Suggestions on how to stop a spoof, with from name and then matching domains?

[MiamiJack]

Hello All,

This isn't a typical scenario, but I think it's common.

An email comes in from Joe Smith<JoeSmith237@Gmail.com>, now Joe is CEO of a company and the message says wire transfer money to this address.
Many times people don't look at the from email address and thus can make a critical mistake.

My Question is what is the best way to take the from Name "Joe Smith" and then validate it against a list of allowed email address, if it's not from those addresses, then quarantine it to a specific quarantine address?

Lets say valid addresses are JoeSmith@Company1.com, Joe@Company2.com etc.

Any suggestions or examples appreciated.

Thanks

 

[hata_ph]

This is my own opinions/experiences.

1. Use DNSBL. It will block a lot of blacklisted sources IP.
2. Use SPF checking. It will help to detect if sending sources IP is not from allowed sources.
3. Study the spam email raw header and contents. Use PMG's mail filter and spamassassin's custom rules to quarantine/block spam mails.

Dec 17 23:12:57 pmg postfix/postscreen[25790]: NOQUEUE: reject: RCPT from [37.49.225.154]:63626: 550 5.7.1 Service unavailable; client [37.49.225.154] blocked using zen.spamhaus.org; from=<user1@mydomain.com>, to=<user1@mydomain.com>, proto=ESMTP, helo=<mydomain.com>

Dec 19 07:54:25 pmg postfix/smtpd[11296]: warning: hostname exabytes-1942867.mschosting.org does not resolve to address 103.18.244.112: Name or service not known
Dec 19 07:54:25 pmg postfix/smtpd[11296]: connect from unknown[103.18.244.112]
Dec 19 07:54:25 pmg postfix/smtpd[11296]: NOQUEUE: reject: RCPT from unknown[103.18.244.112]: 554 5.7.1 <user1@mydomain.com>: Recipient address rejected: Rejected by SPF: 103.18.244.112 is not a designated mailserver for admin%40keel.com.tw (context mfrom, on pmg.mydomain.com); from=<admin@keel.com.tw> to=<user1@mydomain.com> proto=ESMTP helo=<H375390184669VM.home>
Dec 19 07:54:25 pmg postfix/smtpd[11296]: disconnect from unknown[103.18.244.112] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Delivered-To: user1@mydomain.com
Return-Path: creditmanagement@sender.com
Received-SPF: none (sender.com: No applicable sender policy available) receiver=pmg.emydomain.com; identity=mailfrom; envelope-from="creditmanagement@sender.com"; helo=nttbulkgw01.sender.com; client-ip=203.82.70.51
Received: from nttbulkgw01.sender.com (unknown [203.82.70.51])
    by pmg.mydomain.com (Proxmox) with ESMTP
    for <user1@mydomain.com>; Fri, 18 Dec 2020 23:47:04 +0800 (+08)
X-AuditID: 0a05861c-a39ff7000000123b-9a-5fdcce93d040
Received: from m2m-up01 (Unknown_Domain [10.204.232.4])
    by nttbulkgw01.sender.com (Symantec Messaging Gateway) with SMTP id EE.72.04667.39ECCDF5; Fri, 18 Dec 2020 23:45:23 +0800 (MYT)
Date: Fri, 18 Dec 2020 23:45:23 +0800 (MYT)
From: creditmanagement@sender.com
To: user1@mydomain.com
Cc: user2@sender.com
Message-ID: <1024517550.229601608306323494.JavaMail.nportal@m2m-up01>
Subject: M2M Connected Services : YOUR BILL IS READY
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_45920_1116809482.1608306323489"
X-SPAM-LEVEL: Spam detection results:  2
    AWL                     0.200 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DEAR_SOMETHING          1.973 Contains 'Dear (something)'
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    RDNS_NONE               0.793 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NONE                0.001 SPF: sender does not publish an SPF Record

 

[MiamiJack]

Hello,

I do use all of the methods you mentioned.
The key is the spammers signs it as "Bob Smith"<BobSmith@gmail.com>
So SPF is good because it comes from a gmail server, DNSBL and other RBL's are good because Google won't get easily blacklisted.

I think spamassasin may be my only path.
Something where if it's from "BobSmith" and from x,y,z domains, then it's good otherwise, quarantine or reject.

 

[hata_ph]

Mail filter can do subject filtering.

 

[MiamiJack]

The subject changes, it would be "Display Name" if it matches, then check the sender email address, if that passes, it's good to be delivered, if not quarantine.

 

[Roberto Blandino IBW]

The subject changes, it would be "Display Name" if it matches, then check the sender email address, if that passes, it's good to be delivered, if not quarantine.

It would be a path to analyze all incoming domains, and storage the source ip and from domain, then after the day or when an spoofed email is detected, mark the domain and ip and then apply a rule to only allow the right domain and right ip.

For example on all day i got following info:

domain1 ip1
domain2 ip2
domain3 ip3
domain1 ip4
domain1 ip5
domain1 ip1
domain1 ip1


For example, it can be saved on a mysql db or plantext and by using sorts and unified methods you can detect a domain with many ips [ip1, ip4, ip5], the next step at the end of the day is to send a message advertising about the spoofed mails, then is our task to analyze the right ip ip1 or ip4 or ip5 it is identified byt using dig tools analyzing TXT SPF Registry, suposing that domain1 should always come from ip1, then make a rule to allow always and only all match domain from domain1 and from ip1, else deny unmatches.

This is a long but possible manual solution to avoid massive and unstopable spoofed and phishing attacks.

It will not stop a spoofed address coming from same domain1 for example, the spammers evolve and we need to evolve with them.

It would be grate a learning tool on proxmox to help on this to set a third database server and send all stats there and use it for IA mailing stats.

 

[bbrendon]

@MiamiJack Did you figure this out?

 

[MiamiJack]

We will just keep focusing on SPF & DKIM to hopefully accomplish it, but there was no extra function we could do to stop it from happening.

 

[bbrendon]

@MiamiJack The best I could come up with is to automatically quarantine emails from people that have the same name as someone in the company. People would then have to basically white list email addresses to bypass the Quarantine. You can build out this rule using the GUI but if you have a lot of people, you would have to probably come up with some kind of script.

Also, it might be better to only have this rule apply to high value targets, CEO, accounting, etc. But I didn't take it that far.

 

[MiamiJack]

@MiamiJack The best I could come up with is to automatically quarantine emails from people that have the same name as someone in the company. People would then have to basically white list email addresses to bypass the Quarantine. You can build out this rule using the GUI but if you have a lot of people, you would have to probably come up with some kind of script.

Also, it might be better to only have this rule apply to high value targets, CEO, accounting, etc. But I didn't take it that far.

I do have some SA rules that are making sure the key names match what I call the legitimate email addresses, that does help with some fakes, but the problem is Joe.Smith@Domain.com can send a message even though his SPF doesn't match, and it didn't originate from a legitimate source.

 

[Shotgun Teddy]

@MiamiJack The best I could come up with is to automatically quarantine emails from people that have the same name as someone in the company. People would then have to basically white list email addresses to bypass the Quarantine. You can build out this rule using the GUI but if you have a lot of people, you would have to probably come up with some kind of script.

Also, it might be better to only have this rule apply to high value targets, CEO, accounting, etc. But I didn't take it that far.

I do have some SA rules that are making sure the key names match what I call the legitimate email addresses, that does help with some fakes, but the problem is Joe.Smith@Domain.com can send a message even though his SPF doesn't match, and it didn't originate from a legitimate source.

Hey would one of you guys be willing to demonstrate/explain how you did this? I'm trying to do the same thing. My company gets hit by a bunch of well crafted phishing emails, where the From always spoofs an actual user at my job. I'm also trying to build some type of validation that checks the users display name to his actual email address, and block emails that don't match or quarantine.

 

[MiamiJack]

I created a spamassasin rule the defines the LEGIT email from address.
Now this ONLY works when the From has "Joe RealJoe" showing that the spammer is trying to look like it comes from the key people, but then they send the email from an email address not defined in our rule.
So "Joe RealJoe <some@other.com>" would fail and get the full score of 10.
This is different than SPF/DKim which also should be used.

#Joe RealJoe Phishing Rule  03-30-2023
header __PHISH_NAME_JR From:name =~ /Joe RealJoe|Joe.RealJoe/i
header __PHISH_ADDR_JR From:addr =~/Joe.RealJoe\@RealEmail.com|J.RealJoe\@MyOtherLegitemail.com/i
meta   PHISH_JR  __PHISH_NAME_JR && !__PHISH_ADDR_JR
score  PHISH_JR 10