Crypto Spam from gmail.com
Problem reported by Chris Danks - 1/3/2023 at 4:23 AM
Hello

Several of our customers are experiencing a problem with crypto spam; I have the same issue too.

Spam is coming with a PDF Attachment and passing spam checks

X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: -4

We use Message Sniffer with Smartermail.
We're using the latest stable build (dated August 2022).

Here is the full header (with my email removed):

Return-Path: <sharonedwardslap1@gmail.com>
Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com [209.85.208.176]) by MY-MAIL-HOST-NAME with SMTP
	(version=TLS\Tls12
	cipher=Aes256 bits=256);
   Mon, 2 Jan 2023 16:36:47 +0000
Received: by mail-lj1-f176.google.com with SMTP id s25so29474200lji.2
        for <my-email@domain.com>; Mon, 02 Jan 2023 08:36:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=IGV63hlGs4eOwYuqhEAh1lEezavxt6sByR/fbm8zfrc=;
        b=e1ciY/Ej8z1IAHR2ydb1glunaeOeqdh9/SOvEEycoWCUx3T/f5Od49YYzSlL0G0s69
         1DWvtncXEnfD2pNBb7jjczafEnI9Zhtn3HelqLedWsrxIA0WXIe6ewHlEftmTaTN1xrr
         aHlTW35MT468oxpo9AOCWsLaN3dFKb2nNSYVCntfLBZwNpJKd1ppboFJiKMETZR9ZB1b
         8PUbSH7I51XKhwdS4JnVJpETaMvUxhmov88V1bvijuodotGrI28dfmA64j6TUFQa/ZdK
         T9AEyMR+Jf5RnHCKk+CGzzgVpU1s036gp332PfbA0lKUMGViDWSsm7BjU5ehT/3UqHEq
         1a+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=IGV63hlGs4eOwYuqhEAh1lEezavxt6sByR/fbm8zfrc=;
        b=nhgWWYX+D5vZwao4RN5Xs4EIth8XWouMRihMH2PLXsRn/I7ZP7QTgTVwJDc3K+C9QF
         q4rtXfhR+vQeUNPPZ26+ypsc9kT/vpm6JXf//JGaiUFHKUSsX9nCuX9SbDjFB4j3cWxu
         WmgGQRz2OMrtmdo0SAsW2njiQa8/vR852QUEo/iyqpBH5lJ6daMy729nWgmNdEKEr2UV
         /wK/Bq/L2pTOdyiGvyjaDyxDfWY3kNLwhfjWtm1o8PZxNDys97apw7apDtXLaPV61+hW
         WzaPmxIiCD29qAWbfY4p8r2SftkwrfsnDnT9AIq60yTIRm5V02HYquIFcdvvJE0das3k
         8Vkw==
X-Gm-Message-State: AFqh2krQB7vzkmC6FC7sr+qcyaS+26xDIM8d9MAj/NZqSx5xZ3M0d2Ja
	fkd1Dbuwo/G+sRj6/PY/UxagUbOvVCKUBKULsC0=
X-Google-Smtp-Source: AMrXdXvJ640aMJPFyUPR08wVM2uL6BNWIfP9RclkUQLIbh2/7PupQ7ee5nEz4onws3cuNRaGoi5cDLBe8P2+k8aae8U=
X-Received: by 2002:a2e:9b96:0:b0:27f:ca4b:2ec5 with SMTP id
 z22-20020a2e9b96000000b0027fca4b2ec5mr808170lji.63.1672677401896; Mon, 02 Jan
 2023 08:36:41 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a05:6022:3109:b0:35:1e42:4d3f with HTTP; Mon, 2 Jan 2023
 08:36:41 -0800 (PST)
From: Sanda Marlowe <sharonedwardslap1@gmail.com>
Date: Mon, 2 Jan 2023 08:36:41 -0800
Message-ID: <CAOV=V=jhrOD0vd-Xu9tm6wPTjHjXvXMRkwRWbk7L0EWL0My=pg@mail.gmail.com>
Subject: Money.transfer.0.7495.Bitcoin
To: jessicapimentel1017@yahoo.com
Content-Type: multipart/mixed; boundary="0000000000005d3d0805f14a8ea2"
X-Rcpt-To: <my-email@domain.com>
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: -4

I then tried adding Cyren anti-spam into the mix; the spam still came, and the updated spam header looks like:

X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, Cyren [Bulk]: 10, Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2
X-CTCH-RefId: str=0001.0A782F27.63B41410.0027,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
X-MessageSniffer-ResultCode: 0

What can we do to stop these??

2 Replies

Douglas Foster Replied
There are three parts to the email filtering process: sender filters, message content filters, and attachment filters. Then there are defense-in-depth strategies as well.
Sender filters:
Messages from gmail are well authenticated, so you know that the purported user and the actual user are the same.
- Block the source email address
- Notify Google via a message to abuse@gmail.com
I am amazed at how little spam comes from gmail. They must be really good at using their data collection tools to catch and block problem accounts.

Message content filters:
Not applicable given the data you have supplied. But if this particular attack uses a come-on like "Special Offer", you could write a filter rule which is specific to this attack.

Attachment filters:
What constitutes a malicious attachment? This is an inherently difficult problem.
If the attachment can contain macros or scripts, the answer is as complex as the imagination of the script developer. Detecting a malicious script requires detailed knowledge of the file structure and sophisticated interpretation of the code. Reliability is not likely.

Consequently, the approaches that I have seen include:
- Block attachments based on file extension.
- Block attachments based on MIME type.
- Block Office documents with embedded macros.

I have not seen a tool that can block PDFs with embedded javascript, but that would be useful.

In this case, your ideal rule is probably to quarantine messages with PDF attachments coming from gmail, which will require manual labor to manage the quarantine.

Woefully many spam filters are unable to do multi-attribute filters. If you cannot write a rule that selects on both source (gmail.com) and attachment type (PDF), you should look for one that can (which is how I ended up using Declude).

Defense in depth
On client devices, Adobe should be configured with Javascript disabled, and turned on only as needed.

A lot of email attacks use malicious web links, and some attachment attacks will trigger web downloads as well. Every organization needs a good web filter.

User education. Remind people continuously to reject messages from unrecognized sources.

There is no one spam solution that can perfectly detect and block every threat that can be created by human ingenuity applied to evil purposes, and do so without blocking wanted messages as well.
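As an added illustration of the two rules Doug describes (a multi-attribute rule on source domain plus PDF attachment, and a check for PDFs carrying embedded JavaScript), here is a small Python filter that is not part of SmarterMail, Declude, or anything else in this thread. It assumes the sender domain is taken from the DKIM d= tag (falling back to From:), that a handful of PDF name objects (/JavaScript, /JS, /OpenAction, /AA, /Launch) are a reasonable heuristic for active content rather than a full PDF parser, and it runs against a constructed sample message modelled on the one Chris posted.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# PDF name objects that indicate active content. Heuristic only (assumption):
# a real PDF may obfuscate names, so treat a hit as "quarantine for review".
PDF_ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

def sender_domain(msg):
    """Domain the message was authenticated for: DKIM d= first, then From:."""
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if m:
        return m.group(1).lower()
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def pdf_attachments(msg):
    """(filename, decoded bytes) for every attachment that looks like a PDF."""
    out = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            out.append((name, part.get_payload(decode=True) or b""))
    return out

def classify(raw, watched_domains=("gmail.com",)):
    """Return the reasons to quarantine a raw RFC 5322 message; [] means deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    pdfs = pdf_attachments(msg)
    domain = sender_domain(msg)
    if pdfs and domain in watched_domains:          # source AND attachment type
        reasons.append("pdf-attachment-from-" + domain)
    for name, data in pdfs:                          # PDF with embedded script
        if PDF_ACTIVE_CONTENT.search(data):
            reasons.append("pdf-active-content:" + name)
    return reasons

def build_sample():
    """Constructed sample: a DKIM-passing gmail.com message with a scripted PDF."""
    m = EmailMessage()
    m["From"] = "Sanda Marlowe <sender@gmail.com>"   # constructed, not the real sender
    m["To"] = "victim@example.net"
    m["Subject"] = "Money.transfer.0.7495.Bitcoin"
    m["DKIM-Signature"] = "v=1; a=rsa-sha256; d=gmail.com; s=20210112; bh=PLACEHOLDER; b=PLACEHOLDER"
    m.set_content("See attached.")
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"  # constructed PDF
    pdf += b"2 0 obj << /S /JavaScript /JS (this.print()) >> endobj\n%%EOF\n"
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

Dropping gmail.com from `watched_domains` shows the trade-off Doug mentions: the active-content rule still fires on the scripted PDF, but the PDF-from-gmail rule no longer needs a manually managed quarantine.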
Linda Pagillo Replied
Hey Chris!

We (MBF) have something that may help with this type of spam. 

It is called Gauntlet and it is a plugin for Declude. 

As Doug said above, we agree there is no one spam solution that will detect and block every threat so the layered approach is best.

Pre-tested spam: by definition, the spammer pre-tests their campaigns against all available tests by sending samples to themselves on protected systems. When they have a version that gets past all of the tests, they deploy these messages in huge volumes with their bot-net. Gauntlet is used to combat this technique.

You can read more about Gauntlet and what it does here: https://www.lifeatwarp9.com/2012/06/gauntlet-a-solution-to-pre-tested-spam/

You can get it and Declude from the following link: https://mailsbestfriend.com/downloads/

Best of all, Declude and Gauntlet are free. We only charge for support.

Hope this helps!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
