Back to Community Threads
7
how do you guys handle spear phising?
Question asked by Heimir Eidskrem - 9/18/2017 at 4:15 PM
Unanswered
Anyone got some good ideas on how to block this stuff?
We have several clients getting them.
One fell for it and transferred $17,000 to a bank account but they caught it fast so it got reversed.
 
All suggestions welcomed.
 

14 Replies

Reply to Thread
0
kevind Replied
9/19/2017 at 6:25 AM
This is a known issue. Hoping SM will fix this vulnerability, first posted in April 2016, that allows a spear phisherman to spoof a mailbox on a local domain.
https://portal.smartertools.com/community/a87739/local-domains-being-spoofed.aspx
4
Paul Blank Replied
9/19/2017 at 11:59 AM
Would definitely like an ST response to this.
1
Linda Pagillo Replied
9/21/2017 at 6:00 AM
Hi Heimir. Can you send me the header from the message that made it through? I think I may have a solution for you, but I need to see the header to be sure. Once I confirm the solution, I will post it here for everyone. You can send the header directly to me at linda.pagillo@mailsbestfriend.com. Thanks.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 Authorized Reseller of SmarterTools Products Authorized Reseller of Message Sniffer
2
kevind Replied
9/28/2017 at 6:55 AM
Hi Linda, here's a header to see if you have a solution. This message isn't from a local domain, but it's similar in that there is some serious spam + fraud + phishing going on that needs to be stopped.
 
Look at all the big domains in this message -- Adobe.com, WebMD, Sam's Club, and even Earthlink.net in the Message-ID -- but none of them match the Return-Path (sending server).  Isn't there some kind of check that can be done to warn the user that this is totally fake?
Return-Path: <TLYAf6MNj1ZEA7nBPa@fce.oralshopup.com>
Received: from fce.oralshopup.com (fce.oralshopup.com [204.12.226.195]) by mail.smartermail15.com with SMTP;
   Thu, 28 Sep 2017 08:27:54 -0400
Received: from localhost (127.0.0.1) by fce.oralshopup.com id pgb97mg8bgcs for <user@smartermail15.com>; Thu, 28 Sep 2017 08:11:38 -0400 (envelope-from <lPIUI7fjMIl2hIA5qi@health.webmd.com>)
Subject: Get a $100 SamsClub Gift Card!
from: SurpriseReward <lPIUI7fjMIl2hIA5qi@demo.adobe.com>
Reply-To: "Hope" <lPIUI7fjMIl2hIA5qi@messages.webmd.com>
Date: Thu, 28 Sep 2017 08:11:38 -0400
To: user@smartermail15.com
Message-ID: <5731685.1118002939152.JavaMail.root@wamui-norfolk.atl.sa.earthlink.net>
MIME-Version: 1.0
Would really like it if SmarterMail could just reject the message entirely because it's so bogus.
 
Thanks,
Kevin
0
Heimir Eidskrem Replied
9/28/2017 at 7:42 AM
Sorry Linda but I did not see your response. I do not have access to the header. The email address used was not one of theirs but the name used matched employee names. Thank you for taking the time to respond. I really appreciate you and all your help.
1
Linda Pagillo Replied
9/28/2017 at 7:49 AM
Thanks for the sample, Kevin. Is this the entire header? What score did SM give this message?
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 Authorized Reseller of SmarterTools Products Authorized Reseller of Message Sniffer
0
Linda Pagillo Replied
9/28/2017 at 10:53 AM
My pleasure Heimir. Kevin provided me with a header from a similar situation. I'm going to work with it to see if I can help you guys.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 Authorized Reseller of SmarterTools Products Authorized Reseller of Message Sniffer
0
kevind Replied
9/28/2017 at 12:26 PM
I cut off the bottom 5 lines of the header as I didn't think it mattered.

MIME-Version: 1.0
Content-Type: text/html
X-SmarterMail-Spam: SPF_Pass, X, Y, Bayesian Filtering, Commtouch 10 [value: Confirmed], DKIM_None, Custom Rules []
X-CTCH-RefId: str=0001.0A020201.59CD28F2.00C4,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 20

I realize we might be able to stop this with more/better blacklists, but I think the point of this thread is that there is no verification or checking on the From address in the message body.
2
Linda Pagillo Replied
9/29/2017 at 6:29 AM
Thanks. I understand. I really can't do much about the verification checks, but we can write filters to stop this kind of thing. SmarterMail already marked this as a weight 20 which is pretty high. If you would like some filters, I can help. As for the verification checks, yes, SM would need to do something about that.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 Authorized Reseller of SmarterTools Products Authorized Reseller of Message Sniffer
4
kevind Replied
9/29/2017 at 7:16 AM
Right, this message went to Junk which is better than the Inbox.  But that relies on blacklists and Commtouch. Sometimes, those things don't happen and it gets delivered to Inbox. The user looks at the message, thinks it legit, and gets phished.
 
My point is that SM should run checks on the From address in the message (SPF, compare to envelope From, Auth for local domains, etc.) to protect users from spoofing. This is common in other email systems and SM staff agrees:
It would be extremely valuable to have a check that verifies the From: header vs the Mail From: passed during the SMTP session.  --SmarterTools
More info here:
Thanks for looking into this!
0
Linda Pagillo Replied
9/29/2017 at 8:29 AM
You're welcome and I agree with you 100%.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 Authorized Reseller of SmarterTools Products Authorized Reseller of Message Sniffer
0
echoDreamz Replied
9/29/2017 at 9:39 AM
Hmmm.... Cyren gave it a "Confirmed" score. For us, we reject / delete on Cyren "Confirmed". We've had really decent performance with their system.

http://multirbl.valli.org/lookup/204.12.226.195.html no blacklist would have helped here - they are not listed on any good ones, with the exception of having a poor sender score. Which we also check against and score based on the senderscore reputation, we've found this to work well too.

That is the one and only thing I liked about Declude was the ability to create your own custom filters and spam check processes, I'd sell my kids for SmarterTools to add-in some sort of spam API where developers could write custom spam checks.
0
kevind Replied
10/2/2017 at 6:50 AM
Sure, a spam API would be nice.

But when you receive an email from someone on your own domain and there's NO Verification and NO Authentication, that's ridiculous. This feature needs to be baked into SmarterMail.
0
Matthew Shepard Replied
11/7/2017 at 7:34 AM
I'm trying to get DKIM going to try to stop this and see if that works. Has anyone been successful with that?
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Calendars - SmarterMail vs ExchangeSmarterMail > Desktop and Mobile Synchronization
Email Clients and SmarterMail Language SettingsSmarterMail > Desktop and Mobile Synchronization
Moving SmarterMail to a New Hosting CompanySmarterMail > Domain/User Configuration and Management
Configure Perfmon to capture Disk IO activity and potential Disk Issues.SmarterMail > Troubleshooting