how do you guys handle spear phishing?
Question asked by Heimir Eidskrem - September 18, 2017 at 4:15 PM
Unanswered
Anyone got some good ideas on how to block this stuff?
We have several clients getting them.
One fell for it and transferred $17,000 to a bank account but they caught it fast so it got reversed.
 
All suggestions welcomed.
 

7 Replies

4
Would definitely like an ST response to this.
1
Hi Heimir. Can you send me the header from the message that made it through? I think I may have a solution for you, but I need to see the header to be sure. Once I confirm the solution, I will post it here for everyone. You can send the header directly to me at linda.pagillo@mailsbestfriend.com. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606

Authorized Reseller of SmarterTools Products
Authorized Reseller of Message Sniffer
2
Hi Linda, here's a header to see if you have a solution. This message isn't from a local domain, but it's similar in that there is some serious spam + fraud + phishing going on that needs to be stopped.
 
Look at all the big domains in this message -- Adobe.com, WebMD, Sam's Club, and even Earthlink.net in the Message-ID -- but none of them match the Return-Path (sending server).  Isn't there some kind of check that can be done to warn the user that this is totally fake?
Return-Path: <TLYAf6MNj1ZEA7nBPa@fce.oralshopup.com>
Received: from fce.oralshopup.com (fce.oralshopup.com [204.12.226.195]) by mail.smartermail15.com with SMTP;
   Thu, 28 Sep 2017 08:27:54 -0400
Received: from localhost (127.0.0.1) by fce.oralshopup.com id pgb97mg8bgcs for <user@smartermail15.com>; Thu, 28 Sep 2017 08:11:38 -0400 (envelope-from <lPIUI7fjMIl2hIA5qi@health.webmd.com>)
Subject: Get a $100 SamsClub Gift Card!
from: SurpriseReward <lPIUI7fjMIl2hIA5qi@demo.adobe.com>
Reply-To: "Hope" <lPIUI7fjMIl2hIA5qi@messages.webmd.com>
Date: Thu, 28 Sep 2017 08:11:38 -0400
To: user@smartermail15.com
Message-ID: <5731685.1118002939152.JavaMail.root@wamui-norfolk.atl.sa.earthlink.net>
MIME-Version: 1.0
Would really like it if SmarterMail could just reject the message entirely because it's so bogus.
 
Thanks,
Kevin
1
Thanks for the sample, Kevin. Is this the entire header? What score did SM give this message?
Linda Pagillo
2
Thanks. I understand. I really can't do much about the verification checks, but we can write filters to stop this kind of thing. SmarterMail already marked this as a weight 20 which is pretty high. If you would like some filters, I can help. As for the verification checks, yes, SM would need to do something about that.
Linda Pagillo
4
Right, this message went to Junk which is better than the Inbox. But that relies on blacklists and Commtouch. Sometimes, those things don't happen and it gets delivered to the Inbox. The user looks at the message, thinks it's legit, and gets phished.
 
My point is that SM should run checks on the From address in the message (SPF, compare to envelope From, Auth for local domains, etc.) to protect users from spoofing. This is common in other email systems and SM staff agrees:
It would be extremely valuable to have a check that verifies the From: header vs the Mail From: passed during the SMTP session.  --SmarterTools
More info here:
Thanks for looking into this!
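The check the two posts above are asking for (header From compared against Return-Path, the envelope-from recorded in the Received trace, Reply-To and the Message-ID domain, plus a "local domain without authentication" rule) can be prototyped from the raw header Kevin pasted. The script below is an added example written for this thread; it is not SmarterMail code and not anything SmarterTools has shipped. It assumes a simplified "registrable domain = last two labels" rule (a production check would use the Public Suffix List), and the `local_domains` and `authenticated` parameters stand in for facts the mail server knows from the SMTP session but which are not present in the header itself.

```python
"""Flag messages whose visible From: does not align with the other sender
identities in the header.  Added example for the thread; not SmarterMail code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header posted in the thread, copied unchanged.
SAMPLE_HEADER = """Return-Path: <TLYAf6MNj1ZEA7nBPa@fce.oralshopup.com>
Received: from fce.oralshopup.com (fce.oralshopup.com [204.12.226.195]) by mail.smartermail15.com with SMTP;
   Thu, 28 Sep 2017 08:27:54 -0400
Received: from localhost (127.0.0.1) by fce.oralshopup.com id pgb97mg8bgcs for <user@smartermail15.com>; Thu, 28 Sep 2017 08:11:38 -0400 (envelope-from <lPIUI7fjMIl2hIA5qi@health.webmd.com>)
Subject: Get a $100 SamsClub Gift Card!
from: SurpriseReward <lPIUI7fjMIl2hIA5qi@demo.adobe.com>
Reply-To: "Hope" <lPIUI7fjMIl2hIA5qi@messages.webmd.com>
Date: Thu, 28 Sep 2017 08:11:38 -0400
To: user@smartermail15.com
Message-ID: <5731685.1118002939152.JavaMail.root@wamui-norfolk.atl.sa.earthlink.net>
MIME-Version: 1.0
"""

# Constructed sample: a message claiming to come from a local user, delivered
# over an unauthenticated inbound session (the wire-transfer scenario).
LOCAL_SPOOF_HEADER = """Return-Path: <bounce@fce.oralshopup.com>
From: "CEO" <ceo@smartermail15.com>
To: user@smartermail15.com
Subject: Urgent wire transfer
"""


def org_domain(address: str) -> str:
    """Registrable domain of an address or Message-ID, lower-cased.
    Assumption/simplification: last two labels.  Use the Public Suffix
    List in real code so that names like example.co.uk are handled."""
    domain = address.strip("<> ").rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def sender_identities(raw_header: str) -> dict:
    """Collect every field in the header that names a sender domain."""
    msg = message_from_string(raw_header)
    ids = {}
    for field in ("From", "Return-Path", "Reply-To"):
        value = msg.get(field)
        if value:
            ids[field] = parseaddr(value)[1]
    # The relay's own record of MAIL FROM, if it wrote one into Received:.
    for received in msg.get_all("Received", []):
        m = re.search(r"envelope-from\s+<([^>]+)>", received)
        if m:
            ids["Received envelope-from"] = m.group(1)
            break
    mid = msg.get("Message-ID")
    if mid and "@" in mid:
        ids["Message-ID"] = mid
    return ids


def check_alignment(raw_header: str, local_domains=(), authenticated=False) -> dict:
    """Compare each sender identity with the visible From: domain.

    local_domains / authenticated are hypothetical inputs standing in for what
    the receiving server knows about the SMTP session (not in the header)."""
    ids = sender_identities(raw_header)
    from_org = org_domain(ids.get("From", ""))
    mismatches = {
        field: org_domain(addr)
        for field, addr in ids.items()
        if field != "From" and org_domain(addr) != from_org
    }
    # A From: in one of our own domains that did not arrive over an
    # authenticated session is the classic CEO-fraud shape: reject outright.
    spoofed_local = from_org in {d.lower() for d in local_domains} and not authenticated
    if spoofed_local:
        verdict = "reject"
    elif mismatches:
        verdict = "quarantine"
    else:
        verdict = "pass"
    return {"from_domain": from_org, "mismatches": mismatches,
            "spoofed_local": spoofed_local, "verdict": verdict}


if __name__ == "__main__":
    for name, hdr in (("thread sample", SAMPLE_HEADER), ("local spoof", LOCAL_SPOOF_HEADER)):
        report = check_alignment(hdr, local_domains=("smartermail15.com",))
        print(f"{name}: From={report['from_domain']} verdict={report['verdict']}")
        for field, dom in report["mismatches"].items():
            print(f"  {field} -> {dom}")
```

On the thread's sample the four other identities resolve to oralshopup.com, webmd.com, webmd.com and earthlink.net against a From: of adobe.com, so the message is quarantined; the local-spoof sample is rejected because the From: is a local domain and the session was not authenticated. Note that this is a header-consistency check only: it says nothing about whether adobe.com actually authorised the sending host, which is what an SPF or DKIM evaluation would add.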
0
I'm trying to get DKIM going to try to stop this and see if that works. Has anyone been successful with that?
