spamassassin-users mailing list archives
From Alex <mysqlstud...@gmail.com>
Subject Re: Phishing email or no?
Date Sat, 13 Oct 2018 17:30:59 GMT
Hi,

> >>> I'm curious what people think of this:
> >>>
> >>> https://pastebin.com/1XjwaCY1
> >>>
> >>> It's unsolicited, so that makes it spam to me, but is it dangerous?
> >>> yesinsights.com appears to be a legitimate company, but the sender,
> >>> emma@hrteamerus.com, is a registered domain but has no DNS record.
> >>>
> >>> Is it just a lame attempt to confirm email addresses?
> >>>
> >>> Outlook just seems to be a non-stop source of spam. I'd report it to
> >>> yesinsights, but it appears it's being used exactly as the service
> >>> intended?
> >>>
> >>> Any idea on tips to block it, other than bayes?
> >>>
> >>
> >> Is that the entire email in the pastebin link above?  I ran it through
> >> my SA platform and it's missing a few headers.
> >>
> >>          DKIM_INVALID,DKIM_SIGNED,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
> >>          MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT
> >
> > Yes, it's the complete email - those missing headers are in the
> > pastebin. It also passed DKIM. Send me a message if you want the
> > original.
> >
> >> Since it doesn't have a valid opt-out, I would report it to SpamCop,
> >> report it to yesinsights.com's abuse if SpamCop doesn't already, and add
> >> a blacklist_from *@hrteamerus.com entry.
> >
> > Yes, we've seen an increase in these types of emails. We've reported
> > it to spamcop, but there doesn't appear to be a way to communicate
> > abuse to yesinsights.
> >
>
> I checked yesinsights.com site and they don't have a way to contact them
> or report abuse.  They do have a free week trial so you could set up a
> trial to get in touch with someone and tell them they need to have an
> abuse contact set up with SpamCop or they will eventually be listed on
> RBLs if they have enough shady customers sending to recipients that
> haven't opted into these emails.

They have a twitter :-)

SurveyGizmo was also similarly used in a fraud attempt to our users.
We're also contacting them using this method because they also have no
abuse contact, or really any direct support contact, on their site
without registering.

> If I received complaints from my customers about spam from yesinsights,
> I would put a REJECT line in my Postfix config with a detailed
> explanation as to why they were being blocked to give them feedback in
> their logs in case they actually check them.

That's a great idea, and we've added body rules for these specific patterns.

> Another option you have if you see repeating characteristics is to
> create a local meta rule that combines URLs with yesinsights.com with
> the envelope-from domain of hrteamerus.com or other things you see over
> and over to add some points.

I've created a meta that combines yesinsights with our 'invoice' rules.

> This email came via Office 365 which is a major problem for sorting out
> spam.  They are so large that you can't block them outright so I have
> created a set of meta rules that amplify some spammy scores for O365 and
> add a point or two for all O365 email then put known good O365 senders
> to an exception list.  It has worked pretty well for the past year.
> Takes a little work up front to start the list but I haven't had to do
> much lately.  I mainly had to exclude senders that send odd attachments
> or invoices that trigger suspicious phishing-type rules.

Can they be rolled into mass-checks or the regular rules or shared
here, or perhaps just more details so we can build customization
locally?

>
> --
> David Jones
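
The rule set below is an added example and not code from either poster; it shows the SpamAssassin local-rule mechanics the thread describes (a URI rule combined with an envelope-sender rule in a meta, a meta with an "invoice" body rule, a small nudge for anything relayed through Office 365 that is amplified when a stock phishing rule also fires, a `whitelist_from_rcvd` exception list, and the `blacklist_from` entry). The `LOCAL_`/`__LOCAL_` rule names, the scores, the invoice phrases, the `billing@example.com` exception and the file location are all assumptions; the domains are the ones named in the thread, and `URI_PHISH` is used as a representative stock rule name, so substitute whichever phishing rules actually fire on your own traffic.

```conf
# Added example (not from the thread).  Assumed to live in
# /etc/mail/spamassassin/local.cf; run "spamassassin --lint" after editing.

# --- Sub-rules (leading "__" = unscored, used only inside metas) --------
# Link to the survey host seen in the pasted message.
uri      __LOCAL_URI_YESINSIGHTS   /^https?:\/\/(?:[\w-]+\.)*yesinsights\.com(?:[\/?#:]|$)/i

# Envelope sender domain.  "EnvelopeFrom" is SA's pseudo-header for the
# Return-Path / envelope sender, so a pretty display From: does not matter.
header   __LOCAL_ENVFROM_HRTEAMERUS  EnvelopeFrom =~ /\@hrteamerus\.com$/i

# Hypothetical "invoice" bait wording, standing in for the site's own invoice rules.
body     __LOCAL_INVOICE_WORDS     /\b(?:invoice|past due|payment (?:overdue|pending))\b/i

# --- Metas: traits that are only suspicious in combination -----------------
meta     LOCAL_YESINSIGHTS_HRTEAM  (__LOCAL_URI_YESINSIGHTS && __LOCAL_ENVFROM_HRTEAMERUS)
describe LOCAL_YESINSIGHTS_HRTEAM  yesinsights.com link sent with hrteamerus.com envelope sender
score    LOCAL_YESINSIGHTS_HRTEAM  3.0

meta     LOCAL_YESINSIGHTS_INVOICE (__LOCAL_URI_YESINSIGHTS && __LOCAL_INVOICE_WORDS)
describe LOCAL_YESINSIGHTS_INVOICE yesinsights.com link plus invoice bait wording
score    LOCAL_YESINSIGHTS_INVOICE 2.5

# --- Office 365 handling ----------------------------------------------------
# A point for anything that came through an O365 outbound relay.  Received
# rules are matched against all Received: headers, so this fires on any hop;
# a stricter check would test the last external relay via X-Spam-Relays-External.
header   LOCAL_VIA_O365            Received =~ /\.outbound\.protection\.outlook\.com\b/i
describe LOCAL_VIA_O365            Relayed through Office 365
score    LOCAL_VIA_O365            1.0

# Amplify when O365 mail also hits a stock phishing rule (URI_PHISH is an
# assumed representative name; use the rules that fire on your traffic).
meta     LOCAL_O365_PHISH          (LOCAL_VIA_O365 && URI_PHISH)
describe LOCAL_O365_PHISH          Office 365 relay plus phishing-style URI
score    LOCAL_O365_PHISH          2.0

# Exception list for known-good O365 senders.  The address must match AND the
# last external relay's reverse DNS must end in the given domain, so a forged
# From: alone does not earn the whitelist bonus.
whitelist_from_rcvd  billing@example.com  outbound.protection.outlook.com

# --- Hard block of the sender domain, as suggested in the thread -----------
blacklist_from  *@hrteamerus.com
```

Keep the scored metas below your spam threshold on their own so a single trait (a legitimate yesinsights survey, an ordinary invoice from an O365 tenant) does not reject mail by itself; the point of the metas is that the combinations add up. Test the file with `spamassassin --lint`, then feed the pasted sample through `spamassassin -t < message.eml` and confirm the expected `LOCAL_` rules appear in the report before deploying.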
