Spoofed from/to from hacked accounts - how to deal with? RSS

1

Hello,

For the last month, we're noticing A LOT of emails claiming to be invoices, or having links because "our remittance address has changed", or asking to update an employees ACH payroll info...

As far as i can tell, some account in the world was hacked (not on our system) and the hacker is sending emails FROM those contacts TO other contacts, hoping they'll be more trusted since they probably know each other.

However:
- the ip address is different every time (and not belonging to the FROM spoof)
- the smtp-envelope address, reply-to are all randomly different hacked accounts
- the DISPLAY NAMES are copied from the hacked contacts of the victim
- the body is never the same, nor are the links, or attachments

So:
- i can't use SPF because the from address isn't the real from address
- i can't use sender-blacklist because the from address is always random
- i can't use keyword blacklists because the bodies are all different

here's an example:
relevent headers:
Received: from mailout1.dokom.net (85.22.55.23) <-- not the real sender mx
envelope-from <-- not a known contact
From: [display name from contact] <- not a known email
to: [display name from another contact]
X-Username:
Return-Path: <-- not a known email

body:
Please note our remittance has changed. Please send payment to [exact display name from contact]. Thank you for your business - we appreciate it very much.

http://lysayiti.xyz/InvoiceCodeChanges/Download/US_us/Scan

Thank you for your business - we appreciate it very much.

-

[exact correct display name from contact]
Main: 628-056.6667 Fax: 628-056.6452 <-- both of these are made up
e:[correct email address from contact]

by Bryon 4 months ago
2

Hi Bryon,

I did recognize that too. I followed the advice to configure the clamAV external Agent and enabled the macroblocking in it. So no more malicious files are getting through to the users.
https://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-1
https://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2

HTH
Norbert

by NorbertFe 4 months ago
3

@Bryon: Hello Bryon,

Besides connecting ClamAV to ORF - as suggested by Norbert - I would recommend the following:

+ Make sure you have the recommended DNSBLs and SURBLs enabled: https://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents

+ Blacklist the email if the sending server does not identify itself (in the EHLO/HELO command) using a fully qualified domain name. Compromised servers and workstations tend to use their own hostname as is, which is often not an FQDN. (Blacklists > HELO Blacklist > "Is not a ... FQDN")

+ Blacklist the email if the sending server does not have an MX record or its IP address cannot be resolved into a domain name. Both of these are requirements for legitimate mail exchangers.(Blacklists > Reverse DNS Test > "The sender domain must have a DNS MX record (strict check)" + "Enable Sender IP Reverse Name Validation")

+ If you have not done so already, enable Greylisting (Blacklists > Greylisting) and change its default settings:

> Disable the “Accept delivery retries from the same /24 subnet” option; needs to be done to stop more sophisticated spammers

> Disable the “Skip Greylisting if the sender explicitly passes the SPF Test” option; this is crucial, as spammer too can publish valid SPF records for their domains.

> Add large organizations that are known for using load balancing for outbound emails (which breaks Greylisting) to the Sender/IP Exception list of Greylisting; Send us an email to to receive an up-to-date list that you can import into ORF.

> Increase the “Reject unknown senders for” value to 180 - 240 seconds; to fend off more persistent spammers

> Increase the “Record lifetime” value to 168 - 336 hours; this way ORF will “remember” legitimate senders much longer, so their emails will be delayed far less often.

+ Enable the Auto Sender Whitelist and assign it to both filtering points to mitigate the delay introduced to legitimate emails by Greylisting. (Whitelists > Auto Sender Whitelist)

I hope the above will prove helpful to you.

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)

4

@Daniel Novak (Vamsoft): Hi Daniel, this is great info. Most of these settings we already have in place but i have edited some based on your awesome list

We'll see how it goes!

by Bryon 4 months ago
(in reply to this post)

5

@Bryon: Here's an example that just came in... can you help me block these? The sender address is always different, as is the ip address, and the spam link inside... i guess clam didnt catch this url, nor did any of the subscribed dnsbl's

It looks very much like it was sent from an authenticated hacked account on eigbox

image: [IMG]http://i66.tinypic.com/24w9cts.png[/IMG]
http://i66.tinypic.com/24w9cts.png

headers follow - i replaced our domain with DOMAIN.COM

Received: from MAIL.DOMAIN.COM (172.16.1.71) by MAIL.DOMAIN.COM
(172.16.1.71) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2 via Mailbox
Transport; Fri, 14 Dec 2018 11:02:43 -0500
Received: from MAIL.DOMAIN.COM (172.16.1.71) by MAIL.DOMAIN.COM
(172.16.1.71) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2; Fri, 14 Dec
2018 11:02:43 -0500
Received: from bosmailout06.eigbox.net (66.96.185.6) by MAIL.DOMAIN.COM
(172.16.1.71) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2 via Frontend
Transport; Fri, 14 Dec 2018 11:02:43 -0500
Received: from bosmailscan03.eigbox.net ([10.20.15.3])
by bosmailout06.eigbox.net with esmtp (Exim)
id 1gXpvH-0005IM-Oq
for ; Fri, 14 Dec 2018 11:02:43 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=influxstudios.com; s=dkim; h=Sender:Content-Type:MIME-Version:Subject:
Message-ID:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=p1wwRefdnYdqylFM8RVmLDIlLlG1bz2oqj0J+/emkS8=; b=jXK7yZsJ83Y1FtBVrQLSTmBXLQ
bKErRjo16KffHIw49REshfDYe/zaL1pGhXMTpfZEVQKG1BqTgMWDR1pFKLZvHxlrAMJKRc/RATTZG
bvPQHbk1rAeqbaL23oUiEcApGi1+KWkj+hRLFOtyRfwkISGbeNyi5oL8F/UFlaO/ioA3o7D2EYa/0
3EY3ormO39wpbjI4xuAq3DOS0xeBY391374FhJ5ihqTUxtsQoH461IiaYtg1ECcuWdFEZ87BDNmQh
U4NAdOEMLtZOIrnJFqle4e4tDNVEyZnK7g9jdCxTlDsEx17n4TA5ir01c5yMiKxAqrBlou5NuxvO0
fyyeYKfA==;
Received: from [10.115.3.31] (helo=bosimpout11)
by bosmailscan03.eigbox.net with esmtp (Exim)
id 1gXpvH-0004id-LW
for ; Fri, 14 Dec 2018 11:02:43 -0500
Received: from bosauthsmtp10.yourhostingaccount.com ([10.20.18.10])
by bosimpout11 with
id Bs2g1z00S0D2CUy01s2jVw; Fri, 14 Dec 2018 11:02:43 -0500
X-Authority-Analysis: v=2.2 cv=FsZ1xyjq c=1 sm=1 tr=0
a=Kpo39fPXdbgqDwiI3/AEUA==:117 a=OnwNedpwbEmQjfhdaadWyA==:17
a=2ur7OfE09M0A:10 a=DdkwvKWMyH8A:10 a=4f2JbuSVAAAA:8 a=6cidbXwNAAAA:8
a=Xr9l-omSUyeDwLqkOO8A:9 a=QEXdDO2ut3YA:10 a=fop_wKec13AA:10
a=5eW-U5RUVcAA:10 a=9ee4PZrlbecA:10 a=l3g7QsRNICkA:10
a=k08_IvnJdnjDs05Epclm:22 a=SFoW15EquUWVc-jo8gTH:22
Received: from [148.202.114.117] (port=59391 helo=10.2.48.110)
by bosauthsmtp10.eigbox.net with esmtpa (Exim)
id 1gXpvE-0000p0-G8
for ; Fri, 14 Dec 2018 11:02:40 -0500
Date: Fri, 14 Dec 2018 10:02:42 -0600
From: Don Shadrake
To:
Message-ID:
Subject: 060272 Survey questions
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_45719_2118882677.5581344372213795066"
X-EN-UserInfo: fcc5039dbf79a75bed105a838f69c3ce:931c98230c6409dcc37fa7e93b490c27
X-EN-AuthUser:
Sender: Don Shadrake
X-EN-OrigIP: 148.202.114.117
X-EN-OrigHost: unknown
Return-Path: SRS0=0CjsjX=OX=influxstudios.com=
X-MS-Exchange-Organization-Network-Message-Id: 35ad7f32-e077-477a-2f5b-08d661dd94c4
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL.DOMAIN.COM
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6411126
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1415.007

by Bryon 4 months ago
(in reply to this post)

6

Hello Bryon,

Could you send us (to ) your ORF configuration file (orfent.ini), the ORF log from today (i.e. orfee-2018-12-14.log) and a few spam samples (saved in .eml or .msg format) for analysis? I just want to make sure everything is set up properly and there are no technical issues before we try anything else. You can find the above mentioned files in the ORF program directory (default: \Program Files (x86)\ORF Fusion\)

Thank you.

by Daniel Novak (Vamsoft) 4 months ago
7

@Daniel Novak (Vamsoft): Sure thing, on the way in 5-10 mins

by Bryon 4 months ago
(in reply to this post)

8

@Daniel Novak (Vamsoft): Do you use ORF for your email filter too? I sent this hours ago and just got the notice back, i think you're greylisting me

Diagnostic information for administrators:
Generating server: MAIL.domain.com
Receiving server: vamsoft.com (185.80.50.217)


Server at vamsoft.com (185.80.50.217) returned '400 4.4.7 Message delayed'
12/14/2018 8:49:36 PM - Server at vamsoft.com (185.80.50.217) returned '451 4.4.397 Error communicating with target host. -> 421 4.2.1 Unable to connect -> SocketTimedout: Socket error code 10060'

by Bryon 4 months ago
(in reply to this post)

9

@Bryon: We too use ORF, of course :) However, the SMTP error that you received is indicating an issue on your side, not ours. If you send us the original non-delivery report (unchanged) we may be able to help you resolve this problem. Use a third-party mail service provider (e.g. Gmail) to send us your email if necessary.

The diagnostics tool of MXToolbox.com can pinpoint the issue with your mail server (or DNS) as well: https://mxtoolbox.com/diagnostic.aspx

P.S. When ORF rejects an email due to Greylisting, it returns the following SMTP message: "4.7.1 Temporarily rejected. Try again later."

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)

10

@Daniel Novak (Vamsoft): I sent these files again from a personal yahoo address on 16 Dec at 12:53pm eastern

by Bryon 4 months ago
(in reply to this post)

11

@Bryon: Hello Bryon,

Thank you, I have just finished reviewing them; I am going to send you a reply shortly. As for the phishing emails sent from the eigbox.net address, they were allowed to pass because an ORF administrator has explicitly whitelisted that domain - two years ago, on 11/23/2016, according to corresponding Sender Whitelist entry in the ORF configuration.

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed