How to block this type of spam email when the mail from is a domain account.

1

How to block this type of spam email when the mail from: is a domain account but mailto: is a non-domain email.
Example:
real domain user From: John Doe
spam email From: John Doe

It looks like a "MIME/From header spoofing"
Thank you.

by Drew.Lopshire 1 month ago
2

Hello Drew,

This one is tricky because the spammers only spoofed the display name, but not the actual email address. You will have to use a modified version of the "header filter" which you are most probably already familiar with (from: https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing) to blacklist these emails.

The "header filter" should be added to the Blacklists > Keyword Blacklist of the ORF Administration Tool. Click New, select search scope Email header (raw MIME). Select the Filter expression tab, set the expression type to regular expression and enter the following expression:

.*^From:[^\r\n]*(Name1|Name2|Name3)[^\r\n]*\b[^\r\n]*@((?!yourdomain)[^\r\n])*\.com\b[^\r\n]*\s$

The above pattern will match the specified display name(s) *only* if the domain found in the email address does not match yours. Note that this filter may block legitimate emails if you add common names, hopefully, your CEO is not called "John Smith" :)

For the filter to work properly, you have to replace the "Name1, Name2, Name3, etc." and "yourdomain" placeholders, and if necessary the "com" TLD as well. You may list additional names inside the parentheses by separating them with the "|" vertical bar (or pipe) character. I hope this helps.

by Daniel Novak (Vamsoft) 1 month ago
3

@Daniel Novak (Vamsoft): Hello Daniel,

Thank you for your answer. We also thought about it, but the problem is that we have a lot of users in our company, and adding a new name to the filter each time is not the best solution. Is there any way to do it automatically?

by Spambulance911 1 month ago
(in reply to this post)

4

@Spambulance911: Yes, there is. Though, it would take some time (and scripting skills) to set it up.

The External Agent test of ORF can use any external command line agent to perform additional checks by providing the agent with a copy of the incoming email - in an .eml format. Thus, if you could write a script that would match the contents of the .eml against a "header filter" (i.e. regex pattern) that is periodically updated to contain all user names, then you could configure ORF to use that as an additional blacklist test. If you want to learn more about External Agents and how to configure them in ORF, please consult the related help page at https://vamsoft.com/support/docs/orf-help/5.5/adm-agents

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)

5

Hi Daniel,

This pattern: .*^From:[^\r\n]*(Chris Doner|Dmitriy Guselnikov|Drew Lopshire|IT|Andrei Lebedev|Tom Lester|Vitaliy Kuriltsev|Mykola Kotsurskyi)[^\r\n]*\b[^\r\n]*@((?!accesssoftek)[^\r\n])*\.com\b[^\r\n]*\s$

blocks legitimate emails. This is an example:
Received: from xxxx.accesssoftek.com (x.x.x.x) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Mailbox Transport; Wed, 25 Jul 2018 16:44:53 -0700
Received: from xxxx.accesssoftek.com (x.x.x.x) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2; Wed, 25 Jul 2018 16:44:52 -0700
Received: from smtp.github.com (192.30.252.194) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Frontend Transport; Wed, 25 Jul 2018 16:44:51 -0700
Date: Wed, 25 Jul 2018 16:44:50 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1532562290;
bh=5fG+tt1NOxCiP9oRAM2c7pNeB0DLZg3hHxuL6wrACf0=;
h=Date:From:To:Subject:From;
b=LiHSAnSh0S07iJWw3IHZf+v4QUc2Ezrqsm298HxC89BwajgbhEOSV9n9xv83tMgYe
4dbznJOOfi+fWPEB/tS/m0hy69sUTV9QeETnFeti2LxMQTR+J4QMMYEAQ0Dug0foQs
n47qzbwCu35Fx8E87oVIsl+5Yg+XJaV4MrjztWW8=
From: GitHub
To: o-ran
Message-ID:
Subject: [GitHub] Please verify your email address.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_5b590b72e0533_642c3fd6294d45c48280";
charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: All
X-GitHub-Verify: o-ran
Return-Path:
X-MS-Exchange-Organization-Network-Message-Id: 639ac9b0-7ba2-4885-e8a3-08d5f2889e32
X-MS-Exchange-Organization-AuthSource: xxxx.accesssoftek.com
X-MS-Exchange-Organization-AuthAs: Anonymous

by Spambulance911 3 weeks ago
6

missed part:
From: GitHub
To: o-ran

by Spambulance911 3 weeks ago
7

@Spambulance911: It took us some head scratching to figure out why this happened, but we have found the problem. *drumroll* The regex matches the "it" in 'GitHub'. This is because the expression is case-insensitive and allows additional characters before and after the names specified between the parentheses (in case the spammers try {name} or [name], for example), which is a non-issue with unique full names. However, that is not the case with "IT". In its current form the regex would match, for example: Mr. Chris Doner, {[Chris Doner]}, foochris donerbar, fooITbar, foo.it.bar.

To resolve the issue, use (?-i:IT) in place of "IT" in the regex pattern to make the "IT" part case-sensitive. This will still match GITHUB, or ITALY, so you might want to add some spaces before and after (?-i:IT) to further limit the possible matches - though it would still match IT in 'BEST IT EVER', but it would also protect against phishing attempts such as '100% Real Accesssoftek IT'.

The updated regex would look like this:

.*^From:[^\r\n]*(Chris Doner|Dmitriy Guselnikov|Drew Lopshire| (?-i:IT) |Andrei Lebedev|Tom Lester|Vitaliy Kuriltsev|Mykola Kotsurskyi)[^\r\n]*\b[^\r\n]*@((?!accesssoftek)[^\r\n])*\.com\b[^\r\n]*\s$

Let me know if you would need any other changes.

by Daniel Novak (Vamsoft) 3 weeks ago
(in reply to this post)
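The External Agent approach from post 4, combined with the whole-word, case-sensitive handling of "IT" from post 7, as an added Python example (not ORF's code and not from this thread): it parses an .eml, reads the From: display name and address, and flags the message only when a protected name appears as a whole word and the address domain is not the organisation's. The domain, the name list and the sample messages are constructed for the demonstration.

```python
# Added example, not ORF's own code. Checks an .eml the way an External Agent could:
# protected display name + address outside our domain => block.
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's own domain
# Constructed list; in the External Agent setup this would be regenerated periodically.
PROTECTED_NAMES = ["Chris Doner", "Drew Lopshire", "IT"]


def _name_pattern(name):
    # Short all-caps names such as "IT" are matched case-sensitively (the thread's
    # (?-i:IT) fix); full names stay case-insensitive. \b keeps "Mr. Chris Doner"
    # matching, while "GitHub" and "Italy" no longer trigger on "IT".
    flags = 0 if name.isupper() else re.IGNORECASE
    return re.compile(r"\b" + re.escape(name) + r"\b", flags)


NAME_PATTERNS = [_name_pattern(n) for n in PROTECTED_NAMES]


def display_name_spoofed(raw_eml):
    """True when From: shows a protected display name but a non-organisation address."""
    msg = message_from_string(raw_eml, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Compare the whole domain, not a substring: "example.com.evil.net" must count
    # as foreign, and a From: with no address at all is left to ORF's other tests.
    if not domain or domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return False
    return any(p.search(name) for p in NAME_PATTERNS)


# Constructed sample messages (not real traffic).
SPOOF_EML = "From: Mr. Chris Doner <cdoner@freemail-example.net>\r\nSubject: wire\r\n\r\nhi\r\n"
LEGIT_EML = "From: Chris Doner <chris.doner@example.com>\r\nSubject: hi\r\n\r\nhi\r\n"
GITHUB_EML = "From: GitHub <noreply@github.com>\r\nSubject: Please verify\r\n\r\nhi\r\n"
IT_SPOOF_EML = "From: 100% Real Example IT <helpdesk@example-support.org>\r\nSubject: reset\r\n\r\nhi\r\n"
ITALY_EML = "From: Italy Tours <info@tours-example.it>\r\nSubject: offer\r\n\r\nhi\r\n"

if __name__ == "__main__":
    samples = [("spoof", SPOOF_EML), ("legit", LEGIT_EML), ("github", GITHUB_EML),
               ("it-spoof", IT_SPOOF_EML), ("italy", ITALY_EML)]
    for label, eml in samples:
        print(label, "BLOCK" if display_name_spoofed(eml) else "pass")
```

ORF only needs the agent's exit code, so a wrapper would read the .eml path from the command line and map True to the blacklist exit code configured for the External Agent test.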

8

@Daniel Novak (Vamsoft): Thank you for your help. We'll test.

by Spambulance911 3 weeks ago
(in reply to this post)
