The "from" header looks like paypal but it is coming from somewhere else.

P.V.Anthony
Hi,

Just got a scam email that looks like it is from paypal.

It passed dkim and spf.

     dkim=pass (1024-bit key) header.d=service2.sdmone.email
header.i=[hidden email] header.b="adXLiw9w";
     dkim=pass (1024-bit key) header.d=mandrillapp.com
header.i=@mandrillapp.com header.b="JsfO1hqx"

spf=pass (sender SPF authorized) smtp.mailfrom=mandrillapp.com
(client-ip=198.2.187.23;

The scammer used the following in the "from" header and looked like a
good email.

From: =?utf-8?Q?service=40paypaI=2Ecom=2Esg?= <[hidden email]>

So the email looked like coming from [hidden email]

Are there any tools that can change the subject and add [scam], or even
block this type of email?

--
P.V.Anthony


Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

Sebastian Nielsen
The problem here is that DKIM isn't aligned to paypal.com
Enforce strict DKIM alignment on sensitive domains like paypal


Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

lists@lazygranch.com
That is the mailchimp server (technically rocketsciencegroup.com). So has the email originator figured out some sort of unintended use of mailchimp?



From: Sebastian Nielsen
Sent: Thursday, February 9, 2017 2:24 AM
Subject: Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

The problem here is that DKIM isn't aligned to paypal.com
Enforce strict DKIM alignment on sensitive domains like paypal

Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

Dominic Raferd


On 9 Feb 2017 12:53, <[hidden email]> wrote:
That is the mailchimp server. (Technically rocketsciencegroup.com) So has the email originator figured out some sort of unintended use of mailchimp? 



From: Sebastian Nielsen
Sent: Thursday, February 9, 2017 2:24 AM
Subject: Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

The problem here is that DKIM isn't aligned to paypal.com
Enforce strict DKIM alignment on sensitive domains like paypal
I don't think this is a DKIM issue. A bespoke regex as check_header should be able to trap this specific faking attempt - if it relates as I think to the internal From header not the envelope sender (client).

More generally, are there legitimate cases where a sender shows a different but apparently valid email address as the (whole) to text of the From compared with the actual address which follows it? If not, can a pcre regex match such situations or is something more sophisticated needed?

Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

Sebastian Nielsen
It is a DKIM issue. Google "strict DKIM alignment"

This is something usually defined in DMARC, but you could have a local definition that forces strict DKIM alignment for sensitive domains, like "all domains containing *paypal* or *bank*".

Dominic Raferd <[hidden email]> wrote: (9 February 2017 12:11:11 CET)


On 9 Feb 2017 12:53, <[hidden email]> wrote:
That is the mailchimp server. (Technically rocketsciencegroup.com) So has the email originator figured out some sort of unintended use of mailchimp? 



From: Sebastian Nielsen
Sent: Thursday, February 9, 2017 2:24 AM
Subject: Re: The "from" header looks like paypal but it is coming from somewhere else. [signed]

The problem here is that DKIM isn't aligned to paypal.com
Enforce strict DKIM alignment on sensitive domains like paypal
I don't think this is a DKIM issue. A bespoke regex as check_header should be able to trap this specific faking attempt - if it relates as I think to the internal From header not the envelope sender (client).

More generally, are there legitimate cases where a sender shows a different but apparently valid email address as the (whole) to text of the From compared with the actual address which follows it? If not, can a pcre regex match such situations or is something more sophisticated needed?


Re: The "from" header looks like paypal but it is coming from somewhere else.

nh
In reply to this post by P.V.Anthony
I read that you think the email is made to look as if it was sent from service@paypal.com.sg, but if you change the font you can see it's not "paypal", it's "paypaI" (upper case i for the L); if you want to block this, you have to take this information into account too.

Re: The "from" header looks like paypal but it is coming from somewhere else.

lists@lazygranch.com
Not to get off on a tangent, but on my desktop and notebook computers, where I know how to change fonts, I have them set up for "monospace." That gets around the font trickery. I'm using Google Roboto mono
 
https://fonts.google.com/specimen/Roboto+Mono

I've received four fake PayPal emails in the last few days. The embedded link in the various messages are not identical, but none go to PayPal.

Incidentally, basic Google gmail only provides DKIM. Trawling the interwebs, many but not all think DKIM alone is sufficient.

  Original Message  
From: nh
Sent: Thursday, February 9, 2017 3:24 AM
To: [hidden email]
Subject: Re: The "from" header looks like paypal but it is coming from somewhere else.

I read you think the email is simulate to be sent from [hidden email]
but if you change the font, you can see it's not "paypal", it's "paypaI"
(upper case i for the L), if you want to block this, you have to take this
information too.


Re: The "from" header looks like paypal but it is coming from somewhere else.

P.V.Anthony
In reply to this post by nh
On 09/02/2017 19:23, nh wrote:
> I read you think the email is simulate to be sent from [hidden email]
> but if you change the font, you can see it's not "paypal", it's "paypaI"
> (upper case i for the L), if you want to block this, you have to take this
> information too.

Wow! I didn't catch that.

Thanks for pointing it out.

It looks like dkim will not be able to catch this.

Since it is not paypal and it is paypaI, DMARC will not catch this too.

This scammer is smart.

I wonder if there is something else that can be done.

P.V.Anthony


Re: The "from" header looks like paypal but it is coming from somewhere else.

Wietse Venema
In reply to this post by P.V.Anthony
P.V.Anthony:
> Hi,
>
> Just got an scam email that looks like from paypal.
> From: =?utf-8?Q?service=40paypaI=2Ecom=2Esg?= <[hidden email]>

Note that the From: address is <[hidden email]>.

> It passed dkim and spf.

No surprise. DKIM checks the above From: address, and finds that
the message was really sent from the sdmone.email domain.

The trick is that they used a NON-ADDRESS field in the header to
suggest that email is from paypal. Trickery like this, an email
address in a display field, should be easy to catch with a content
filter.

        Wietse

Re: The "from" header looks like paypal but it is coming from somewhere else.

Noel Jones-2
In reply to this post by P.V.Anthony
On 2/9/2017 6:27 AM, P.V.Anthony wrote:
> Since it is not paypal and it is paypaI, DMARC will not catch this too.
>
> This scammer is smart.
>
> Wonder is there something else that can be done.
>


You can use a header check.  I don't imagine there's much legit mail
with "paypai.com" in the From: header, so this is probably safe.

/^From: .*paypai(\.|=2E)com/   REJECT paypai imposter



  -- Noel Jones

Re: The "from" header looks like paypal but it is coming from somewhere else.

P.V.Anthony
On 09/02/2017 23:55, Noel Jones wrote:

> You can use a header check.  I don't imagine there's much legit mail
> with "paypai.com" in the From: header, so this is probably safe.
>
> /^From: .*paypai(\.|=2E)com/   REJECT paypai imposter

What if the header checked for "=2E" or "?utf-8?Q?" ?
This way other fictitious domains will also be rejected.

I am not a coder but something like this.
/^From: .*(=\?utf-8\?Q\?|=2E)/   REJECT imposter

Since the email contains the following.

From: =?utf-8?Q?service=40paypaI=2Ecom=2Esg?= <[hidden email]>

What do you all think about that?

P.V.Anthony


Re: The "from" header looks like paypal but it is coming from somewhere else.

Noel Jones-2
On 2/9/2017 10:27 AM, P.V.Anthony wrote:

> On 09/02/2017 23:55, Noel Jones wrote:
>
>> You can use a header check.  I don't imagine there's much legit mail
>> with "paypai.com" in the From: header, so this is probably safe.
>>
>> /^From: .*paypai(\.|=2E)com/   REJECT paypai imposter
>
> What if the header checked for "=2E" or "?utf-8?Q?" ?
> This way other fictitious domains will also be rejected.
>
> I am not a coder but something like this.
> /^From: .*(=\?utf-8\?Q\?|=2E)/   REJECT imposter
>
> Since the email contains the following.
>
> From: =?utf-8?Q?service=40paypaI=2Ecom=2Esg?=
> <[hidden email]>
>
> What do you all think about that?
>
> P.V.Anthony
>
>


An encoded From: does not automatically mean spam, especially from
non-English speakers.  I expect it would reject a significant amount
of legit mail.  If you're curious, you can try it with WARN or HOLD
for a while to see how it performs for you.




  -- Noel Jones

Re: The "from" header looks like paypal but it is coming from somewhere else.

Uwe Drießen
In reply to this post by P.V.Anthony
On behalf of P.V.Anthony
> Since the email contains the following.
>
> From: =?utf-8?Q?service=40paypaI=2Ecom=2Esg?=
> <[hidden email]>
>
> What do you all think about that?
>
> P.V.Anthony
>

Perhaps


if /^From:.*paypal/
# reject unless the addr-spec is in paypal.de, paypal.com or one of their subdomains
# (lines inside if/endif must not be indented: leading whitespace continues the previous line)
if !/<[^@>]+@([^@>]+\.)?paypal\.(de|com)>$/
/^/     REJECT Your Mailaccount was hacked
endif
endif





Kind regards

Uwe Drießen
--
Software & Computer

Networks, servers.
We network you and your computers!

Uwe Drießen
Lembergstraße 33
67824 Feilbingert

Tel.: 06708660045


Re: The "from" header looks like paypal but it is coming from somewhere else.

/dev/rob0
In reply to this post by P.V.Anthony
On Thu, Feb 09, 2017 at 06:16:36PM +0800, P.V.Anthony wrote:

> Just got an scam email that looks like from paypal.
>
> It passed dkim and spf.
>
>     dkim=pass (1024-bit key) header.d=service2.sdmone.email
> header.i=[hidden email] header.b="adXLiw9w";
>     dkim=pass (1024-bit key) header.d=mandrillapp.com
> header.i=@mandrillapp.com header.b="JsfO1hqx"
>
> spf=pass (sender SPF authorized) smtp.mailfrom=mandrillapp.com
> (client-ip=198.2.187.23;

This appears to be from Mailchimp, so reporting it as abuse is likely
to yield some satisfactory results.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: The "from" header looks like paypal but it is coming from somewhere else.

P.V.Anthony
On 11/02/2017 10:38, /dev/rob0 wrote:

> This appears to be from Mailchimp, so reporting it as abuse is likely
> to yield some satisfactory results.

Thanks to everyone for the advice.

P.V.Anthony