Crypto Spam from gmail.com
Problem reported by Chris Danks - 1/3/2023 at 4:23 AM

Several of our customers are experiencing a problem with crypto spam, and I have the same issue.

Spam is coming with a PDF attachment and passing spam checks:

X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: -4

We use Message Sniffer with Smartermail.
We're using the latest stable build (dated August 2022).

Here is the full header (with my email removed):

Return-Path: <sharonedwardslap1@gmail.com>
Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com []) by MY-MAIL-HOST-NAME with SMTP
	cipher=Aes256 bits=256);
   Mon, 2 Jan 2023 16:36:47 +0000
Received: by mail-lj1-f176.google.com with SMTP id s25so29474200lji.2
        for <my-email@domain.com>; Mon, 02 Jan 2023 08:36:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
X-Gm-Message-State: AFqh2krQB7vzkmC6FC7sr+qcyaS+26xDIM8d9MAj/NZqSx5xZ3M0d2Ja
X-Google-Smtp-Source: AMrXdXvJ640aMJPFyUPR08wVM2uL6BNWIfP9RclkUQLIbh2/7PupQ7ee5nEz4onws3cuNRaGoi5cDLBe8P2+k8aae8U=
X-Received: by 2002:a2e:9b96:0:b0:27f:ca4b:2ec5 with SMTP id
 z22-20020a2e9b96000000b0027fca4b2ec5mr808170lji.63.1672677401896; Mon, 02 Jan
 2023 08:36:41 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a05:6022:3109:b0:35:1e42:4d3f with HTTP; Mon, 2 Jan 2023
 08:36:41 -0800 (PST)
From: Sanda Marlowe <sharonedwardslap1@gmail.com>
Date: Mon, 2 Jan 2023 08:36:41 -0800
Message-ID: <CAOV=V=jhrOD0vd-Xu9tm6wPTjHjXvXMRkwRWbk7L0EWL0My=pg@mail.gmail.com>
Subject: Money.transfer.0.7495.Bitcoin
To: jessicapimentel1017@yahoo.com
Content-Type: multipart/mixed; boundary="0000000000005d3d0805f14a8ea2"
X-Rcpt-To: <my-email@domain.com>
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: -4

I then tried enabling Cyren anti-spam in the mix; the spam still came, and the updated header for the spam looks like:

X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, Cyren [Bulk]: 10, Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2
X-CTCH-RefId: str=0001.0A782F27.63B41410.0027,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
X-MessageSniffer-ResultCode: 0

What can we do to stop these?

2 Replies

Douglas Foster Replied
There are three parts to the email filtering process: sender filters, message content filters, and attachment filters. Then there are defense-in-depth strategies as well.
Sender filters:
Messages from gmail are well authenticated, so you know that the purported user and the actual user are the same.
- Block the source email address
- Notify Google via a message to abuse@gmail.com
I am amazed at how little spam comes from gmail. They must be really good at using their data collection tools to catch and block problem accounts.

Message content filters:
Not applicable given the data you have supplied. But if this particular attack uses a come-on like "Special Offer", you could write a filter rule which is specific to this attack.

Attachment filters:
What constitutes a malicious attachment? This is an inherently difficult problem.
If the attachment can contain macros or scripts, the answer is as complex as the imagination of the script developer. Detecting a malicious script requires detailed knowledge of the file structure and sophisticated interpretation of the code. Reliability is not likely.

Consequently, the approaches that I have seen include:
- Block attachments based on file extension.
- Block attachments based on MIME type.
- Block Office documents with embedded macros.

I have not seen a tool that can block PDFs with embedded JavaScript, but that would be useful.

In this case, your ideal rule is probably to quarantine messages with PDF attachments coming from gmail, which will require manual labor to manage the quarantine.

Woefully many spam filters are unable to do multi-attribute filters. If you cannot write a rule that selects on both source (gmail.com) and attachment type (PDF), you should look for one that can (which is how I ended up using Declude).

Defense in depth
On client devices, Adobe should be configured with JavaScript disabled, and turned on only as needed.

A lot of email attacks use malicious web links, and some attachment attacks will trigger web downloads as well. Every organization needs a good web filter.

User education. Remind people continuously to reject messages from unrecognized sources.

There is no one spam solution that can perfectly detect and block every threat that can be created by human ingenuity applied to evil purposes, and do so without blocking wanted messages as well.
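One way to implement the multi-attribute rule Doug describes (authenticated source domain AND PDF attachment) together with a crude check for PDFs carrying scripts or auto-run actions, as an added example that is not code from this thread, SmarterMail or Declude. The domain list, the PDF keyword heuristic, and the sample message are assumptions; the sample is modelled on the header Chris posted, with a made-up body and attachment.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy: quarantine when the authenticated sender domain is listed here
# AND a PDF is attached; the PDF keyword scan is a cheap heuristic, not a parser.
QUARANTINE_SOURCE_DOMAINS = {"gmail.com"}
PDF_ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)\b")

def auth_results(msg):
    """Parse 'Check [Verdict]: score' pairs from X-SmarterMail-Spam into {check: verdict}."""
    header = msg.get("X-SmarterMail-Spam", "")
    return {m.group(1).strip(): m.group(2) for m in re.finditer(r"([\w\s]+?)\s*\[([^\]]+)\]", header)}

def authenticated_from_domain(msg):
    """From domain, but only if SPF and DKIM passed and the DKIM d= tag matches it."""
    checks = auth_results(msg)
    if checks.get("SPF") != "Pass" or checks.get("DKIM") != "Pass":
        return None
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signer = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return domain if signer and signer.group(1).lower() == domain else None

def classify(raw):
    """(action, reason) for a raw RFC 5322 message under the multi-attribute rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    pdfs = [p.get_payload(decode=True) or b"" for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf" or (p.get_filename() or "").lower().endswith(".pdf")]
    if any(PDF_ACTIVE_CONTENT.search(data) for data in pdfs):
        return "quarantine", "pdf attachment with active content"
    domain = authenticated_from_domain(msg)
    if domain in QUARANTINE_SOURCE_DOMAINS and pdfs:
        return "quarantine", f"pdf attachment from {domain}"
    return "deliver", "no rule matched"

def build_sample(pdf_bytes, sender="sharonedwardslap1@gmail.com"):
    """Constructed message modelled on the thread's header; body and PDF are made up."""
    m = EmailMessage()
    m["From"] = f"Sanda Marlowe <{sender}>"
    m["Subject"] = "Money.transfer.0.7495.Bitcoin"
    m["DKIM-Signature"] = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;"
    m["X-SmarterMail-Spam"] = ("Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0, "
                               "Message Sniffer [code:0]: 0, DK [None]: 0, DKIM [Pass]: -2")
    m.set_content("See attached.")
    if pdf_bytes is not None:
        m.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="transfer.pdf")
    return m.as_bytes()
```

The d= alignment check matters because SmarterMail's "DKIM [Pass]" only says a signature verified, not which domain signed, so the rule keys on the From domain only when the signer agrees with it.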
Linda Pagillo Replied
Hey Chris!

We (MBF) have something that may help with this type of spam. 

It is called Gauntlet and it is a plugin for Declude. 

As Doug said above, we agree there is no one spam solution that will detect and block every threat so the layered approach is best.

Pre-tested spam is, by definition, spam where the spammer pre-tests their campaigns against all available tests by sending samples to themselves on protected systems. When they have a version that gets past all of the tests, they deploy these messages in huge volumes with their bot-net. Gauntlet is used to combat this technique.

You can read more about Gauntlet and what it does here: https://www.lifeatwarp9.com/2012/06/gauntlet-a-solution-to-pre-tested-spam/

You can get it and Declude from the following link: https://mailsbestfriend.com/downloads/

Best of all, Declude and Gauntlet are free. We only charge for support.

Hope this helps!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
