"Your invoice attached" Spam/Phish
Question asked by Matthew Titley - 11/30/2018 at 8:14 AM
Hi all,

I know it's more of an annoyance than anything but has anyone managed to deploy a filter or screen to reduce these getting through? I'm using Commtouch Antispam, Barracuda RBL, SpamAssassin-based pattern matching. Clam is enabled but I don't have much confidence that it does much of anything. I was using Declude in addition but had to disable it due to an overly long spool delay period (based upon feedback from customers.) This was long enough ago that I don't recall if it was helping block these things.

However, feedback from customers now tells me that many are worried about one of their employees opening these payload laden word docs, as there is always the chance that it will get around end point malware protection.

So, any additional ideas would be appreciated. Thanks!


6 Replies

Reply to Thread
Matthew Titley Replied
Forgot to state v15.7.6754.
Paul Blank Replied
I have been using Symantec email security.cloud (messagelabs) for years. These days they stop most (but not all) of these emails. 

The creators of this stuff are pretty crafty; it's a moving target - this is not a surprise to any of us.

Matthew Titley Replied
I was going to add in my post that I've been considering outsourcing MX services to messagelabs or one of many competitors but am hoping against hope for an in-house solution whether an additional SM spam test or a virtual appliance incoming gateway solution. Thanks for the note, Paul.

Scarab Replied
If they all contain DOC attachments the easy solution would just be to add that to the Incoming Extension Blocklist in SmarterMail. In this day and age most clients should be used to sharing links to attachments stored in Google Drive, Dropbox, OneDrive, iCloud, SpiderOak, OwnCloud/NextCloud, or SmarterMail's File Storage, instead of receiving or sending attachments direct.

We still use Declude, primarily because we can easily add global filters to catch content based on strings, which you cannot do effectively in SmarterMail (the base filters that come with Declude are "okay" but the ability to create our own in-house makes it invaluable). We had the same lag issue with Declude (due to it using as much CPU as is  available) and eventually opted for using separate Incoming Mail Servers that run antispam and antivirus checks, along with Declude, before passing it to our SmarterMail server. Doing such took the delay down to a mere 2 seconds in most cases and 10 seconds max under heavy usage above and beyond peak.

The only other option would be to start capturing IPs (and HELO/EHLO) of the Spear Phishers and track them over time. You'll start to see them coming from the same providers, moving to the next provider every 7-14 days and cycling back through every 60-90 days, which is how they circumvent traditional RBLs (and the sloppy ones use the same naming scheme for their HELO/EHLO regardless of what provider they are using to send from that week). Once you've tracked them you can start being heavy-fisted with blocking entire IP Ranges (or HELO/EHLO patterns using wildcards) in your Smartermail Security Blacklist & SMTP Blocking. It's tedious, but it is definitely effective. Once you start seeing the same provider names over and over again you can just lookup all the IP Ranges assigned to that network owner and block them wholesale.

Our shortlist of blocked network owners (most of whom are in business only for Spammers) are:

China Telecom
Turk Telekom
myLoc managed IT AG
Choopa, LLC
Aruba S.p.A.
Psychz Networks
Limestone Networks
Worldstream B.V.
Interactive 3D B.V.
Global Layer B.V.
Joe's Datacenter
Hostwinds LLC
Toqen LLC
Global Frag Networks

It is amazing how much Spam originates from only 18 network owners on roughly 100 IP Ranges (adding Talos Intelligence, formerly Senderbase, to your RBLs with a heavy score will catch most of these top harbors for spammers without potentially blocking legitimate email traffic and tediously adding IP Ranges to your SmarterMail Blacklist every week.)

For SMTP Blocking if you add the HELO/EHLO of ylmf-pc you'll probably block far more than you ever imagined you might (they are also one of the biggest Brute-Force botnets).

Unfortunately there is no single silver bullet option for stopping all Spam. Spammers and Phishers have far more money to throw at it than the AntiSpam industry has at their disposal. It's a losing game where you have to use every tool in your arsenal, constantly change tactics, and at the end of the day just accept that you're only going to catch 90-94% and that some are always going to slip through.
Matthew Titley Replied
Thanks for the detailed reply; that certainly took you some time to type out. I'd love to block .doc (etc.) and/or move most file attachments to Owncloud/DropBox but I think I'd get a lot of push-back on that. As I'm sure you know all too well, customers want it all. Years ago I blocked many of those foreign IP blocks but then started to run into legitimate mail getting blocked for my clients in manufacturing who have to deal with China and a few other countries that I had blocked. Maybe I'll revisit that. I blocked the ylmf-pc a few years ago. Forgot all about that! If I recall, that was the option we begged for and eventually got in SM15? I remember years ago that we asked ST for EHLO keyword blocking and it took ages to get it.

Anyway, thanks for the input. I think I'll revisit the IP net block blocks. Also, I'm going to test out a few VM appliances as MX gateways in front of SM. I'll report back on how it goes.

Shivam Parikh Replied
Maybe someone can make an IP block list and we can have an import method to block those IPs (at least reduces some spam if not more) or make sure SPF is valid or else send them to junk or reject them? Blacklisting extensions is a bad idea. Stops valid documents too. Until SmarterMail allows creating docs and sharing docs (not the link method) but like Google Drive or through a better method, I would not think we should even consider blocking extensions.

Reply to Thread