Attack analysis: Free gift of AAA emergency kit
Problem reported by Douglas Foster - 9/29/2025 at 10:08 PM
Note for non-US residents:  AAA is a trademark for the American Automobile Association

Recently, my users have been getting spam offering a free AAA roadside emergency kit.   The attacks come from multiple domain names, so domain name blocking has been minimally effective.  The messages also come from servers in multiple countries, including my own, so country blocking has limited effectiveness.

I am able to block a lot of messages by enforcing mandatory authentication, but these messages are fully authenticated (SPF PASS, DKIM PASS, and one address for both SMTP Mail From and message From.)  The host name is usually from that same domain and forward-verifies as valid.

RBL filtering has mixed results, depending on the speed with which the RBL becomes aware of somebody else being attacked.

I have added a content filtering rule that is tailored to the attack, but it will only work until the attacking organization begins impersonating a different trademark.

Fortunately, I have an External Sender warning that notifies about messages from an unrecognized sender.  That helps, but I would like to do better.

Ideally, the filtering system needs to "understand" that the message impersonates AAA, then "understand" that the domain name is not AAA or an authorized agent.  But this seems impossible.

For those who are using AI in your filtering, are you seeing this attack, and was your A.I. smart enough to block this attack from the first message?   

YS Tech Replied
I too get loads of these; I've set up a custom rule, but that's only as good as the rule, I suppose.
These are who I get it from (along with some others):
AAAProtectionKit
AAARescueKit
AAAResponseKit
AAARoadsideKit
AAAPreparednessKit
ACEHardwareHome
ACEHardwareInc
ACEHardwareLocal
AceHardwareStore
ACEHardwareStore
ACEHardwareSupplies
ACEHardwareSupply
ACEHomeHardware
CostcoClubMembers
CostcoClubSpecial
CostcoSupport

Filtering is working currently and places most of them in spam, but it's a never-ending job to collate these.
Douglas Foster Replied
Overnight, I came up with a new strategy.   I have metadata about all allowed messages, and I have already been using that to distinguish between known senders and unrecognized senders.    At the moment, I have too many legitimate messages from unknown senders to route all of them to quarantine for manual review, although that would be safest.

I plan to do the same thing based on host names:   Use the message log to build a list of known server organizations, then use that list to distinguish between known and unknown server sources.   I am pretty optimistic that sending unknown servers to quarantine will not hinder very much legitimate traffic.

This issue was the trigger for my post about greylisting.  A known-server database will be more effective than greylisting, because it will not block known-good sources.
J. LaDow Replied
We use a LOT of wildcard matching on these -- 
AAA*kit@* got added this morning...  

Then our log monitor picks up the rejections and eventually bans the IP at the edge.

MailEnable survivor / convert --
Douglas Foster Replied
I hate responding to attacks after they get through to my users, so I am hoping that the KnownServer strategy will be able to catch a lot of this stuff on the first attempt.

Martin Schaible Replied
These phishing emails have also been active in Europe for some time. Instead of AAA, Ace, and other US companies, they use appropriate local organizations. In Germany, for example, ADAC and in Switzerland, TCS.
Douglas Foster Replied
I brought the topic up because I was working through its implications for our defenses:
- Authentication tests do not block the messages
- Country blocking only blocks some of the messages because it is a worldwide network
- RBL blocking only blocks some of the messages because of varying source IP and sender identity 
- Content filtering only blocks messages after enough have been received to know that a defense rule is needed, and in the process the impersonated company may be harmed

In short, all of our favorite tools are insufficient.   But it validates a direction that I have been heading for a while:   malicious messages come from unrecognized senders.   Keep a list of previously-allowed servers and senders, then send the exceptions to quarantine.   When only one penetration is needed to destroy your organization, nothing else is sufficient.
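An added illustration of the layered approach summarized in this last post (mandatory authentication, a wildcard content rule like the "AAA*kit@*" one mentioned earlier, then a known-server list built from the allowed-message log). This is example code written for this thread, not any poster's actual filter; the host names, rules and messages are constructed, and the org-domain reduction is a simplification.

```python
import fnmatch

# Constructed prior-allowed history (not the poster's real log): forward-verified
# host names of servers whose earlier messages were accepted.
ALLOWED_HISTORY = [
    "mail-sor-f41.google.com",
    "mx1.partner-bank.example",
    "smtp-out.vendor.example",
]

# Wildcard rules in the style used in the thread ("AAA*kit@*"), matched
# case-insensitively against the From address.
TAILORED_RULES = ["AAA*kit@*", "ACEHardware*@*", "Costco*@*"]

# Constructed sample messages as the filter would see them after SPF/DKIM evaluation.
SAMPLE_MESSAGES = [
    {"from": "AAARoadsideKit@aaaroadsidekit.example", "spf": "pass", "dkim": "pass",
     "helo_host": "mail.aaaroadsidekit.example"},
    {"from": "promo@freshdomain.example", "spf": "pass", "dkim": "pass",
     "helo_host": "mx.freshdomain.example"},
    {"from": "alerts@partner-bank.example", "spf": "pass", "dkim": "pass",
     "helo_host": "mx1.partner-bank.example"},
    {"from": "anyone@whatever.example", "spf": "fail", "dkim": "none",
     "helo_host": "mx.whatever.example"},
]

def org_domain(hostname):
    """Reduce a host name to its organization (last two labels).
    Simplification: a real deployment should consult the Public Suffix List
    so that e.g. example.co.uk is not collapsed to co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def build_known_servers(history):
    """The 'known server organizations' list, derived from the allowed-message log."""
    return {org_domain(h) for h in history}

def classify(msg, known_servers):
    """Apply the layered checks in order: mandatory authentication, the tailored
    content rule, then the known-server test. Returns 'reject', 'quarantine' or 'allow'."""
    if msg["spf"] != "pass" or msg["dkim"] != "pass":
        return "reject"                       # fails mandatory authentication
    sender = msg["from"].lower()
    if any(fnmatch.fnmatchcase(sender, rule.lower()) for rule in TAILORED_RULES):
        return "quarantine"                   # matches the attack-specific rule
    if org_domain(msg["helo_host"]) not in known_servers:
        return "quarantine"                   # authenticated, but from an unrecognized server
    return "allow"

if __name__ == "__main__":
    known = build_known_servers(ALLOWED_HISTORY)
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", classify(m, known))
```

The second sample message is the case the thread is about: it passes SPF and DKIM and matches no content rule, yet is still quarantined because its server organization has never delivered an accepted message before.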
