spamassassin-users mailing list archives

From Ram <...@netcore.co.in>
Subject Re: Catching well directed spear phishing messages
Date Mon, 27 Jun 2016 15:10:29 GMT


On Monday 27 June 2016 06:50 PM, Reindl Harald wrote:
>
>
> Am 27.06.2016 um 15:11 schrieb Ram:
>> I am seeing messages that appear to come from the MD or the CEO of the
>> company to the accounts department asking people to transfer money to
>> some fake account
>
> happens all day long
>
>> I know these are not spam messages so catching them will be out of scope
>> for a spam filter.
>
> "appear to come from" is by definition a spam message and most of that 
> crap *in fact* is trainable and catchable with a combination of 
> clamav-signatures (sanesecurity) and bayes
>
>> These messages have different envelope ids  so SPF checks always pass.
>> The header from is properly formatted exactly how it will be in a normal
>> mail
>>
>> What measures do you take for such spear phishing
>
> without a sample or a crystal ball hard to say
>



Here is the sample


I just redacted the actual recipient email id and name


Return-Path: <c-level@cognitorex.com>
Received: from ho.targeteddomain.com ([unix socket])
        by ho.targeteddomain.com with LMTPA;
         Thu, 23 Jun 2016 15:12:30 +0530
X-Sieve: CMU Sieve 2.4
X-Envelope-From: <c-level@cognitorex.com>
Received: from p3plwbeout16-06.prod.phx3.secureserver.net 
(p3plsmtp16-06-2.prod.phx3.secureserver.net [173.201.193.64])
       by mta3p4r.targeteddomain.com (Postfix) with ESMTP id CCF881284F
       for <vish.pai@targeteddomain.com>; Thu, 23 Jun 2016 15:11:43 
+0530 (IST)
Received: from localhost ([173.201.193.27])
       by p3plwbeout16-06.prod.phx3.secureserver.net with bizsmtp
       id A9hj1t0010bvwv9019hjyn; Thu, 23 Jun 2016 02:41:43 -0700
X-SID: A9hj1t0010bvwv901
Received: (qmail 7400 invoked by uid 99); 23 Jun 2016 09:41:43 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 41.144.23.225
User-Agent: Workspace Webmail 6.3.7
Message-Id: 
<20160623024142.b85a750d2ce78aac2cd21c9e32050f02.6816dce81f.wbe@email16.godaddy.com>
From: "YYYYYY Jain" <YYYYYY@targeteddomain.com>
X-Sender: c-level@cognitorex.com
Reply-To: "YYYYYY Jain" <exec.m@execs.com>
To: YYYYYYY@targeteddomain.com
Subject: RE: SV/PI- Ref - 909020AX
Date: Thu, 23 Jun 2016 02:41:42 -0700
Mime-Version: 1.0
X-NetcoreISpam11-ECMScanner-Information: Please contact Netcore Support 
for more information
X-NetcoreISpam11-MailScanner-ID: E7ADE5F.A055E
X-NetcoreISpam11-ECMScanner: Found to be clean
X-NetcoreISpam11-ECMScanner-SpamCheck: not spam,
                        CTSCORE : 0 
str=0001.0A160205.576BAEE5.013C:SCFMA16949757, ss=1,
                        re=-1.900, recu=0.000, reip=0.000, cl=1, cld=1, 
fgs=0,
                        SpamAssassin (not cached, score=0.701, required 5,
                        autolearn=disabled, ECM_HDR_MISMATCH1 0.10, 
ECM_PHISH 0.50,
                        HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10)
X-NetcoreISpam11-ECMScanner-From: c-level@cognitorex.com
X-MailServ-MailFilter-MailScanner-Information: Please contact the ISP 
for more information
X-MailServ-MailFilter-MailScanner-ID: EF7C66C466.AB237
X-MailServ-MailFilter-MailScanner: Found to be clean
X-MailScanner-From: c-level@cognitorex.com




YYYY - Process Rtgs Tf to this below account -

BANK NAME : UNJAB NATIONAL BANK
BENEFICIARY NAME : KARAN SHYAM SINGH
ACCOUNT NO : 0386006900002824
IFSC CODE : UNB0038600
BRANCH : CAMP
PAN NO: GAHPS7812F

AMOUNT - 3.1 Lacs

I will provide the Invoice later in the day as i am busy now, and please 
make sure they receive in their account before 3pm

Thanks,
YYYYYY

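The sample above already carries the signal a filter can act on: the From: claims the targeted domain, while Return-Path, X-Envelope-From and X-Sender all name an unrelated domain, Reply-To points at a third one, and the mail was handed to the company MTA by an outside webmail relay. The scanner did notice some of this (ECM_HDR_MISMATCH1 0.10, ECM_PHISH 0.50) but at scores far below the 5-point threshold. The Python checker below is an added example, not code from this thread or from SpamAssassin; it runs those header comparisons over a constructed message whose domains and addresses are placeholders modelled on the sample, plus a clean internal message for contrast. The `protected_domains` argument (the organisation's own domains) is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the thread; all domains,
# hosts and addresses are placeholders, not the ones from the real message.
SAMPLE = """Return-Path: <c-level@example-sender.test>
Received: from webmail.example-relay.test (webmail.example-relay.test [203.0.113.10])
        by mta.example.test (Postfix) with ESMTP id 0123456789
        for <accounts@example.test>; Thu, 23 Jun 2016 15:11:43 +0530 (IST)
X-Envelope-From: <c-level@example-sender.test>
From: "Jane CEO" <jane.ceo@example.test>
X-Sender: c-level@example-sender.test
Reply-To: "Jane CEO" <exec.m@example-freemail.test>
To: accounts@example.test
Subject: RE: Ref - 123
Content-Type: text/plain; charset="utf-8"

Process RTGS transfer to the account below before 3pm.
"""

# Constructed genuine internal mail: envelope, From: and relay all agree.
CLEAN = """Return-Path: <jane.ceo@example.test>
Received: from mail.example.test (mail.example.test [192.0.2.5])
        by mta.example.test (Postfix) with ESMTPS id 9876543210
        for <accounts@example.test>; Thu, 23 Jun 2016 15:20:00 +0530 (IST)
From: "Jane CEO" <jane.ceo@example.test>
To: accounts@example.test
Subject: Re: Ref - 123

Genuine internal mail.
"""

# "from <host> ... by <host>" inside a (possibly folded) Received: header.
RECEIVED_RE = re.compile(r"from\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.S)


def domain_of(addr):
    """Lower-cased domain part of a header address, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def external_handoff(msg, protected_domains):
    """Return the outside host that handed the mail to one of our MTAs, or None.

    Walks every Received: header; the one whose 'by' host is ours and whose
    'from' host is not is the point where the mail entered from outside."""
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rcvd)
        if not m:
            continue  # e.g. "(qmail ... invoked by uid 99)" has no from/by pair
        from_host, by_host = m.group(1).lower(), m.group(2).lower()
        if host_in(by_host, protected_domains) and not host_in(from_host, protected_domains):
            return from_host
    return None


def header_mismatches(raw, protected_domains):
    """Return a list of (rule, detail) findings for a raw RFC 5322 message.

    protected_domains: the organisation's own domains (assumed input of this
    example). A From: claiming one of them while the envelope, sender or
    reply-to headers point elsewhere is the pattern in the thread's sample."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # Envelope-level identities: these are what SPF actually validated, so a
    # passing SPF says nothing about the domain shown in From:.
    for hdr in ("Return-Path", "X-Envelope-From", "X-Sender"):
        val = msg.get(hdr)
        if val and domain_of(val) != from_dom:
            findings.append((f"{hdr}/From mismatch", f"{domain_of(val)} vs {from_dom}"))

    # Replies are steered away from the purported sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("Reply-To/From mismatch", f"{reply_dom} vs {from_dom}"))

    # Our own domain in From:, but the mail came in through an outside relay.
    if from_dom in protected_domains:
        ext = external_handoff(msg, protected_domains)
        if ext:
            findings.append(("Internal From: via external relay", f"{from_dom} handed in by {ext}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name)
        for rule, detail in header_mismatches(raw, {"example.test"}):
            print(f"  {rule}: {detail}")
```

In a SpamAssassin deployment the same comparisons belong in header rules combined with a meta rule that scores the combination (internal From: domain plus external relay plus mismatched Reply-To) high enough to matter, rather than the fractional scores the sample's scanner assigned; mail that legitimately enters from outside with the internal domain in From: (SaaS notifiers, a webmail box for staff) is the false-positive class to whitelist by relay host before raising the score.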