From: Kris Deugau
Organization: Vianet Internet Solutions
To: "users@spamassassin.apache.org"
Subject: Re: Forgery with SPF/DKIM/DMARC
Date: Fri, 16 Nov 2018 10:39:47 -0500
Message-ID: <6d308996-7352-3415-b6cc-84c8c82903df@vianet.ca>
In-Reply-To: <20181116144753.0f7c383d@gumby.homeunix.com>
References: <20181116144753.0f7c383d@gumby.homeunix.com>

RW wrote:
> On Fri, 16 Nov 2018 08:44:52 -0500
> Robert Fitzpatrick wrote:
>
>> We're having an issue with spam coming from the same company even
>> though SPF and DKIM is setup with DMARC to reject. Take this
>> forwarded email for instances....

[ fake invoice email ]

SPF and DKIM rarely return "fail" on these because the envelope sender
either doesn't publish either, or publishes them and they match.  SPF in
particular would usually have nothing to do with the "obvious" From:
address that most people would look at.

> This is a pretty confusing question because it has nothing to do with
> DMARC, SPF, or DKIM, and "same company" reads like "consistent
> spammer".
>
> I think what you're getting at is the use of a local address in the
> author display name:
>
>> From: User
>> To: other.user@company.com
>
> Did you actually mean that precise form, which looks invalid,

This certainly sounds like a series of fake invoice mails I've been
getting a trickle of reports for, and if so, then yes, that is literally
exactly what's in the original.

I dug through my reporting account's history and found one that came
directly to my own account:

Delivered-To: kdeugau@vianet.ca
Return-Path:
Received: from mail.vianet.ca [209.91.128.17]
        by pod.pem-lan with POP3 (fetchmail-6.3.26)
        for (single-drop); Tue, 06 Nov 2018 09:05:12 -0500 (EST)
Received: from rla3.dizinc.com (rla3.dizinc.com [72.29.77.172])
        by mx1.vianet.ca (Postfix) with ESMTPS id 83FE2E24D6
        for ; Tue,  6 Nov 2018 09:03:08 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=corpmaqplast.com; s=default;
        h=Content-Type:MIME-Version:Subject:Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=+EAmfCv8FqMxiASYoMWTcRGrgS++5JXOIOM7h8kgXyw=;
        b=n/4UOgM/LfvfnVl8gzWrv7uU/P6GL1HJgU4KMmU/hsZR6sG5y/ijG09RLmuMK1OAoYULC8P4BewtmtfsDElVGXHU9P3EG6poaMliWeM
         RRxcaV8/DMUiFOa2O8Y1Q9F4OXpI8t19pAchCaR+OFs34+Npjwad/wkX/+E82uWs57gs0VJMH76z9
         UVynTFc+hRbwEFGdYPi+Gnc+fpvtbO7RN0pqcNOjLQWdEr2RcO2yg1hCPUs6z8HJ7gNYT1Wx7DQEj
         y6adnz0tG+sLmqsYYC/67cJYdgHuEfUvUIlCCRVgV38BXGJiDoRSsz6txHAaCYa7bXHZ892FN9EbC
         CIVnco0Q==;
Received: from [187.217.80.180] (port=3340 helo=10.1.34.37)
        by rla3.dizinc.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.91)
        (envelope-from )
        id 1gK1wg-00073v-8J
        for kdeugau@vianet.ca; Tue, 06 Nov 2018 08:03:07 -0600
Date: Tue, 06 Nov 2018 14:03:06 +0000
From: John D. Smith
To: kdeugau@vianet.ca
Message-ID: <35706717752563516902.8F4660866AA84645@vianet.ca>
Subject: John D. Smith Factures 0611-KDG47168618-939

In this instance SPF and DKIM passed, so whatever policies richland.edu
might publish they're irrelevant and not checked.

This particular subseries also has an attached Word document, which is
now getting flagged by ClamAV, but IIRC there have been a few that were
either "just" phishing, or linked to malware instead of attaching it to
the message.

Looking at a couple of other examples, there are also some in the form:

From: =?UTF-8?B?[encoded stuff]=

where [encoded stuff] decodes to:

Some User

-kgd
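The message above makes two points a filter writer needs to act on: SPF, DKIM and DMARC only ever evaluate the real From: address (and the envelope sender / DKIM d= domain), never the display name, and the display name may itself carry a second, local-looking address, sometimes hidden inside an RFC 2047 `=?UTF-8?B?...?=` encoded-word. The following script is an added example written for this thread; it is not code from the list post, from SpamAssassin, or from any of the people quoted. It decodes the From: header, separates the display name from the address DMARC would actually look at, and flags a display name that contains an address at a different domain. The function names, the `local_domains` parameter and the `example.com` / `example.net` samples are all constructed for the illustration.

```python
"""Detect "display-name spoofing": a From: header whose display name carries
an e-mail address at one domain (often the recipient's own) while the real
address, the only part SPF/DKIM/DMARC ever look at, is at another.

Added example for this thread; not code from the list post or from
SpamAssassin.  All domains and addresses below are constructed samples.
"""
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Loose addr-spec matcher, enough for scanning a display name for addresses.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def decode_rfc2047(raw: str) -> str:
    """Decode =?charset?B/Q?...?= encoded-words into one text string.

    decode_header() returns unencoded chunks as bytes with charset None;
    join everything so an address hidden in an encoded name becomes visible.
    """
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def split_from(decoded: str):
    """Return (display_name, address).

    The real address is the last <...> in the header, so the malformed
    'User <a@x> <b@y>' shape from the thread yields name='User <a@x>'
    and address='b@y'.  A bare address falls back to email.utils.parseaddr.
    """
    m = re.search(r"<([^<>]+)>\s*$", decoded)
    if m:
        name = decoded[:m.start()].strip().strip('"').strip()
        return name, m.group(1).strip()
    return parseaddr(decoded)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_from(raw_from: str, local_domains=()) -> dict:
    """Classify one raw From: header value.

    'dmarc_domain' is the domain a receiver evaluates for SPF/DKIM alignment;
    'name_domains' are domains that appear only in the display name and are
    never authenticated by any of the three mechanisms.
    """
    name, addr = split_from(decode_rfc2047(raw_from))
    real = domain_of(addr)
    name_domains = {domain_of(a) for a in ADDR_RE.findall(name)}
    local = {d.lower() for d in local_domains}
    return {
        "display_name": name,
        "address": addr,
        "dmarc_domain": real,
        "name_domains": sorted(name_domains),
        # any address in the name at a domain other than the real sender's
        "suspicious": any(d != real for d in name_domains),
        # the name borrows one of our own domains but the sender is outside it
        "impersonates_local": bool(name_domains & local) and real not in local,
    }


def encode_word_b64(text: str) -> str:
    """Build a =?UTF-8?B?...?= encoded-word (used only to construct a sample)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="


# Constructed samples mirroring the header shapes described in the thread.
SAMPLES = {
    "plain_local_in_name": "User <user@example.com> <sender@example.net>",
    "encoded_local_in_name": encode_word_b64("Some User <some.user@example.com>")
    + " <sender@example.net>",
    "benign": '"John D. Smith" <john@example.net>',
    "own_address_in_name": "user@example.com <user@example.com>",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = analyze_from(raw, local_domains=["example.com"])
        print(f"{label:24} suspicious={r['suspicious']!s:5} "
              f"impersonates_local={r['impersonates_local']!s:5} "
              f"dmarc_domain={r['dmarc_domain']}")
```

Run it as-is to see the four constructed cases; in a real pipeline the raw `From:` value comes from the parsed message and `local_domains` is the list of domains you accept mail for. The `own_address_in_name` case is deliberately benign: a name that repeats the sender's own address is common and must not fire, which is why the check compares domains rather than merely looking for an `@` in the name.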