Spoofed from/to from hacked accounts - how to deal with?
Hi Bryon,
I did recognize that too. I followed the advice to configure the ClamAV External Agent and enabled the macro blocking in it. So no more malicious files are getting through to the users.
https://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-1
https://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2
HTH
Norbert
@Bryon:
Hello Bryon,
Besides connecting ClamAV to ORF - as suggested by Norbert - I would recommend the following:
+ Make sure you have the recommended DNSBLs and SURBLs enabled: https://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents
+ Blacklist the email if the sending server does not identify itself (in the EHLO/HELO command) using a fully qualified domain name. Compromised servers and workstations tend to use their own hostname as is, which is often not an FQDN. (Blacklists > HELO Blacklist > "Is not a ... FQDN")
+ Blacklist the email if the sending server does not have an MX record or its IP address cannot be resolved into a domain name. Both of these are requirements for legitimate mail exchangers. (Blacklists > Reverse DNS Test > "The sender domain must have a DNS MX record (strict check)" + "Enable Sender IP Reverse Name Validation")
+ If you have not done so already, enable Greylisting (Blacklists > Greylisting) and change its default settings:
> Disable the “Accept delivery retries from the same /24 subnet” option; needs to be done to stop more sophisticated spammers
> Disable the “Skip Greylisting if the sender explicitly passes the SPF Test” option; this is crucial, as spammers too can publish valid SPF records for their domains.
> Add large organizations that are known for using load balancing for outbound emails (which breaks Greylisting) to the Sender/IP Exception list of Greylisting; Send us an email to to receive an up-to-date list that you can import into ORF.
> Increase the “Reject unknown senders for” value to 180 - 240 seconds; to fend off more persistent spammers
> Increase the “Record lifetime” value to 168 - 336 hours; this way ORF will “remember” legitimate senders much longer, so their emails will be delayed far less often.
+ Enable the Auto Sender Whitelist and assign it to both filtering points to mitigate the delay introduced to legitimate emails by Greylisting. (Whitelists > Auto Sender Whitelist)
I hope the above will prove helpful to you.
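The Greylisting settings recommended above, as an added Python example (not ORF's code and not from the thread): a triplet store keyed on sender IP, envelope sender and recipient, with the "/24 subnet" and "skip on SPF pass" options off by default, a 240-second rejection window and a 336-hour record lifetime. The class, field names and the SMTP text returned on rejection (copied from Daniel's later post) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

REJECT_UNKNOWN_FOR = 240      # seconds; upper end of the 180-240 s range suggested above
RECORD_LIFETIME = 336 * 3600  # seconds; upper end of the 168-336 h range suggested above
TEMP_REJECT = "4.7.1 Temporarily rejected. Try again later."


@dataclass
class Greylist:
    """Greylisting triplet store (hypothetical, for illustration only).

    match_subnet=False  -> the "/24 subnet" option is disabled (recommended).
    skip_on_spf=False   -> an SPF pass does NOT bypass Greylisting (recommended).
    """
    match_subnet: bool = False
    skip_on_spf: bool = False
    records: dict = field(default_factory=dict)  # key -> (first_seen, last_seen)

    def _key(self, ip, sender, rcpt):
        ip_key = ip
        if self.match_subnet:
            # treat every host of the /24 as the same sender (weaker, not recommended)
            ip_key = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        return (ip_key, sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now, spf_pass=False):
        """Return "accept" or the temporary-rejection text for one delivery attempt."""
        if self.skip_on_spf and spf_pass:
            return "accept"  # spammers can publish valid SPF too, hence the default False
        key = self._key(ip, sender, rcpt)
        first_seen, last_seen = self.records.get(key, (None, None))
        if first_seen is None or now - last_seen > RECORD_LIFETIME:
            # unknown or expired triplet: start the delay window and defer
            self.records[key] = (now, now)
            return TEMP_REJECT
        self.records[key] = (first_seen, now)  # refresh the record lifetime
        if now - first_seen < REJECT_UNKNOWN_FOR:
            return TEMP_REJECT  # retry came back too quickly; keep deferring
        return "accept"
```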
@Daniel Novak (Vamsoft):
Hi Daniel, this is great info. Most of these settings we already have in place, but I have edited some based on your awesome list.
We'll see how it goes!
@Bryon:
Here's an example that just came in... can you help me block these? The sender address is always different, as is the IP address, and the spam link inside... I guess clam didn't catch this URL, nor did any of the subscribed DNSBLs.
It looks very much like it was sent from an authenticated hacked account on eigbox
image: http://i66.tinypic.com/24w9cts.png
headers follow - I replaced our domain with DOMAIN.COM
Received: from MAIL.DOMAIN.COM (172.16.1.71) by MAIL.DOMAIN.COM
(172.16.1.71) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2 via Mailbox
Transport; Fri, 14 Dec 2018 11:02:43 -0500
Received: from MAIL.DOMAIN.COM (172.16.1.71) by MAIL.DOMAIN.COM
(172.16.1.71) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2; Fri, 14 Dec
2018 11:02:43 -0500
Received: from bosmailout06.eigbox.net (66.96.185.6) by MAIL.DOMAIN.COM
(172.16.1.71) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2 via Frontend
Transport; Fri, 14 Dec 2018 11:02:43 -0500
Received: from bosmailscan03.eigbox.net ([10.20.15.3])
by bosmailout06.eigbox.net with esmtp (Exim)
id 1gXpvH-0005IM-Oq
for ; Fri, 14 Dec 2018 11:02:43 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=influxstudios.com; s=dkim; h=Sender:Content-Type:MIME-Version:Subject:
Message-ID:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=p1wwRefdnYdqylFM8RVmLDIlLlG1bz2oqj0J+/emkS8=; b=jXK7yZsJ83Y1FtBVrQLSTmBXLQ
bKErRjo16KffHIw49REshfDYe/zaL1pGhXMTpfZEVQKG1BqTgMWDR1pFKLZvHxlrAMJKRc/RATTZG
bvPQHbk1rAeqbaL23oUiEcApGi1+KWkj+hRLFOtyRfwkISGbeNyi5oL8F/UFlaO/ioA3o7D2EYa/0
3EY3ormO39wpbjI4xuAq3DOS0xeBY391374FhJ5ihqTUxtsQoH461IiaYtg1ECcuWdFEZ87BDNmQh
U4NAdOEMLtZOIrnJFqle4e4tDNVEyZnK7g9jdCxTlDsEx17n4TA5ir01c5yMiKxAqrBlou5NuxvO0
fyyeYKfA==;
Received: from [10.115.3.31] (helo=bosimpout11)
by bosmailscan03.eigbox.net with esmtp (Exim)
id 1gXpvH-0004id-LW
for ; Fri, 14 Dec 2018 11:02:43 -0500
Received: from bosauthsmtp10.yourhostingaccount.com ([10.20.18.10])
by bosimpout11 with
id Bs2g1z00S0D2CUy01s2jVw; Fri, 14 Dec 2018 11:02:43 -0500
X-Authority-Analysis: v=2.2 cv=FsZ1xyjq c=1 sm=1 tr=0
a=Kpo39fPXdbgqDwiI3/AEUA==:117 a=OnwNedpwbEmQjfhdaadWyA==:17
a=2ur7OfE09M0A:10 a=DdkwvKWMyH8A:10 a=4f2JbuSVAAAA:8 a=6cidbXwNAAAA:8
a=Xr9l-omSUyeDwLqkOO8A:9 a=QEXdDO2ut3YA:10 a=fop_wKec13AA:10
a=5eW-U5RUVcAA:10 a=9ee4PZrlbecA:10 a=l3g7QsRNICkA:10
a=k08_IvnJdnjDs05Epclm:22 a=SFoW15EquUWVc-jo8gTH:22
Received: from [148.202.114.117] (port=59391 helo=10.2.48.110)
by bosauthsmtp10.eigbox.net with esmtpa (Exim)
id 1gXpvE-0000p0-G8
for ; Fri, 14 Dec 2018 11:02:40 -0500
Date: Fri, 14 Dec 2018 10:02:42 -0600
From: Don Shadrake <>
To:
Message-ID: <>
Subject: 060272 Survey questions
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_45719_2118882677.5581344372213795066"
X-EN-UserInfo: fcc5039dbf79a75bed105a838f69c3ce:931c98230c6409dcc37fa7e93b490c27
X-EN-AuthUser:
Sender: Don Shadrake <>
X-EN-OrigIP: 148.202.114.117
X-EN-OrigHost: unknown
Return-Path: [email protected]
X-MS-Exchange-Organization-Network-Message-Id: 35ad7f32-e077-477a-2f5b-08d661dd94c4
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL.DOMAIN.COM
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6411126
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1415.007
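What the Received chain above tells a defender, as an added Python example (not ORF's code and not from the thread): it unfolds the headers, finds the hop where Exim accepted the message with "esmtpa" (authenticated submission, i.e. a logged-in mailbox rather than a server-to-server relay) and applies the same HELO check Daniel describes, flagging a HELO that is an IP literal or a bare hostname instead of an FQDN. The sample is a constructed, trimmed copy of the quoted headers; the function and field names are assumptions.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the Received chain quoted above.
SAMPLE_HEADERS = """\
Received: from bosmailout06.eigbox.net (66.96.185.6) by MAIL.DOMAIN.COM
 (172.16.1.71) with Microsoft SMTP Server id 15.1.1415.2 via Frontend
 Transport; Fri, 14 Dec 2018 11:02:43 -0500
Received: from [148.202.114.117] (port=59391 helo=10.2.48.110)
 by bosauthsmtp10.eigbox.net with esmtpa (Exim)
 id 1gXpvE-0000p0-G8
 for ; Fri, 14 Dec 2018 11:02:40 -0500
X-EN-OrigIP: 148.202.114.117
"""

FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
RECEIVED_RE = re.compile(
    r"^received:\s+from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)(?:\s+\([^)]*\))?\s+with\s+(\S+)",
    re.I)


def unfold(raw):
    """Join RFC 5322 folded header lines (continuation lines start with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def is_fqdn(name):
    """True for a syntactically valid multi-label hostname; False for bare names."""
    return bool(FQDN_RE.match(name))


def find_authenticated_hop(raw):
    """Return details of the hop where the mail entered via authenticated submission
    (Exim's 'with esmtpa'), or None when the chain shows no such hop."""
    for hdr in unfold(raw):
        m = RECEIVED_RE.match(hdr)
        if not m or m.group(4).lower() != "esmtpa":
            continue
        remote, comment, by = m.group(1).strip("[]"), m.group(2) or "", m.group(3)
        helo_m = re.search(r"helo=([^\s)]+)", comment)
        helo = helo_m.group(1) if helo_m else remote
        try:
            ipaddress.ip_address(helo)
            helo_kind = "ip-literal"  # a bare IP is never an FQDN
        except ValueError:
            helo_kind = "fqdn" if is_fqdn(helo) else "bare-hostname"
        return {"remote_ip": remote, "helo": helo, "helo_kind": helo_kind,
                "submission_host": by, "suspicious": helo_kind != "fqdn"}
    return None
```

Note that the authenticated hop sits behind the provider's own outbound servers, so a DNSBL or reverse-DNS test on the connecting IP (66.96.185.6) sees a legitimate relay; the useful signals are the esmtpa hop, its original client IP and the non-FQDN HELO.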
Hello Bryon,
Could you send us (to ) your ORF configuration file (orfent.ini), the ORF log from today (i.e. orfee-2018-12-14.log) and a few spam samples (saved in .eml or .msg format) for analysis? I just want to make sure everything is set up properly and there are no technical issues before we try anything else. You can find the above-mentioned files in the ORF program directory (default: \Program Files (x86)\ORF Fusion\).
Thank you.
@Daniel Novak (Vamsoft):
Do you use ORF for your email filter too? I sent this hours ago and just got the notice back; I think you're greylisting me.
Diagnostic information for administrators:
Generating server: MAIL.domain.com
Receiving server: vamsoft.com (185.80.50.217)
Server at vamsoft.com (185.80.50.217) returned '400 4.4.7 Message delayed'
12/14/2018 8:49:36 PM - Server at vamsoft.com (185.80.50.217) returned '451 4.4.397 Error communicating with target host. -> 421 4.2.1 Unable to connect -> SocketTimedout: Socket error code 10060'
@Bryon:
We too use ORF, of course :) However, the SMTP error that you received is indicating an issue on your side, not ours. If you send us the original non-delivery report (unchanged) we may be able to help you resolve this problem. Use a third-party mail service provider (e.g. Gmail) to send us your email if necessary.
The diagnostics tool of MXToolbox.com can pinpoint the issue with your mail server (or DNS) as well: https://mxtoolbox.com/diagnostic.aspx
P.S. When ORF rejects an email due to Greylisting, it returns the following SMTP message: "4.7.1 Temporarily rejected. Try again later."
@Daniel Novak (Vamsoft): I sent these files again from a personal yahoo address on 16 Dec at 12:53pm eastern
@Bryon:
Hello Bryon,
Thank you, I have just finished reviewing them; I am going to send you a reply shortly. As for the phishing emails sent from the eigbox.net address, they were allowed to pass because an ORF administrator has explicitly whitelisted that domain - two years ago, on 11/23/2016, according to the corresponding Sender Whitelist entry in the ORF configuration.
Hello,
For the last month, we're noticing A LOT of emails claiming to be invoices, or having links because "our remittance address has changed", or asking to update an employee's ACH payroll info...
As far as I can tell, some account in the world was hacked (not on our system) and the hacker is sending emails FROM those contacts TO other contacts, hoping they'll be more trusted since they probably know each other.
However:
- the ip address is different every time (and not belonging to the FROM spoof)
- the smtp-envelope address, reply-to are all randomly different hacked accounts
- the DISPLAY NAMES are copied from the hacked contacts of the victim
- the body is never the same, nor are the links, or attachments
So:
- I can't use SPF because the from address isn't the real from address
- I can't use sender-blacklist because the from address is always random
- I can't use keyword blacklists because the bodies are all different
here's an example:
relevant headers:
Received: from mailout1.dokom.net (85.22.55.23) <-- not the real sender mx
envelope-from <> <-- not a known contact
From: [display name from contact] <> <- not a known email
to: [display name from another contact] <[email protected]>
X-Username:
Return-Path: <-- not a known email
body:
Please note our remittance has changed. Please send payment to [exact display name from contact]. Thank you for your business - we appreciate it very much.
http://lysayiti.xyz/InvoiceCodeChanges/Download/US_us/Scan
Thank you for your business - we appreciate it very much.
-
[exact correct display name from contact]
Main: 628-056.6667 Fax: 628-056.6452 <-- both of these are made up
e:[correct email address from contact]