Recent phishing mails are targeting mailing-lists -- and do pass

Recent phishing mails are targeting mailing-lists -- and do pass.
From our logs:
Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meister@charite.de, size=4760, message-id=<486320030245.201792592050@charite.de>, success
But the headers of the mail that was automatically passed (since sabishi.meister@charite.de is a member) were:
From: "Sabishi.Meister@" <charite.de events@tryphotels.ae>
--
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebrandt@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> Recent phishing mails are targeting mailing-lists -- and do pass.
> From our logs:
> Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meister@charite.de, size=4760, message-id=<486320030245.201792592050@charite.de>, success
> But the headers of the mail that was automatically passed (since sabishi.meister@charite.de is a member) were:
> From: "Sabishi.Meister@" <charite.de events@tryphotels.ae>
A post is considered to be from a list member if any of the headers in the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member address. The default setting is
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
(None means the envelope sender). Assuming you have the default setting, the sabishi.meister@charite.de address was either the envelope sender or in Reply-To: or Sender:.
You could set
SENDER_HEADERS = ('from',)
in mm_cfg.py to test only the From: for list membership.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
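The membership test Mark describes, emulated so the default SENDER_HEADERS and the ('from',) override can be compared side by side. This is an added example, not Mailman's own code; the member roster, the envelope sender and both messages are constructed (the phishing From: is modelled on the header in the thread, rewritten as a well-formed address so the standard library parser accepts it).

```python
# Added example, not Mailman's own code: emulates the SENDER_HEADERS rule so the
# two settings can be compared on a constructed message. Roster, envelope sender
# and message headers are all constructed for illustration.
from email import message_from_string
from email.utils import getaddresses

MEMBERS = {"sabishi.meister@charite.de"}      # constructed list membership

# Default from Defaults.py; None stands for the envelope sender.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
STRICT_SENDER_HEADERS = ('from',)             # the mm_cfg.py override suggested above

def find_member_sender(msg, envelope_sender, sender_headers=DEFAULT_SENDER_HEADERS):
    """Return (header, address) for the first member address found, else None.

    A post counts as a member post if ANY configured header (or the envelope
    sender, for None) carries a member address, checked in tuple order.
    """
    for hdr in sender_headers:
        if hdr is None:
            label, addrs = 'envelope', [('', envelope_sender or '')]
        else:
            label, addrs = hdr, getaddresses(msg.get_all(hdr, []))
        for _display, addr in addrs:
            if addr and addr.lower() in MEMBERS:
                return (label, addr.lower())
    return None

# Constructed sample modelled on the thread: a member-looking display name in
# From:, an outside sender address, and the member address tucked into Reply-To:.
PHISH = message_from_string(
    'From: "Sabishi.Meister charite.de" <events@tryphotels.ae>\r\n'
    'Reply-To: sabishi.meister@charite.de\r\n'
    'Subject: constructed sample\r\n'
    '\r\n'
    'body\r\n'
)
# Constructed genuine post from the same member.
GENUINE = message_from_string(
    'From: Sabishi Meister <sabishi.meister@charite.de>\r\n'
    'Subject: constructed sample\r\n'
    '\r\n'
    'body\r\n'
)

if __name__ == '__main__':
    print(find_member_sender(PHISH, 'bounce@tryphotels.ae'))                         # ('reply-to', ...)
    print(find_member_sender(PHISH, 'bounce@tryphotels.ae', STRICT_SENDER_HEADERS))  # None
    print(find_member_sender(GENUINE, 'bounce@example.invalid', STRICT_SENDER_HEADERS))
```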

One thing *I* have discovered is that "bogus" messages (e.g. phishing, etc. spam) often have various envelope headers that give them away. One is a "Received: " from a mail server with no reverse DNS ('Received: from ... (unknown [ddd.ddd.ddd.ddd])'), so a spam filter rule like this:
"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])"
catches them. Set this filter to "Hold", since *some* E-Mail clients/providers seem to use machines with non-routing addresses either internally or otherwise (typically AOL over a Satellite Internet connection), which you will want to pass through manually.
I also use Spamassassin on my server, so having a rule like:
"X-Spam-Score: \d"
is also helpful at catching spam and phishing mail.
At Mon, 25 Sep 2017 21:31:05 -0700 Mark Sapiro <mark@msapiro.net> wrote:
> On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
>> Recent phishing mails are targeting mailing-lists -- and do pass.
>> From our logs:
>> Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meister@charite.de, size=4760, message-id=<486320030245.201792592050@charite.de>, success
>> But the headers of the mail that was automatically passed (since sabishi.meister@charite.de is a member) were:
>> From: "Sabishi.Meister@" <charite.de events@tryphotels.ae>
> A post is considered to be from a list member if any of the headers in the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member address. The default setting is
> SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
> (None means the envelope sender). Assuming you have the default setting, the sabishi.meister@charite.de address was either the envelope sender or in Reply-To: or Sender:.
> You could set
> SENDER_HEADERS = ('from',)
> in mm_cfg.py to test only the From: for list membership.
--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services

Spamassassin produces a numeric rating for an email based on multiple rules. Legitimate email can easily get a rating of 3 or 4 based on the way you have it configured. I've seen double digit ratings as well. If you check for a single digit, you may be filtering legitimate emails that have a low score.
On 9/26/2017 7:58 AM, Robert Heller wrote:
> [snip]
> I also use Spamassassin on my server, so having a rule like:
> "X-Spam-Score: \d"
> is also helpful at catching spam and phishing mail.
> [snip]

At Tue, 26 Sep 2017 09:23:21 -0400 Richard Shetron <guest2@sgeinc.com> wrote:
> Spamassassin produces a numeric rating for an email based on multiple rules. Legitimate email can easily get a rating of 3 or 4 based on the way you have it configured. I've seen double digit ratings as well. If you check for a single digit, you may be filtering legitimate emails that have a low score.
Spamassassin can be configured to only include the score header if the score exceeds the threshold, so low score messages will be passed. Setting that pass the filter to "hold" allows the moderator to pass messages that Spamassassin has issues with (higher score). It can be worth it to catch the *occasional* "false positive", if almost all of the true spam is caught.
*I* have not had any problems. The 'unknown' filter catches some of the people posting from AOL, but mostly is catching spam. Ditto with the Spamassassin filter. And it is possible to tweak the Spamassassin scoring, if there is a *consistent* "false positive" problem. That is what /etc/mail/spamassassin/local.cf is for...
> On 9/26/2017 7:58 AM, Robert Heller wrote:
>> [snip]
>> I also use Spamassassin on my server, so having a rule like:
>> "X-Spam-Score: \d"
>> is also helpful at catching spam and phishing mail.
>> [snip]
> Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/heller%40deepsoft.com
--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services

On 09/26/2017 07:23 AM, Richard Shetron wrote:
> Spamassassin produces a numeric rating for an email based on multiple rules. Legitimate email can easily get a rating of 3 or 4 based on the way you have it configured. I've seen double digit ratings as well. If you check for a single digit, you may be filtering legitimate emails that have a low score.
SpamAssassin can also be configured to provide an X-Spam-Level: header which includes an asterisk for each whole number in the spam score. Thus you can easily do textual matches on lines with more stars while not matching lines with fewer stars.
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.3
vs
X-Spam-Level: *
X-Spam-Status: No, score=1
Both samples have "score=1" text, but only one has "X-Spam-Level: **********" text.
It's my understanding that this is exactly why SpamAssassin can be configured to provide the X-Spam-Level header.
--
Grant. . . .
unix || die

SpamAssassin:
Don't match X-Spam-Score unless you are extracting the value and doing computation. Note that the value isn't necessarily numeric - e.g. 'undef - 10.0.0.23 is whitelisted' is a valid value, as are '-1.6 (-)', '0.70 () [Tag at 5.00] COMBINED_FROM,SUBJ_YOUR_DEBT,SPF(pass,0)' and '0.00%'
Instead, match X-Spam-Level, which is designed for regex matching.
This will have a value of '*' for score 1, '**********' for score 10, etc.
So match for the minimum score that you consider spam. (Obviously, in a regex, you have to quote the *).
E.g. '^\*\*\*\*\*\*\*\*\*' will match a score of 9 or higher.
On 26-Sep-17 09:23, Richard Shetron wrote:
> Spamassassin produces a numeric rating for an email based on multiple rules. Legitimate email can easily get a rating of 3 or 4 based on the way you have it configured. I've seen double digit ratings as well. If you check for a single digit, you may be filtering legitimate emails that have a low score.
> On 9/26/2017 7:58 AM, Robert Heller wrote:
>> [snip]
>> I also use Spamassassin on my server, so having a rule like:
>> "X-Spam-Score: \d"
>> is also helpful at catching spam and phishing mail.
>> [snip]
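The three header rules discussed in this thread (Robert's Received rule, the X-Spam-Score digit test, and the X-Spam-Level star count that Grant and tlhackque recommend instead), exercised on constructed header lines. This is an added example, not code from any poster or from Mailman; it assumes Mailman's header_filter_rules semantics of a Python re.search over "Name: value" lines, and every sample header, hostname and address is constructed.

```python
# Added example, not Mailman's own code: applies the header filter regexes from
# this thread to constructed header lines. Assumes Mailman header_filter_rules
# semantics: each rule is a Python regex searched against "Name: value" lines.
import re

# Rules quoted in the thread. The group in the Received rule is a capture group,
# not literal parentheses, so it matches "unknown [a.b.c.d]" with or without them.
RULE_RECEIVED_UNKNOWN = r"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])"
RULE_SPAM_SCORE_DIGIT = r"X-Spam-Score: \d"

def level_rule(min_score):
    """X-Spam-Level rule for 'min_score or higher': one escaped '*' per point."""
    return r"X-Spam-Level: \*{%d}" % int(min_score)

def spam_level_stars(score):
    """SpamAssassin's X-Spam-Level value: one '*' per whole point, none below 1."""
    return "*" * int(max(score, 0))

def matching_lines(headers, pattern):
    """Header lines a rule fires on (Mailman holds/rejects/discards on any match)."""
    rx = re.compile(pattern)
    return [h for h in headers if rx.search(h)]

# Constructed headers: RFC 5737 documentation addresses, .invalid hostnames.
SPAMMY = [
    "Received: from relay.example.invalid (unknown [203.0.113.7]) by lists.example.invalid",
    "X-Spam-Level: " + spam_level_stars(13.3),
    "X-Spam-Status: Yes, score=13.3",
    "X-Spam-Score: 13.3",
]
LOW_SCORE = [
    "Received: from mx.example.invalid (mx.example.invalid [198.51.100.9]) by lists.example.invalid",
    "X-Spam-Level: " + spam_level_stars(0.70),
    "X-Spam-Status: No, score=0.7",
    "X-Spam-Score: 0.70 () [Tag at 5.00] SPF(pass,0)",   # one of the non-numeric forms tlhackque lists
]

if __name__ == "__main__":
    print(matching_lines(SPAMMY, RULE_RECEIVED_UNKNOWN))     # the no-reverse-DNS hop
    print(matching_lines(LOW_SCORE, RULE_SPAM_SCORE_DIGIT))  # fires on a 0.70 score: the pitfall
    print(matching_lines(LOW_SCORE, level_rule(9)))          # []: no stars to match
    print(matching_lines(SPAMMY, level_rule(9)))             # the 13-star line
```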
Participants (6): Grant Taylor, Mark Sapiro, Ralf Hildebrandt, Richard Shetron, Robert Heller, tlhackque