Spoofed "From:" (From: and To: same)

Discussion forum for Enterprise Edition.
227ths
Posts: 6
Joined: Wed May 02, 2018 9:14 pm

Spoofed "From:" (From: and To: same)

Post by 227ths » Wed May 15, 2019 3:22 pm

We are getting 'extortion' type spam coming in from random IPs that are not whitelisted or allowed relaying.

The format is always the same:

1. They use an inline image of text (so email body text cannot be scanned for spam content). How can I spam block this?
2. They always use the SAME From: and To: (MAIL FROM/return path is NOT local, though)
3. Subject line is always the username part of email address (the user being sent to)

-> From: <someone@mydomain.com>
-> To: someone@mydomain.com
-> Subject: someone
-> Mail From/Return Path/X-Envelope-Sender: someone-else@3rdpartydomain.com
Header Example:

Received-SPF: pass (mydomain.com: domain of 100pceffective.com designates 5.77.56.20 as permitted sender)
	client-ip=5.77.56.20
Received: from www.100pceffective.com ([5.77.56.20]) by mydomain.com with
 MailEnable ESMTPS (version=TLS1 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256); Wed, 15 May 2019 06:43:18 +0000
Received: from [a96.sub16.net78.udm.net] (a96.sub16.net78.udm.net [78.85.16.96]) by www.100pceffective.com with SMTP;
   Wed, 15 May 2019 07:24:30 +0100
Feedback-ID: dibfz8o7tboyh3190560e6jn5g2vxse1x75ggcvyc4ixhmg:none:tyzuzln
List-Unsubscribe:
 <https://100pceffective.com/unsubscribe/fu/98041/gzow8qpksppw8js3u45rw5cnclk8xdpeuawkn527d8qzmu5qgq7ma9t3yx8oqcpl/647176637>
List-Help: <mailto:abuse@100pceffective.com>
Date: Wed, 15 May 2019 08:24:50 +0200
X-Priority: Critical
Message-ID: <p2jzqpbsngsg7ao$ijb3dd07secof5n$rba5f@f6wykjdlrfil>
X-Sender-Info: <peter.sammons@100pceffective.com>
To: user1@mydomain.com
Content-Type: multipart/related;
 boundary="3E9E4386CCAAF-23783AD11D0E-17ABE5EF4D2-02667A1FC-18A525BFF4422AE6"
MIME-Version: 1.0
Subject: user1
From: <user1@mydomain.com>
X-ME-CountryOrigin: GB
X-Envelope-Sender: peter.sammons@100pceffective.com
X-ME-Bayesian: 40.000000
Return-Path: <peter.sammons@100pceffective.com>
Logs:

05/15/19 06:43:17	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20			220 mydomain.com ESMTP MailEnable Service, Version: 10.20--10.20 ready at 05/15/19 06:43:16	94	0		
05/15/19 06:43:17	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	EHLO	EHLO www.100pceffective.com	250-mydomain.com [5.77.56.20], this server offers 7 extensions	269	29		
05/15/19 06:43:17	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	STARTTLS			24	10		
05/15/19 06:43:17	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	STARTTLS	STARTTLS		24	10		
05/15/19 06:43:17	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	EHLO	EHLO www.100pceffective.com	250-mydomain.com [5.77.56.20], this server offers 6 extensions	161	29		
05/15/19 06:43:17	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	MAIL	MAIL FROM:<peter.sammons@100pceffective.com> SIZE=243626	250 Requested mail action okay, completed	43	58		
05/15/19 06:43:18	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	RCPT	RCPT TO:<user1@mydomain.com>	250 Requested mail action okay, completed	43	34		
05/15/19 06:43:18	SMTP-IN	9CFCA5BD09AC4ED3A072AE994D61BB54.MAI	2036	5.77.56.20	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	46	6		
05/15/19 06:43:19	SMTP-IN	ABEBD9C02FD04ACF9BE3AC128C01B426.MAI	2036	5.77.56.20	QUIT	QUIT	221 Service closing TLS SSL transmission session	50	6

2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 EHLO EHLO+www.100pceffective.com 250-mydomain.com+[5.77.56.20],+this+server+offers+7+extensions mydomain-MAIL 269 29 - 
2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 STARTTLS STARTTLS - mydomain-MAIL 24 10 - 
2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 EHLO EHLO+www.100pceffective.com 250-mydomain.com+[5.77.56.20],+this+server+offers+6+extensions mydomain-MAIL 161 29 - 
2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 MAIL MAIL+FROM:<peter.sammons@100pceffective.com>+SIZE=243626 250+Requested+mail+action+okay,+completed mydomain-MAIL 43 58 - 
2019-05-15 06:43:18 5.77.56.20 SMTP-IN mydomain.com 10.148.127.237 2036 RCPT RCPT+TO:<user1@mydomain.com> 250+Requested+mail+action+okay,+completed mydomain-MAIL 43 34 - 
2019-05-15 06:43:18 5.77.56.20 SMTP-IN mydomain.com 10.148.127.237 2036 DATA DATA 354+Start+mail+input;+end+with+<CRLF>.<CRLF> mydomain-MAIL 46 6 - 
2019-05-15 06:43:19 5.77.56.20 SMTP-IN mydomain.com 10.148.127.237 2036 DATA DATA 354+Start+mail+input;+end+with+<CRLF>.<CRLF> mydomain-MAIL 43 243582 - 
2019-05-15 06:43:19 5.77.56.20 SMTP-IN - 10.148.127.237 2036 QUIT QUIT 221+Service+closing+TLS+SSL+transmission+session mydomain-MAIL 50 6 -
Settings seem fine to me - am I missing something?
[Screenshot attachment ME-Forum-Post-spoof-from-2019-05-15_101653.png: SMTP Properties/Security]

Please let me know why these emails are still getting through to our users.
[Attachment 1557908690619.jpg: "Non-Text text - cannot be scanned."]

kiamori
Posts: 210
Joined: Wed Nov 04, 2009 1:39 am

Re: Spoofed "From:" (From: and To: same)

Post by kiamori » Thu May 16, 2019 3:42 am

They are using the envelope sender function to get past the no-spoofing function. You can block based on envelope sender; however, you will likely have many issues with email list services. The best solution is to use a DNSBL like 0spam.org, which blocks many of these types of senders.
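As an added example (not from any post in this thread), the checks below put the pattern 227ths describes and kiamori's explanation into code: the visible From: claims the local domain while the envelope sender (Return-Path / X-Envelope-Sender) belongs to a third party, so the relay check never fires and the "Received-SPF: pass" only vouches for the envelope domain. It assumes `mydomain.com` is the server's only local domain and uses a trimmed, constructed copy of the quoted headers.

```python
import email
import email.utils
from email import policy

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: the domains this server hosts

# Constructed sample: a trimmed copy of the headers quoted in the first post.
SPOOFED = """\
Received-SPF: pass (mydomain.com: domain of 100pceffective.com designates 5.77.56.20 as permitted sender)
To: user1@mydomain.com
Subject: user1
From: <user1@mydomain.com>
X-Envelope-Sender: peter.sammons@100pceffective.com
Return-Path: <peter.sammons@100pceffective.com>
"""

# Constructed sample: an external newsletter whose header From matches its envelope domain.
LEGIT = """\
To: user1@mydomain.com
Subject: May update
From: News <news@example.net>
Return-Path: <bounce@example.net>
"""

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw: str) -> dict:
    """Evaluate the self-spoof tells from the thread on one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr_from = email.utils.parseaddr(str(msg.get("From", "")))[1]
    hdr_to = email.utils.parseaddr(str(msg.get("To", "")))[1]
    envelope = email.utils.parseaddr(str(msg.get("Return-Path") or msg.get("X-Envelope-Sender", "")))[1]
    subject = str(msg.get("Subject", "")).strip()
    return {
        # Header From claims our domain while MAIL FROM is a third party: the no-spoofing check
        # sees only the envelope, and "Received-SPF: pass" vouches for 100pceffective.com, not for us.
        "from_claims_local": domain_of(hdr_from) in LOCAL_DOMAINS,
        "envelope_not_local": domain_of(envelope) not in LOCAL_DOMAINS,
        # The two cosmetic tells from the first post.
        "from_to_identical": hdr_from.lower() == hdr_to.lower(),
        "subject_is_localpart": subject.lower() == hdr_to.rpartition("@")[0].lower(),
    }

def is_self_spoof(raw: str) -> bool:
    # Forwarders and list services also produce a local From with an external envelope
    # (kiamori's caveat), so use this to score or quarantine rather than hard-reject.
    ind = spoof_indicators(raw)
    return ind["from_claims_local"] and ind["envelope_not_local"]
```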

rfwilliams777
Posts: 1305
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Spoofed "From:" (From: and To: same)

Post by rfwilliams777 » Mon May 20, 2019 1:54 am

You can also set up a filter where the body states something consistent with that junk, and any time any emails match (even if it is not them), they get deleted.
Robert Williams, Owner
www.WWSHosting.net

kiamori
Posts: 210
Joined: Wed Nov 04, 2009 1:39 am

Re: Spoofed "From:" (From: and To: same)

Post by kiamori » Thu May 30, 2019 2:32 am

That's a good suggestion, and we do that, but it does not work 100% since they are always changing the wording of these, and it takes a lot of work to keep it constantly updated.

We use a rule:

FilterResult=0
' Phrase list is kept in an external pattern file so it can be updated without editing the filter
If CriteriaMet([ME_SUBJECT],"<REFERENCE><FILE>FraudPhrases.txt</FILE><PATH>X:\ME\Config\Filters\Patterns</PATH></REFERENCE>") OR _
   CriteriaMet([ME_BODY],"<REFERENCE><FILE>FraudPhrases.txt</FILE><PATH>X:\ME\Config\Filters\Patterns</PATH></REFERENCE>") Then
  FilterResult=1
End If

Then mark it as junk.

This catches maybe 70% of them.

delta2
Posts: 40
Joined: Mon Dec 20, 2004 7:25 am

Re: Spoofed "From:" (From: and To: same)

Post by delta2 » Thu May 30, 2019 7:10 am

The following gets a lot of this stuff for me ...

' Only unauthenticated senders are examined; authenticated (relaying) users are left alone
If ([ME_SENDERAUTH] = 0) Then
    ' Plain-text variants of these mails are small
    If [ME_SIZE] < 20000 Then
      If ( CriteriaMet([ME_BODY],"Bitcoin*") _
        OR CriteriaMet([ME_BODY],"Bitcoin") _
        OR CriteriaMet([ME_BODY],"*bitcoin*") ) Then
        ' A payment demand alone is not enough; require one of the usual threat words as well
        If (CriteriaMet([ME_BODY],"keylogger")  _
          OR CriteriaMet([ME_BODY],"portafoglio") _
          OR CriteriaMet([ME_BODY],"*asturbat*") _
          OR CriteriaMet([ME_BODY],"*sexy*") _
          OR CriteriaMet([ME_BODY],"trojan") _
          OR CriteriaMet([ME_BODY],"darknet") _
          OR CriteriaMet([ME_BODY],"hack*") _
          OR CriteriaMet([ME_SUBJECT],"hack*") _
          OR CriteriaMet([ME_HEADERS_CONTAIN],"*hack*") _
          OR CriteriaMet([ME_BODY],"attaccato") _
          OR CriteriaMet([ME_BODY],"xxx") _
          OR CriteriaMet([ME_BODY],"wallet") _
          OR CriteriaMet([ME_BODY],"wallet:") ) Then
          FilterResult=1
          MEResultData = "[08-02] ""bitcoin + keylogger etc"" 1-20K (" & [ME_SIZE] & "b) %POSTOFFICE%  %SENDER%  %RECIPIENTS%"
        End If
      ElseIf CriteriaMet([ME_BODY],"*cG9ybm8*") _
          OR CriteriaMet([ME_BODY],"*JpdGNvaW*")  _
          OR CriteriaMet([ME_BODY],"*IChwb3Ju*")  _
          OR CriteriaMet([ME_BODY],"*aGFja2Vk*")  _
          OR CriteriaMet([ME_BODY],"*cGF5bWVud*")  _
          OR CriteriaMet([ME_BODY],"*IHdhbGxldC*")  _
          OR CriteriaMet([ME_BODY],"*cGl4ZWw*") Then
          ' Same words hidden in a base64-encoded body; the fragments are base64 of
          ' "porno", "bitcoin", " (porn", "hacked", "payment", " wallet" and "pixel"
          FilterResult=1
          MEResultData = "[08-03] ""bitcoin hack base64"" 1-20K (" & [ME_SIZE] & "b) %POSTOFFICE%  %SENDER%  %RECIPIENTS%"
      End If
    End If

    ' Base64 of HTML beginning "-->t&#820": a comment close plus numeric character
    ' entities, used to break words up so plain keyword filters miss them
    If (([ME_SIZE] >23000) And ([ME_SIZE] < 40000)) Then
      If CriteriaMet([ME_BODY],"*LS0+dCYjODIwMzt*") Then
        FilterResult=1
        MEResultData = "[08-04] ""Double Obfus Hacked"" 23-40K (" & [ME_SIZE] & "b)"
      End If
    End If

End If ' [ME_SENDERAUTH] = 0
Stuart
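The `*JpdGNvaW*`-style patterns in delta2's script match a keyword after base64 encoding at one of the three byte alignments it can land on, which is how a filter that cannot decode the body still catches it. The following is an added example, not part of the post, that derives those fragments for any keyword and scans a wrapped base64 body with them; it assumes only the Python standard library. Some of the post's fragments carry one extra trailing character that depends on the byte following the word (for example "cG9ybm8" for "porno" followed by a space), so the strictly alignment-independent fragment is one character shorter.

```python
import base64

def base64_alignments(word: bytes) -> list[str]:
    """Base64 text fully determined by `word` at each of the three byte offsets
    (0, 1, 2) it can occupy in an encoded stream, whatever surrounds it."""
    frags = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + word).decode("ascii")
        first = -(-(8 * shift) // 6)               # first char built only from word bits
        last = (8 * (shift + len(word)) - 6) // 6  # last char built only from word bits
        frags.append(enc[first:last + 1])
    return frags

def body_matches_encoded_keyword(body: str, word: str) -> bool:
    """Scan a base64 body for `word` without decoding it, as the filter does."""
    flat = body.replace("\r", "").replace("\n", "")  # MIME wraps base64 at 76 columns
    return any(frag in flat for frag in base64_alignments(word.encode()))

# Constructed sample: a base64-encoded extortion-style body, wrapped like a MIME part
_plain = b"Send 0.5 bitcoin to my wallet within 48 hours or the video goes out"
SAMPLE_BODY = base64.encodebytes(_plain).decode("ascii")
```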