Stopping Phishing attacks with proper name but wrong email address

dthompson

I have a domain that's currently under attack by way of a phishing attack.

The attack has the proper person's name (either a current or a previous employee), but the email address isn't correct.

This is causing confusion amongst the employees and quite a few are getting through.

How would I go about stopping this on the PMG side?

Incoming would be:
From: David Thompson <john@someotherdomain.net>

I can block based on subject, but the subject is actually one that one of the employees sends out every week to customers, so if they were to reply, it would either be rejected, dropped, or quarantined depending on how I set up the filter. Not ideal.
 
Here you go. Thanks!

MAIL LOG:
Oct 21 10:50:02 swarmx1 postfix/smtpd[552650]: connect from localhost[127.0.0.1]
Oct 21 10:50:02 swarmx1 postfix/smtpd[552650]: E4BC3602A6: client=localhost[127.0.0.1], orig_client=mx1.visualedgedesign.com[184.173.49.130]
Oct 21 10:50:02 swarmx1 postfix/cleanup[552935]: E4BC3602A6: message-id=<20201021145002.E4BC3602A6@swarmx1.mailhive.ca>
Oct 21 10:50:02 swarmx1 postfix/qmgr[514]: E4BC3602A6: from=<rauchwellness@wellnessspeakers.org>, size=134700, nrcpt=1 (queue active)
Oct 21 10:50:02 swarmx1 postfix/smtpd[552650]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553165]: 802E05F904A9A6662D: accept mail to <info@realdomain.com> (E4BC3602A6) (rule: default-accept)
Oct 21 10:50:02 swarmx1 postfix/smtp[551418]: Trusted TLS connection established to 192.168.11.221[192.168.11.221]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553165]: 802E05F904A9A6662D: processing time: 0.524 seconds (0.354, 0.135, 0)
Oct 21 10:50:02 swarmx1 postfix/lmtp[552812]: 11C7E60276: to=<info@realdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.66/0/0/0.53, dsn=2.5.0, status=sent (250 2.5.0 OK (802E05F904A9A6662D))
Oct 21 10:50:02 swarmx1 postfix/qmgr[514]: 11C7E60276: removed
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553196]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE .*xyz$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553196]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE .*.guru$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553196]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE .*.buzz$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553196]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE .*cyou$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553196]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE .ezpopsy.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct 21 10:50:02 swarmx1 pmg-smtp-filter[553196]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE .*seaexposervice.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct 21 10:50:03 swarmx1 postfix/smtp[551418]: E4BC3602A6: to=<info@realdomain.com>, relay=192.168.11.221[192.168.11.221]:25, delay=0.13, delays=0.01/0/0.04/0.07, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Oct 21 10:50:03 swarmx1 postfix/qmgr[514]: E4BC3602A6: removed

RAW HEADERS:
Received: from swarmx1.mailhive.ca (192.168.11.218) by colony (Axigen)
with (ECDHE-RSA-AES128-GCM-SHA256 encrypted) ESMTPS id 3FEB99;
Wed, 21 Oct 2020 10:50:05 -0400
Received: from swarmx1.mailhive.ca (localhost [127.0.0.1])
by swarmx1.mailhive.ca (Proxmox) with ESMTP id A6CF5602A6
for <info@realdomain.com>; Wed, 21 Oct 2020 10:50:05 -0400 (EDT)
Received-SPF: pass (wellnessspeakers.org: Sender is authorized to use
'rauchwellness@wellnessspeakers.org' in 'mfrom' identity (mechanism
'include:visualedgedesign.com' matched)) receiver=swarmx1.mailhive.ca;
identity=mailfrom; envelope-from="rauchwellness@wellnessspeakers.org";
helo=mx1.visualedgedesign.com; client-ip=184.173.49.130
Received: from mx1.visualedgedesign.com (mx1.visualedgedesign.com
[184.173.49.130])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested) by swarmx1.mailhive.ca (Proxmox)
with ESMTPS id E0EA060276 for <info@realdomain.com>;
Wed, 21 Oct 2020 10:50:04 -0400 (EDT)
X-SmarterMail-Authenticated-As: rauchwellness@wellnessspeakers.org
Received: from [141.237.86.199] (ppp141237086199.access.hol.gr
[141.237.86.199]) by mx1.visualedgedesign.com with SMTP;
Wed, 21 Oct 2020 09:50:03 -0500
Date: Wed, 21 Oct 2020 17:50:01 +0200
From: "Tamar Bitton" <rauchwellness@wellnessspeakers.org>
To: "Office" <info@realdomain.com>
Subject: Re: On Call Schedule September 15-16
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--2419711761043113293242287898918186"
X-Declude-Sender: rauchwellness@wellnessspeakers.org [141.237.86.199]
X-Declude-Spoolname: 37832265.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Outgoing Score [0] at 09:50:05 on 21 Oct 2020
X-Declude-Tests: None
X-Country-Chain:
X-Declude-Code: 0
X-HELO: [141.237.86.199]
X-Identity: 141.237.86.199 | | realdomain.com
X-SPAM-LEVEL: Spam detection results: 0
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
Alignment
KAM_NUMSUBJECT 0.5 Subject ends in numbers excluding current years
MIME_BOUND_DD_DIGITS 1.373 Spam tool pattern in MIME boundary
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
MISSING_MID 0.497 Missing Message-Id: header
RCVD_IN_MSPIKE_H3 0.001 Good reputation (+3)
RCVD_IN_MSPIKE_WL 0.001 Mailspike good senders
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Message-Id: <20201021145005.A6CF5602A6@swarmx1.mailhive.ca>
X-AXIGEN-DK-Result: No records
DomainKey-Status: no signature
X-AXIGEN-DKIM-Result: No records
DKIM-Status: no signature
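
The headers above show why address authentication does not catch this: Received-SPF is a pass, but it passes for wellnessspeakers.org, the domain the message was really sent from, and nothing authenticates the display name "Tamar Bitton". The check that matters is the one described in the first post: an employee's name on an address outside the organisation's own domains. The following is an added example, not code from the thread or from Proxmox Mail Gateway; the employee list, the internal domain and the three sample header sets are constructed for illustration.

```python
"""Detect display-name spoofing: an employee's name on a non-company From: address.

Added example for the thread above, not code from the original post or from
Proxmox Mail Gateway. The employee list, the internal domain and the sample
headers below are constructed for illustration.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumptions: the protected domain(s) and the display names of current and
# former staff (the thread notes the attack reuses previous employees' names).
INTERNAL_DOMAINS = {"realdomain.com"}
EMPLOYEE_NAMES = {"David Thompson", "Tamar Bitton", "S White", "V Logan-White"}


def normalise(name: str) -> list:
    """Lower-case, drop punctuation and split: '"T. Bitton"' -> ['t', 'bitton']."""
    return re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()


def matches_employee(display_name: str) -> bool:
    """True if the display name is an employee's name, or an initial+surname form of it."""
    got = normalise(display_name)
    if not got:
        return False
    for employee in EMPLOYEE_NAMES:
        want = normalise(employee)
        if got == want:
            return True
        # 'T Bitton' vs 'Tamar Bitton': same surname, leading token is an initial
        if (len(got) >= 2 and len(want) >= 2
                and got[-1] == want[-1] and want[0].startswith(got[0])):
            return True
    return False


def spoof_check(raw_message: str) -> dict:
    """Parse From: (RFC 2047 decoded) and decide whether it is a display-name spoof."""
    msg = message_from_string(raw_message)
    from_header = str(make_header(decode_header(msg.get("From", ""))))
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # First token of Received-SPF, e.g. 'pass'; 'none' when the header is absent
    parts = msg.get("Received-SPF", "").split()
    spf = parts[0].lower() if parts else "none"
    internal = domain in INTERNAL_DOMAINS
    known_name = matches_employee(name)
    return {
        "name": name,
        "addr": addr,
        "spf": spf,
        "internal_domain": internal,
        "name_matches_employee": known_name,
        # SPF/DKIM vouch only for the sender's own domain, so they are not consulted:
        # the spoof is an employee's name on an address the organisation does not own.
        "spoofed": known_name and not internal,
    }


# Constructed samples modelled on the thread's headers (not the real messages).
SPOOFED = """\
Received-SPF: pass (wellnessspeakers.org: Sender is authorized) identity=mailfrom
From: "Tamar Bitton" <rauchwellness@wellnessspeakers.org>
To: "Office" <info@realdomain.com>
Subject: Re: On Call Schedule September 15-16

body omitted
"""
LEGIT = """\
From: "Tamar Bitton" <tbitton@realdomain.com>
To: "Office" <info@realdomain.com>
Subject: On Call Schedule September 15-16

body omitted
"""
CUSTOMER_REPLY = """\
Received-SPF: pass (example.net: Sender is authorized) identity=mailfrom
From: "Pat Customer" <pat@example.net>
To: "Office" <info@realdomain.com>
Subject: Re: On Call Schedule September 15-16

body omitted
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("customer", CUSTOMER_REPLY)):
        print(label, spoof_check(sample))
```

Keying on the From: header rather than the subject or body leaves the weekly "On Call Schedule" traffic alone: a customer replying from their own domain carries their own name, not an employee's, and staff mail from realdomain.com keeps its internal address. Only the combination of a staff name and a foreign address fires.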
 
Thanks. The problem with the IPs is that they come from all over when other servers are sending the attacks. The other problem, and I thought about filtering on the body, is that the organization actually sends out communications with what's in the body, so if they sent out an email to a customer and the customer replied, the body filter would catch the return reply and reject/discard the message, and the customer would never get the email reply.
 
Does the spam contain valid email contents also?
Yes it does, believe it or not. It's the most advanced phishing I've ever seen. It contains real previously sent emails, but the dates are from the past.
It looks similar to below:


Re: On Call Schedule September 15-16

Password: D30HcQK


T Bitton
email@realdomain.com

:)

T Bitton
Student-at-Law

This E-mail contains legally privileged and confidential information intended only for the individual or entity named in the message. If the reader of this message is not the intended recipient, or the agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited. If this communication was received in error, please notify the sender by reply E-mail and delete the original message.

On Sep 14, 2018, at 6:14 PM, S White <email@realdomain.com> wrote:

Oh lucky us!

C. S WHITE
Real Domain,
criminal lawyers
Office: <phone>
Mobile: <phone>
Fax: <phone>
swhite@realdomain.com

This e-mail contains legally privileged and confidential information intended only for the individual or entity named in the message. If the reader of this message is not the intended recipient, or the agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited. If this communication was received in error, please notify the sender by reply e-mail and delete the original message.

On Sep 14, 2018, at 4:21 PM, V Logan-White <lwhite@realdomain.com> wrote:

Happy Friday! S White and T Bitton are on call this weekend, have a fabulous weekend.
<h08B0A8BF>
 
Maybe a SpamAssassin custom rule to score the "password" keyword in the email body?

Code:
body      test1    /password/i
describe  test1    test1
score     test1    0.5
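
A body rule on "password" will also score legitimate replies that mention a password. The check from the first post can be expressed directly as a SpamAssassin header rule instead. The fragment below is an added example, not the poster's rule and not a Proxmox default; it assumes Proxmox Mail Gateway's custom rule file, /etc/mail/spamassassin/custom.cf, with pmg-smtp-filter restarted after editing (both taken from the PMG documentation rather than from this thread), and it uses the From:name and From:addr header selectors available in SpamAssassin 3.4 and later. Names, domain and score are placeholders to adjust for the site.

```conf
# Added example for /etc/mail/spamassassin/custom.cf (assumed location);
# restart pmg-smtp-filter afterwards. Names and domain are placeholders.

# Sub-rule: the From: display name is one of our current or former employees.
header   __FROM_NAME_IS_STAFF   From:name =~ /\b(?:David Thompson|Tamar Bitton|S White)\b/i

# Sub-rule: the From: address is not in a domain we own.
header   __FROM_ADDR_EXTERNAL   From:addr !~ /\@realdomain\.com$/i

# Fire only when both hold. Staff mail from realdomain.com and customer replies
# carrying the customer's own name are unaffected, so the weekly "On Call
# Schedule" messages and their replies still flow.
meta     STAFF_NAME_EXTERNAL_ADDR   (__FROM_NAME_IS_STAFF && __FROM_ADDR_EXTERNAL)
describe STAFF_NAME_EXTERNAL_ADDR   Employee display name on an external From: address
score    STAFF_NAME_EXTERNAL_ADDR   5.0
```

A separate point visible in the mail log posted earlier: the WARNING lines come from Who-object regexes compiled as `^*.*xyz$`, `^*.*.buzz$` and so on. Perl reads the `*` immediately after `^` as a quantifier on the anchor, which matches the empty string, so the patterns still match but emit a warning on every message. Removing that leading `*` (and escaping the dot, e.g. `.*\.xyz$`, `.*\.ezpopsy\.com$`) keeps the same matches without the noise.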
 
