand-chosen blacklists.

    I weight them based on a multi-week check for false positives, as you can see in my blacklist optimization thread: by adding them with a log entry on each hit and then checking the logs weekly for a reasonable timeframe, if they haven’t already fallen through by having too many false positives after a few days. Score 2 lists have no false positives for weeks, score 1 some rare ones, all others are out, also the ones that don’t show any hits at all. I check once with my private mail test installation as well as with my commercial test installation.
     
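A worked example of the scoring heutger describes in posts 8 and 11 (added here; not from his thread, from Robson’s list or from Postfix itself): the postscreen entry format site[=reply-ip][*weight] with the weight defaulting to 1, the summed score compared against the threshold (Postfix treats postscreen_dnsbl_threshold as an inclusive lower bound), and the pitfall that an unweighted whitelist is just another +1 list. The DNSBL replies are constructed; a real gateway gets them from DNS.

```python
import re

# postscreen_dnsbl_sites entry: site[=reply-ip][*weight]; weight defaults to 1.
# Reply-code ranges such as 127.0.0.[2..11] are not handled in this example.
ENTRY_RE = re.compile(r"^(?P<site>[^=*\s,]+)(?:=(?P<reply>[0-9.]+))?(?:\*(?P<w>-?\d+))?$")


def parse_dnsbl_sites(spec):
    """Parse a comma/whitespace separated site list into {site: (reply_filter, weight)}."""
    sites = {}
    for entry in re.split(r"[,\s]+", spec.strip()):
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"cannot parse DNSBL entry {entry!r}")
        weight = int(m["w"]) if m["w"] is not None else 1
        sites[m["site"]] = (m["reply"], weight)
    return sites


def dnsbl_score(sites, replies):
    """Sum the weights of every list that listed the client.

    replies: {site: reply_ip} for the lists that answered (constructed here;
    postscreen obtains them via DNS A-record lookups).
    """
    total = 0
    for site, (reply_filter, weight) in sites.items():
        reply = replies.get(site)
        if reply is None:
            continue                      # not listed on this site
        if reply_filter is not None and reply != reply_filter:
            continue                      # listed, but not with the reply we act on
        total += weight                   # a whitelist with *-n subtracts here
    return total


def rejected(spec, replies, threshold):
    """postscreen rejects when score >= postscreen_dnsbl_threshold (inclusive)."""
    return dnsbl_score(parse_dnsbl_sites(spec), replies) >= threshold


# The trap from the thread: dnswl.org with no weight counts +1 like a blacklist.
NAIVE = "zen.spamhaus.org*2, bl.spamcop.net*2, psbl.surriel.com, dnswl.org"
# The fix heutger describes: give the whitelist a negative multiplier.
WEIGHTED = "zen.spamhaus.org*2, bl.spamcop.net*2, psbl.surriel.com, dnswl.org*-2"
```

With NAIVE and a threshold of 1, a clean sender listed only on dnswl.org is rejected; with WEIGHTED the same sender scores -2 and passes, while a zen.spamhaus.org hit alone still reaches a threshold of 2.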