Phising Emails

[rojoblandino]

If you want to block any FAKE MAIL the REGEX should be:

"[\w-\.]+@([\w-]+\.)+[\w-]{2,4}" <[\w-\.]+@([\w-]+\.)+[\w-]{2,4}>

Then this will block any From with two emails in following pattern: "xxx@xxx" <xxx@xxx>

This will be blocked:

"secretaria@clientdomain.com" <doaa.shaban@ten.tv>

And this will be allowed:

"USER NAME" <username@domain>

But there are valid mails with malformed "USER NAME" that users on Outlook use their mail as username, then this kind of mails will be blocked.

I recommend to do a NOTIFY ONLY to ADMIN and WATCH all notifications, in this case you can do a preemptive action, or send them to QUARANTINE and answer to thoses users to fix their mail client configuration.

There is another situation. A mail answering with a header

FROM: "user1" <user1@domain>

a mail that has a forward or answer using

FROM: "user@domain" <user@domain>

will be match too, so before getting something nasty firs i recommend to only notify those match rules.

Something sane like this for example:





If after a while you get that is what you decire, add the action to "QUARANTINE" to retain all activity mal formed or fake mails.

 

[rojoblandino]

I am still working to find a way to tell the regex to say true when on FROM the @domain, is repeated more than once and differ.

The rule must fit only on From headers with two mails and both may differ.

It should not match:

From: "user1@domain1" <user1@domain1>
From: "user" <user@domain>
From: user@domain

It should match:

From: "user1@domain1" <user2@domain2>

REMEMBER: Any regex you test, do not block it or apply any action that may cause a lose of mails. Always apply only a notification action to ensure what the rule is matching and if it fits your desires.

 

[killmasta93]

@rojoblandino thanks for the info im going to try it out and post back how it goes

 

[killmasta93]

@rojoblandino hi there quick question not sure if this filter also captures the following? Currently today i got this email im attaching the raw headers
its odd because the email came from ccl2srcv.com but on outlook it appeared as mydomain.com it was trying to fake the email and trick the user to reply.

Return-Path: <www-data@vmi433318.contaboserver.net>
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.3.170) by mail.mydomain.com with LMTP; Wed, 11 Nov 2020
 10:48:51 -0500 (COT)
Received: from mail.mydomain.com (unknown [192.168.3.169])
    by mail.mydomain.com (Postfix) with ESMTPS id 7E8C136931D7
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:51 -0500 (-05)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id 6EFF13C1651
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:51 -0500 (-05)
Received-SPF: temperror (vmi433318.contaboserver.net: Time-out on DNS 'TXT' lookup of 'vmi433318.contaboserver.net') receiver=mail.mydomain.com; identity=mailfrom; envelope-from="www-data@vmi433318.contaboserver.net"; helo=vmi433318.contaboserver.net; client-ip=173.249.38.177
Received: from vmi433318.contaboserver.net (vmi433318.contaboserver.net [173.249.38.177])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id 39D8C3C1617
    for <contabilidad@mydomain.com>; Wed, 11 Nov 2020 10:48:48 -0500 (-05)
Received: by vmi433318.contaboserver.net (Postfix, from userid 33)
    id 3B9E11000BD4; Wed, 11 Nov 2020 16:48:39 +0100 (CET)
To: contabilidad@mydomain.com
Subject: kpmg
MIME-Version: 1.0
Content-type:text/html;charset=UTF-8
From: User Name  Mesa <username@mydomain.com>
Reply-To: User Name<email@ccl2srv.com>
Message-Id: <20201111154840.3B9E11000BD4@vmi433318.contaboserver.net>
Date: Wed, 11 Nov 2020 16:48:39 +0100 (CET)
X-SPAM-LEVEL: Spam detection results:  0
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    HTML_MIME_NO_HTML_TAG   0.377 HTML-only message, but there is no HTML tag
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    T_SPF_TEMPERROR          0.01 SPF: test of record failed (temperror)

<p>Buenos d&iacute;as,</p>

<p>&nbsp;<br />
Te ha contactado el xxxx por la ma&ntilde;ana?</p>

<p>&nbsp;<br />
Saludos,</p>

<p>User Name&nbsp;</p>

<p><br />
Enviado desde mi dispositivo m&oacute;vil</p>

 

[killmasta93]

@rojoblandino also out of curisotiy how could i replicate the fake email so i can trigger the rule haven't got any alerts yet so far

 

[InGenetic]

Setup a filter rules to filter out the actual domain @cavalieridellarcadellalleanza.it or use regex for all domain that end with .it.
You can set to block or quarantine. It work for me and make sure the filter rules is at top priority.

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.it(\W|$)

Hi, hata_ph,

please let me know how to add / use this regex on proxmox mail gateway, because I have the same problem. Receive alot of spam email which look like from our internal email users .

 

[hata_ph]

Hi, hata_ph,

please let me know how to add / use this regex on proxmox mail gateway, because I have the same problem. Receive alot of spam email which look like from our internal email users .

Who object -> regular expression. Then create a mail filter rules using the object to block/quarantine email.

 

[InGenetic]

Who object -> regular expression. Then create a mail filter rules using the object to block/quarantine email.

View attachment 40381

Hi hata_ph,

thanks for you reply , it's done now.
btw , there's some case on my user mail server, get spam like this :
they received the email from their email too, for ex :
email from : james@yyy.com to james@yyy.com
but i'm sure is not from them.

how to mark this kind of email as spam and quarantine this kind of email on proxmox mail gateway ?

please advice

 

[hata_ph]

@InGenetic, pls provide the spam mail in raw format.