Attack analysis: Free gift of AAA emergency kit
Problem reported by Douglas Foster - 9/29/2025 at 10:08 PM
Note for non-US residents:  AAA is a trademark for the American Automobile Association

Recently, my users have been getting spam offering a free AAA roadside emergency kit.   The attacks come from multiple domain names, so domain name blocking has been minimally effective.  The messages also come from servers in multiple countries, including my own, so country blocking has limited effectiveness.

I am able to block a lot of messages by enforcing mandatory authentication, but these messages are fully authenticated (SPF PASS, DKIM PASS, and one address for both SMTP Mail From and message From.)  The host name is usually from that same domain and forward-verifies as valid.

RBL filtering has mixed results, depending on the speed with which the RBL becomes aware of somebody else being attacked.

I have added a content filtering rule that is tailored to the attack, but it will only work until the attacking organization begins impersonating a different trademark.

Fortunately, I have an External Sender warning that notifies about messages from an unrecognized sender.  That helps, but I would like to do better.

Ideally, the filtering system needs to "understand" that the message impersonates AAA, then "understand" that the domain name is not AAA or an authorized agent.  But this seems impossible.

For those who are using AI in your filtering, are you seeing this attack, and was your AI smart enough to block this attack from the first message?

YS Tech Replied
I too get loads of these. I've set up a custom rule, but that's only as good as the rule, I suppose.
These are who I get it from (along with some others):
AAAProtectionKit
AAARescueKit
AAAResponseKit
AAARoadsideKit
AAAPreparednessKit
ACEHardwareHome
ACEHardwareInc
ACEHardwareLocal
AceHardwareStore
ACEHardwareStore
ACEHardwareSupplies
ACEHardwareSupply
ACEHomeHardware
CostcoClubMembers
CostcoClubSpecial
CostcoSupport

Filtering is working currently and places most of them in spam, but it's a never-ending job to collate these.
Douglas Foster Replied
Overnight, I came up with a new strategy.   I have metadata about all allowed messages, and I have already been using that to distinguish between known senders and unrecognized senders.    At the moment, I have too many legitimate messages from unknown senders to route all of them to quarantine for manual review, although that would be safest.

I plan to do the same thing based on host names:   Use the message log to build a list of known server organizations, then use that list to distinguish between known and unknown server sources.   I am pretty optimistic that sending unknown servers to quarantine will not hinder very much legitimate traffic.

This issue was the trigger for my post about greylisting.  A known-server database will be more effective than greylisting, because it will not block known-good sources.
J. LaDow Replied
We use a LOT of wildcard matching on these -- 
AAA*kit@* got added this morning...  

Then our log monitor picks up the rejections and eventually bans the IP at the edge.
MailEnable survivor / convert --
Douglas Foster Replied
I hate responding to attacks after they get through to my users, so I am hoping that the KnownServer strategy will be able to catch a lot of this stuff on the first attempt.

Martin Schaible Replied
These phishing emails have also been active in Europe for some time. Instead of AAA, Ace, and other US companies, they use appropriate local organizations. In Germany, for example, ADAC and in Switzerland, TCS.
Douglas Foster Replied
I brought the topic up because I was working through its implications for our defenses:
- Authentication tests do not block the messages
- Country blocking only blocks some of the messages because it is a worldwide network
- RBL blocking only blocks some of the messages because of varying source IP and sender identity 
- Content filtering only blocks messages after enough have been received to know that a defense rule is needed, and in the process the impersonated company may be harmed

In short, all of our favorite tools are insufficient.   But it validates a direction that I have been heading in for a while:   malicious messages come from unrecognized senders.   Keep a list of previously-allowed servers and senders, then send the exceptions to quarantine.   When only one penetration is needed to destroy your organization, nothing else is sufficient.
We get blasted by the same AAA each day as well, to multiple domains and multiple end users. It's really frustrating. Same experience.

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
Douglas Foster Replied
I realized that a partial filter can be based on their use of a single domain for every identifier:  the SMTP Mail From address matches the message From address, while the HELO and reverse DNS names match each other.  The host domain also matches the From domain.  That is enough to build a filter in Declude using a script that parses the HDR file.

If you also have authentication tests, you can note that a valid DKIM signature matches the domain, SPF produces Pass, and host names are forward-confirmed to the IP address.

The last piece is to exclude legitimate domains with these characteristics, or limit the scope to newly-observed domains only.  That requires an existing tool that has captured metadata about incoming messages.

To protect against errors, send the captured messages to quarantine, but that assumes a better quarantine tool than what is available in SM or Declude.

Organizations that do not have a customizable spam filter and a good quarantine review tool should take this attack as a wake-up call.   The attacks probably come from a nation-state attacker, and nobody is too small to escape their notice.  I grieve in advance for all the organizations that will fall prey to them.

When you detect these attacks, please send an abuse report to the IP address owner.   Maxmind.com will show the owner, and abuse.net will provide an address to use for the report.
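The two ideas in Douglas Foster's posts above, the "single domain for every identifier" alignment test and the known-server/known-sender list built from the message log, combined into one worked example. This is an added illustration, not Declude, SmarterMail or Rspamd code and not the poster's own script. It assumes the MTA records the HELO name, the reverse DNS name and a forward-confirmed-rDNS result alongside each message, assumes a simple made-up log line format for previously allowed mail, and uses constructed messages under reserved `.example` domains; the `org_domain` helper is a deliberate simplification that does not handle multi-label public suffixes such as `co.uk`.

```python
"""Header-alignment plus known-sender check for the "free AAA kit" pattern.

Added example (not Declude/SmarterMail/Rspamd code).  All domains, log lines
and messages are constructed; the log format and the HELO / rDNS / FCrDNS
inputs are assumptions about what the receiving MTA records.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(name):
    """Reduce a host or mail domain to its last two labels.
    Simplification: multi-label public suffixes (e.g. co.uk) are not handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Domain part of the first address in a From / Return-Path header."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def known_from_log(log):
    """Build the known sender/server set from previously allowed messages.
    Assumed log shape: '<timestamp> ALLOW sender=<addr> host=<rdns name>'."""
    known = set()
    for line in log.splitlines():
        m = re.match(r"\S+ ALLOW sender=\S+@(\S+) host=(\S+)", line)
        if m:
            known.add(org_domain(m.group(1)))
            known.add(org_domain(m.group(2)))
    return known


def auth_results(msg):
    """Extract spf=, dkim= and header.d= from Authentication-Results."""
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", ar)
    dkim = re.search(r"\bdkim=(\w+)", ar)
    dkim_d = re.search(r"header\.d=([\w.-]+)", ar)
    return (spf.group(1) if spf else "none",
            dkim.group(1) if dkim else "none",
            dkim_d.group(1).lower() if dkim_d else "")


def classify(raw, helo, rdns, fcrdns_ok, known):
    """Return (verdict, reasons).

    allow      - sender and server domains were both previously allowed
    quarantine - unrecognised domain showing the single-domain, fully
                 authenticated pattern described in the thread
    unknown    - unrecognised sender without that pattern; leave it to the
                 normal filters and the external-sender warning
    """
    msg = message_from_string(raw)
    from_d = org_domain(addr_domain(msg.get("From", "")))
    mailfrom_d = org_domain(addr_domain(msg.get("Return-Path", "")))
    host_d = org_domain(rdns)
    spf, dkim, dkim_d = auth_results(msg)

    checks = {
        "mailfrom==from": mailfrom_d == from_d,
        "helo==rdns": org_domain(helo) == host_d,
        "host==from": host_d == from_d,
        "spf pass": spf == "pass",
        "dkim aligned": dkim == "pass" and org_domain(dkim_d) == from_d,
        "fcrdns": fcrdns_ok,
    }
    if from_d in known and host_d in known:
        return "allow", ["known sender and server"]
    if all(checks.values()):
        return "quarantine", ["single-domain, fully authenticated, never seen before"]
    return "unknown", [name for name, ok in checks.items() if not ok]


# Constructed sample log of previously allowed mail (assumed format).
SAMPLE_LOG = """\
2025-09-28T08:01:02 ALLOW sender=billing@example.com host=mail.example.com
2025-09-28T09:15:44 ALLOW sender=news@shop.example host=o1.esp-mail.example
"""

# Constructed messages: a kit-offer message, a known vendor, a new ESP-relayed sender.
KIT_SPAM = """\
Return-Path: <offers@aaarescuekit.example>
From: "AAA Rescue Kit" <offers@aaarescuekit.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=aaarescuekit.example; dkim=pass header.d=aaarescuekit.example
Subject: Claim your free roadside emergency kit

Your kit is waiting.
"""

VENDOR_MAIL = """\
Return-Path: <billing@example.com>
From: Billing <billing@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Invoice 1042

Attached.
"""

NEW_ESP_SENDER = """\
Return-Path: <bounce@esp-mail.example>
From: News <news@newshop.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=esp-mail.example; dkim=pass header.d=newshop.example
Subject: October newsletter

Hello.
"""


def demo():
    """Run the three samples against the log-derived known set."""
    known = known_from_log(SAMPLE_LOG)
    return {
        "kit_spam": classify(KIT_SPAM, "mail.aaarescuekit.example",
                             "mail.aaarescuekit.example", True, known),
        "vendor": classify(VENDOR_MAIL, "mail.example.com",
                           "mail.example.com", True, known),
        "new_esp": classify(NEW_ESP_SENDER, "o2.esp-mail.example",
                            "o2.esp-mail.example", True, known),
    }


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:10s} {verdict:10s} {', '.join(why)}")
```

The kit message is the only one of the three that is both fully aligned and absent from the known set, so it alone lands in quarantine; the vendor is allowed on the strength of the log, and the newsletter relayed by a never-seen ESP is neither aligned nor known, so it falls through to the ordinary filters rather than being treated as the attack pattern. In production the known set would be refreshed from the real message log on every run, and the quarantine verdict should feed a reviewable quarantine, as the post notes.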
Martin Schaible Replied
It took me some time to develop good RegEx phrases for Rspamd. They work well, and this spam is reliably intercepted.

It just bothers me that, even in 2025, good old-fashioned RegEx phrases still offer the best protection.
