how do you guys handle spear phishing?
Question asked by Heimir Eidskrem - September 18, 2017 at 4:15 PM
Unanswered
Anyone got some good ideas on how to block this stuff?
We have several clients getting them.
One fell for it and transferred $17,000 to a bank account but they caught it fast so it got reversed.
 
All suggestions welcomed.
 

14 Replies

0
kevind Replied
This is a known issue. Hoping SM will fix this vulnerability, first posted in April 2016, that allows a spear phisherman to spoof a mailbox on a local domain.
https://portal.smartertools.com/community/a87739/local-domains-being-spoofed.aspx

4
Paul Blank Replied
Would definitely like an ST response to this.
1
Hi Heimir. Can you send me the header from the message that made it through? I think I may have a solution for you, but I need to see the header to be sure. Once I confirm the solution, I will post it here for everyone. You can send the header directly to me at linda.pagillo@mailsbestfriend.com. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606

Authorized Reseller of SmarterTools Products
Authorized Reseller of Message Sniffer
2
kevind Replied
Hi Linda, here's a header to see if you have a solution. This message isn't from a local domain, but it's similar in that there is some serious spam + fraud + phishing going on that needs to be stopped.
 
Look at all the big domains in this message -- Adobe.com, WebMD, Sam's Club, and even Earthlink.net in the Message-ID -- but none of them match the Return-Path (sending server).  Isn't there some kind of check that can be done to warn the user that this is totally fake?
Return-Path: <TLYAf6MNj1ZEA7nBPa@fce.oralshopup.com>
Received: from fce.oralshopup.com (fce.oralshopup.com [204.12.226.195]) by mail.smartermail15.com with SMTP;
   Thu, 28 Sep 2017 08:27:54 -0400
Received: from localhost (127.0.0.1) by fce.oralshopup.com id pgb97mg8bgcs for <user@smartermail15.com>; Thu, 28 Sep 2017 08:11:38 -0400 (envelope-from <lPIUI7fjMIl2hIA5qi@health.webmd.com>)
Subject: Get a $100 SamsClub Gift Card!
from: SurpriseReward <lPIUI7fjMIl2hIA5qi@demo.adobe.com>
Reply-To: "Hope" <lPIUI7fjMIl2hIA5qi@messages.webmd.com>
Date: Thu, 28 Sep 2017 08:11:38 -0400
To: user@smartermail15.com
Message-ID: <5731685.1118002939152.JavaMail.root@wamui-norfolk.atl.sa.earthlink.net>
MIME-Version: 1.0
Would really like it if SmarterMail could just reject the message entirely because it's so bogus.
 
Thanks,
Kevin
0
Sorry Linda but I did not see your response. I do not have access to the header. The email address used was not one of theirs but the name used matched employee names. Thank you for taking the time to respond. I really appreciate you and all your help.
1
Thanks for the sample, Kevin. Is this the entire header? What score did SM give this message?
Linda Pagillo
0
My pleasure Heimir. Kevin provided me with a header from a similar situation. I'm going to work with it to see if I can help you guys.
Linda Pagillo
0
kevind Replied
I cut off the bottom 5 lines of the header as I didn't think it mattered.

MIME-Version: 1.0
Content-Type: text/html
X-SmarterMail-Spam: SPF_Pass, X, Y, Bayesian Filtering, Commtouch 10 [value: Confirmed], DKIM_None, Custom Rules []
X-CTCH-RefId: str=0001.0A020201.59CD28F2.00C4,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 20

I realize we might be able to stop this with more/better blacklists, but I think the point of this thread is that there is no verification or checking on the From address in the message body.
2
Thanks. I understand. I really can't do much about the verification checks, but we can write filters to stop this kind of thing. SmarterMail already marked this as a weight 20 which is pretty high. If you would like some filters, I can help. As for the verification checks, yes, SM would need to do something about that.
Linda Pagillo
4
kevind Replied
Right, this message went to Junk, which is better than the Inbox. But that relies on blacklists and Commtouch. Sometimes those things don't happen and it gets delivered to the Inbox. The user looks at the message, thinks it is legit, and gets phished.
 
My point is that SM should run checks on the From address in the message (SPF, compare to envelope From, Auth for local domains, etc.) to protect users from spoofing. This is common in other email systems and SM staff agrees:
It would be extremely valuable to have a check that verifies the From: header vs the Mail From: passed during the SMTP session.  --SmarterTools
More info here:
Thanks for looking into this!
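The check Kevin asks for in this post (compare the From: header with the envelope MAIL FROM, and require authentication when From: claims a local domain) can be illustrated against the header he posted earlier in the thread. The following is an added example, not SmarterMail code or anything from the original posts: it parses a raw header, extracts the domains of Return-Path (falling back to the envelope-from in the Received: line), From:, Reply-To: and Message-ID:, and reports where they disagree. The organizational-domain comparison uses the last two labels, a simplification of the Public Suffix List lookup real DMARC uses; the second sample header, the local-domain list (`example.com`) and the reject/quarantine thresholds are constructed assumptions for the demonstration.

```python
"""Header-alignment check for spoofed From: addresses (illustrative, not SmarterMail code)."""
import email
import re
from email.utils import parseaddr

# Header Kevin posted earlier in this thread, copied verbatim (X-SmarterMail lines omitted).
SAMPLE_HEADER = """\
Return-Path: <TLYAf6MNj1ZEA7nBPa@fce.oralshopup.com>
Received: from fce.oralshopup.com (fce.oralshopup.com [204.12.226.195]) by mail.smartermail15.com with SMTP;
   Thu, 28 Sep 2017 08:27:54 -0400
Received: from localhost (127.0.0.1) by fce.oralshopup.com id pgb97mg8bgcs for <user@smartermail15.com>; Thu, 28 Sep 2017 08:11:38 -0400 (envelope-from <lPIUI7fjMIl2hIA5qi@health.webmd.com>)
Subject: Get a $100 SamsClub Gift Card!
from: SurpriseReward <lPIUI7fjMIl2hIA5qi@demo.adobe.com>
Reply-To: "Hope" <lPIUI7fjMIl2hIA5qi@messages.webmd.com>
Date: Thu, 28 Sep 2017 08:11:38 -0400
To: user@smartermail15.com
Message-ID: <5731685.1118002939152.JavaMail.root@wamui-norfolk.atl.sa.earthlink.net>
MIME-Version: 1.0

"""

# Constructed sample (assumption): an outside host sending mail that claims a local
# domain in From:, with no Return-Path but an envelope-from in the Received: line.
LOCAL_SPOOF_HEADER = """\
Received: from mail.example.net (mail.example.net [203.0.113.5]) by mail.example.com with SMTP; Mon, 18 Sep 2017 16:02:11 -0400 (envelope-from <billing@mail.example.net>)
From: "Jane Doe (CEO)" <jane.doe@example.com>
To: accounts@example.com
Subject: Urgent wire transfer
Message-ID: <20170918160211.1234@mail.example.net>

"""

ENVELOPE_FROM_RE = re.compile(r"envelope-from\s*<([^>]*)>", re.IGNORECASE)


def addr_domain(value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Crude organizational domain: last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def envelope_sender(msg):
    """Envelope MAIL FROM domain: Return-Path if present, else the first envelope-from in Received:."""
    if msg.get("Return-Path"):
        return addr_domain(msg.get("Return-Path"))
    for received in msg.get_all("Received", []):
        match = ENVELOPE_FROM_RE.search(str(received))
        if match:
            return addr_domain(match.group(1))
    return ""


def check_alignment(raw_header, local_domains=(), smtp_authenticated=False):
    """Compare envelope sender, From:, Reply-To: and Message-ID: domains; return the findings."""
    msg = email.message_from_string(raw_header)
    result = {
        "from": addr_domain(msg.get("From", "")),
        "envelope": envelope_sender(msg),
        "reply_to": addr_domain(msg.get("Reply-To", "")),
        "message_id": addr_domain(msg.get("Message-ID", "")),
        "findings": [],
    }
    from_org = org_domain(result["from"])
    if result["envelope"] and org_domain(result["envelope"]) != from_org:
        result["findings"].append("FROM_ENVELOPE_MISMATCH")
    if result["reply_to"] and org_domain(result["reply_to"]) != from_org:
        result["findings"].append("REPLYTO_MISMATCH")
    if result["message_id"] and org_domain(result["message_id"]) != from_org:
        result["findings"].append("MSGID_MISMATCH")
    # A From: on one of our own domains is only trustworthy if the SMTP session authenticated.
    if result["from"] in {d.lower() for d in local_domains} and not smtp_authenticated:
        result["findings"].append("LOCAL_FROM_UNAUTHENTICATED")
    return result


def recommended_action(result):
    """Policy thresholds are an assumption for this example, not a product default."""
    if "LOCAL_FROM_UNAUTHENTICATED" in result["findings"]:
        return "reject"
    if len(result["findings"]) >= 2:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for label, raw, local in (("kevin", SAMPLE_HEADER, ()), ("local-spoof", LOCAL_SPOOF_HEADER, ("example.com",))):
        res = check_alignment(raw, local_domains=local)
        print(label, res["findings"], "->", recommended_action(res))
```

On Kevin's header every comparison fails (envelope `fce.oralshopup.com`, From `demo.adobe.com`, Reply-To `messages.webmd.com`, Message-ID `earthlink.net`), which is exactly the signal the Commtouch verdict was standing in for. One caveat before wiring something like this into a reject rule: a From/envelope mismatch on its own is normal for mailing lists, forwarders and bulk senders, so treat it as spam weight rather than a hard reject; the unauthenticated local-domain From: is the one case where outright rejection at the SMTP session is safe.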
0
You're welcome and I agree with you 100%.
Linda Pagillo
0
echoDreamz Replied
Hmmm.... Cyren gave it a "Confirmed" score. For us, we reject / delete on Cyren "Confirmed". We've had really decent performance with their system.

http://multirbl.valli.org/lookup/204.12.226.195.html no blacklist would have helped here - they are not listed on any good ones, with the exception of having a poor sender score. Which we also check against and score based on the senderscore reputation, we've found this to work well too.

That is the one and only thing I liked about Declude was the ability to create your own custom filters and spam check processes, I'd sell my kids for SmarterTools to add-in some sort of spam API where developers could write custom spam checks.

Christopher

0
kevind Replied
Sure, a spam API would be nice.

But when you receive an email from someone on your own domain and there's NO Verification and NO Authentication, that's ridiculous. This feature needs to be baked into SmarterMail.

0
I'm trying to get DKIM going to try to stop this and see if that works. Has anyone been successful with that?
