Phishing Emails

Thanks for the reply, so not possible to have a regex filter to block any email that hides behind the alias?
 
Not that I know of. You can try searching the internet again.
But how do you know which/what alias spammers will use in their email? There could be thousands of possibilities...
 
Hi,

Thanks for the reply, sorry for not being clear.
What I meant is: does this filter also block emails that try to mask the sender?
ex: from:client@domain.com <fakeemail@domain.com>

A filter to block any email that tries to mask the email address with another email address.
Thank you

There is a thread (German) which discussed your request.

Create a What Object:
* Type: Match Field
* Field: From
* Value: ^.*<.*>.*<.*>.*$

If the From address is encoded, you can create a second object with:
* Value: ^.*UTF-8.*<.*>.*$

I'm also using this, and it works great.

Greetz
 
Good info. Thanks.
 
Would checking SPF work here? It should catch that the mail is not really from @abc.com.

SPF and DKIM may not work any more, as some spam mail is going through a legit mail server or domain.

Delivered-To: jessica@xxx.com
Return-Path: Salman.agha@icecreamlab.ae
Received-SPF: pass (icecreamlab.ae: Sender is authorized to use 'salman.agha@icecreamlab.ae' in 'mfrom' identity (mechanism 'include:spf.protection.outlook.com' matched)) receiver=pmg.xxx.com; identity=mailfrom; envelope-from="salman.agha@icecreamlab.ae"; helo=eur03-am5-obe.outbound.protection.outlook.com; client-ip=40.107.3.42
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30042.outbound.protection.outlook.com [40.107.3.42])
by pmg.xxx.com (Proxmox) with ESMTP id 115FC411A1
for <jessicatang@xxx.com>; Wed, 20 Nov 2019 16:47:21 +0800 (+08)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=VpsogTtTlalHALBBjfVOCeCAwMY7LaU0KES1p7PNSCUS9o5+r8AFjoim8QuD3LktNtkG6NwMeKaJK0WArETj68ygeNwdQVmD21zMpsLKNwOeO8pTbmmlZUMe+m099O/SteLh03Vj+ghYkKYwhFS7tAm5BSd0x8MkuuEk5MmJO432JAxdGzIrUbRSmVXpf+OXd96quAcgHRFKj0c5H3fOjXj7LOJ1jQf+XRUjdi8YSS3LMFDbLR1UQDoxrlviMS69jYsnF8ly3F+m1mvW7BPWLsN75ZILMwvckOfJ2urA9T9V7Z2mg508vJVCvn7FYimT3PDAxy67dkMvcbkRU0r4JQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=eg+yZnbdmwooFnm/9MMI/mpvNrDtAVPAMrFtlF5EeX4=;
b=AiFFWBOQKskzs51j1PwYdYKS+j3HdNeuRRe2jw98Vs26na6lf88wVw1nFswRey6cHzG0gwBlv3Q01xOPMcFRLV8P33ZFB9yiUihvxAU04D08Db03rm7OicP7UPM//I6C6I0qARTvX0Z5jWdivTYZYrtoPuK5YhmcQVDXl9+I9JkrU5BBMUyRon+F0a37sq1WiqvSqr0mwHsSYGWXOJr23Ajax7qZQWibIs6kEFJbT419YoBgvZRMRg+WBnSITAitdZ9kovO2q76M6g6IDqmZPaSjOrVgraZng2NoKSOjP3myttEjJakBrJNIkh3np6/0jzOsEIdoEQw6VO/gg8MPfg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=icecreamlab.ae; dmarc=pass action=none
header.from=icecreamlab.ae; dkim=pass header.d=icecreamlab.ae; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=Eminencegroupme.onmicrosoft.com;
s=selector2-Eminencegroupme-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=eg+yZnbdmwooFnm/9MMI/mpvNrDtAVPAMrFtlF5EeX4=;
b=iFXD+bUqc8DXTczoyy4KGpwdv9nksrabI/V6ozJ37SIvHhUSxt7fAfBNWbpwk6nmlgAoV4CAN5NyS6fZHHY78BXCXCTG5SMrsRDHS/8Fta45s5GkiQHIUQBJMxkdDMU0zF3YIxZGwIPmKTHiDDjSnXfIrHjV+2ps4fywIHCbpX8=
Received: from AM0PR08MB3780.eurprd08.prod.outlook.com (20.178.82.216) by
AM0PR08MB3283.eurprd08.prod.outlook.com (52.134.94.28) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.2474.16; Wed, 20 Nov 2019 08:47:12 +0000
Received: from AM0PR08MB3780.eurprd08.prod.outlook.com
([fe80::9c13:1a60:7a69:c1a4]) by AM0PR08MB3780.eurprd08.prod.outlook.com
([fe80::9c13:1a60:7a69:c1a4%5]) with mapi id 15.20.2474.015; Wed, 20 Nov 2019
08:47:12 +0000
From: Salman Agha <Salman.agha@icecreamlab.ae>
 
Thanks for the reply, not sure if I did this correctly, see picture.

Screenshot from 2019-11-21 23-46-47.png
 
Just wanted to post back: I think the rule is not working. These are the headers; lucky for me, I have macros blocked.
As you see, my client's domain seems to have got compromised, but it's sending from ten.tv, which is the bad domain.

Code:
Delivered-To: jvelez@mydomain.com
Return-Path: doaa.shaban@ten.tv
Received: from email.ten.tv (email.ten.tv [41.33.58.242])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by ares.audeinfo.local (Proxmox) with ESMTPS id 6691D5011EC
    for <jvelez@mydomain.com>; Wed, 11 Dec 2019 08:10:29 -0500 (-05)
Received: from localhost (localhost [127.0.0.1])
    by email.ten.tv (Postfix) with ESMTP id 4799266A38AA
    for <jvelez@mydomain.com>; Wed, 11 Dec 2019 00:46:40 +0200 (EET)
X-Virus-Scanned: by amavisd-new-2.10.1 (20141025) (Debian) at ten.tv
Received: from email.ten.tv ([127.0.0.1])
    by localhost (email.ten.tv [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id UiKjvyunT200 for <jvelez@mydomain.com>;
    Wed, 11 Dec 2019 00:46:39 +0200 (EET)
Received: from [185.4.41.153] (h153.onetel185.4.41.onetelecom.od.ua [185.4.41.153])
    by email.ten.tv (Postfix) with ESMTPSA id 361BF6673297
    for <jvelez@mydomain.com>; Tue, 10 Dec 2019 19:57:19 +0200 (EET)
Date: Tue, 10 Dec 2019 19:52:26 +0200
From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>
To: "jvelez@mydomain.com" <jvelez@mydomain.com>
Subject: =?UTF-8?B?UkU6IEpPWUFOR0VMIC0gUmVjZXBjaW9uIGRlIGRvY3VtZW50YWNpw7NuIGNvbnRhYmxl?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--57747118643092912315370841403274648"
X-Proxmox-VInfo: Heuristics.OLE2.ContainsMacros (clamav)


----57747118643092912315370841403274648
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
 
What are your current rules now?
What is the spam email's spam score?

PMG uses SpamAssassin to check spam mail.
Depending on your spam filter's spam score, spammers can easily bypass it by creating low-spam-score emails.
One good option is to enable DNSBL to detect blacklisted sender IPs, but that also cannot detect/prevent 100% of spam mail.
My recommendation is to block/quarantine the spam sender domain or part of the sender domain using regex.
 
Thanks for the reply, here are the rules. The blocking by regex using the above rules to block a double email address on the same line, I think, is not working. That rule is called "block fake email".
Screenshot from 2019-12-13 23-07-32.png
Screenshot from 2019-12-13 23-08-25.png
 
The rules can only catch From: emails that follow the pattern below.

From: Test2 Test <t2.test@test.de> <libreria@fce.com.co>
From: =?UTF-8?B?QkJCIFJlY2h0c2Fud8OkbHRlIDxrYW56bGVpQGJiYi1yYS5kZT4=?= <test@test.de>

To block From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>, use the regex below.

^.*".*".*<.*>.*$

Or, like I said, block/quarantine the domain @ten.tv or all domains ending with .tv.

Thanks for the reply, but if I understood correctly, that pattern would block it if someone tries to put an email with 2 addresses in the "From"?

Or did I misunderstand?
So from the above email example that came 2 days ago:
Code:
To block From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>, use below regex.
So does it mean that secretaria@clientdomain.com (the client) was hacked by doaa.shaban@ten.tv and was sending it through another domain? So it wasn't masking 2 email addresses?

Thank you
 

Regex pattern ^.*".*".*<.*>.*$ will catch any From: with the format xxx "xxx" <xxx@xxx>. You can read more about how regex works at https://regex101.com/.

Spammers can easily forge any email address or domain they want. They can mix the display name and the actual email address to trick the receiver into opening the spam mail.

https://askleo.com/why_are_email_addresses_sometimes_in_anglebrackets/
 
Thank you for the reply; correct me if I understood correctly.
Regex pattern ^.*".*".*<.*>.*$ will catch any From: with xxx "xxx" <xxx@xxx> format.
So this filter rule I have on PMG will block it if someone emails something like this:
Code:
mr smith "robot" <bad@email.com>

So I guess my question is: what pattern would block something like this? So in theory secretaria@clientdomain.com is the display name of the email and the real email is doaa.shaban@ten.tv?
Code:
"secretaria@clientdomain.com" <doaa.shaban@ten.tv>
 
1. Use the mail filter test string option to test your rules. You might want to be careful using regex, as it could detect/block other legitimate email senders.

Capture11.JPG

2. Yes.
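The two points made in the replies above (the three Match Field regexes, and the distinction between the display name and the real address, together with the warning that a regex can also hit legitimate senders) can be tried offline with the script below. It is an added example written for this edit, not PMG code and not from any poster in the thread. It assumes that PMG applies a Match Field regex to the raw, still RFC 2047-encoded From: value (the thread's separate UTF-8 rule suggests this but does not confirm it). The sample From: lines are the ones posted in the thread, plus one Outlook-style `"user@domain" <user@domain>` line modelled on the To: headers shown; the Received-SPF line in the sample message is constructed for illustration, since the ten.tv headers posted above contain none.

```python
"""Check From: headers for display-name spoofing and compare with the PMG
regex rules posted in the thread.  Run stand-alone: python3 from_spoof_check.py
"""
import re
from email import message_from_string
from email.header import decode_header

# The three Match Field regexes from the thread.  Assumption: PMG applies them
# to the raw (still RFC 2047 encoded) From: value, which is why the thread
# needs a separate "UTF-8" rule; the thread does not confirm this.
PMG_RULES = {
    "double-angle": re.compile(r"^.*<.*>.*<.*>.*$"),
    "encoded-utf8": re.compile(r"^.*UTF-8.*<.*>.*$"),
    "quoted-name": re.compile(r'^.*".*".*<.*>.*$'),
}

ANGLE_ADDR = re.compile(r"<([^<>]+)>")                        # <addr-spec>
EMAIL_TOKEN = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")      # anything address-like
ENVELOPE_FROM = re.compile(r'envelope-from="?([^";\s]+)"?')   # PMG Received-SPF style


def decode_rfc2047(raw: str) -> str:
    """Decode =?charset?B|Q?...?= encoded words; plain text passes through."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def pmg_rule_hits(raw_from: str) -> list:
    """Names of the thread's regexes that fire on this raw From: value."""
    return [name for name, rx in PMG_RULES.items() if rx.match(raw_from)]


def analyse_from(raw_from: str) -> dict:
    """The real sender is the last <addr-spec>; every other address-looking
    token (in the display name, or an earlier <...>) is a claim that must
    equal the real sender, otherwise the header is masking who sent it."""
    decoded = decode_rfc2047(raw_from)
    angle = ANGLE_ADDR.findall(decoded)
    real = (angle[-1] if angle else decoded).strip()
    claimed = sorted({t for t in EMAIL_TOKEN.findall(decoded)
                      if t.lower() != real.lower()})
    return {"real": real, "claimed": claimed, "spoofed": bool(claimed)}


def check_message(raw_message: str) -> dict:
    """Run the From: analysis on a whole message and record what SPF vouched
    for.  SPF 'pass' covers the envelope-from domain only, never the display
    name, so a message can pass SPF and still be a display-name spoof."""
    msg = message_from_string(raw_message)        # compat32: raw header values
    verdict = analyse_from(msg["From"])
    spf = msg.get("Received-SPF", "")
    env = ENVELOPE_FROM.search(spf)
    verdict["spf_pass"] = spf.strip().lower().startswith("pass")
    verdict["envelope_domain"] = env.group(1).rpartition("@")[2].lower() if env else None
    verdict["pmg_hits"] = pmg_rule_hits(msg["From"])
    return verdict


# From: values posted in the thread, plus one legitimate Outlook-style line
# (display name equal to the address, as in the thread's To: headers) that the
# quoted-name regex also matches: the false positive the test-string advice warns about.
SAMPLE_FROMS = [
    'Test2 Test <t2.test@test.de> <libreria@fce.com.co>',
    '=?UTF-8?B?QkJCIFJlY2h0c2Fud8OkbHRlIDxrYW56bGVpQGJiYi1yYS5kZT4=?= <test@test.de>',
    '"secretaria@clientdomain.com" <doaa.shaban@ten.tv>',
    '"jvelez@mydomain.com" <jvelez@mydomain.com>',
    'Salman Agha <Salman.agha@icecreamlab.ae>',
]

# Constructed message modelled on the ten.tv headers in the thread; the
# Received-SPF line is invented for illustration (the original post showed none).
SPOOFED_MSG = """\
Return-Path: doaa.shaban@ten.tv
Received-SPF: pass (ten.tv: Sender is authorized to use 'doaa.shaban@ten.tv' in 'mfrom' identity) receiver=pmg.example.com; identity=mailfrom; envelope-from="doaa.shaban@ten.tv"; helo=email.ten.tv; client-ip=41.33.58.242
From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>
To: "jvelez@mydomain.com" <jvelez@mydomain.com>
Subject: test

(body omitted)
"""

if __name__ == "__main__":
    for raw in SAMPLE_FROMS:
        print(f"{raw}\n    PMG hits: {pmg_rule_hits(raw)}\n    {analyse_from(raw)}")
    print(check_message(SPOOFED_MSG))
```

Running it shows why the thread went the way it did: each of the three regexes fires on exactly one of the posted spoofs and misses the other two, the quoted-name regex also fires on the harmless `"jvelez@mydomain.com" <jvelez@mydomain.com>` line, and the constructed ten.tv message comes back with `spf_pass` true and `spoofed` true at the same time, because SPF only vouches for the ten.tv envelope sender. Comparing every address-looking token against the last angle-addr catches all three posted spoofs and leaves the two legitimate lines alone, at the cost of decoding the header first, which a raw-header regex in PMG cannot do.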
 
Thanks for the reply, but if I understood correctly, that pattern would block it if someone tries to put an email with 2 addresses in the "From"?

Or did I misunderstand?
So from the above email example that came 2 days ago:
Code:
To block From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>, use below regex.
So does it mean that secretaria@clientdomain.com (the client) was hacked by doaa.shaban@ten.tv and was sending it through another domain? So it wasn't masking 2 email addresses?

Thank you
Of course the account was hacked.

This kind of attack is called email spoofing: the hacker uses a hacked email account and a known email address from your contact list, then sends an email you recognize as coming from your friend, with an attachment, but coming from another email address.

Generally, users do not check the original message or do not suspect anything because of the lack of security training, so they open the attachment and "BINGO!", they are hacked too, with a trojan.

There are steps before the hacker does this attack. First, the attacker must look for your list of known friends' emails. He can search for every known destination address you have sent mail to, and if they succeed in hacking them, they send you an email from a valid hacked account with a part of a conversation you have had with your friends, but it comes like this:

Code:
From: "yourfriendname@yourfrienddomain" <usermailhacked@domainuserhacked>

In other words, the hacker tries to pretend it is your friend sending you an attached file, saying something like "This is the file you asked for" or "I have sent you the quote"; the message is adjusted according to the conversation the hacker has stolen from your friend and you.

Then it is easy to take the victim down, with the trojan being opened by the end user.
 