phishing attacks

phishing attacks

ab
Hi Postfix Peeps

We seem to be getting more phishing attacks that are being clever. The address looks like it is someone internal, but the from address is not that person.

Any suggestions, postfix or otherwise, to help with these?

Thanks
Adam

Re: phishing attacks

Matus UHLAR - fantomas
On 15.01.20 15:08, Adam Barnett wrote:
>We seem to be getting more phishing attacks that are being clever. The address looks like it is someone internal, but the from address is not that person.
>
>Any suggestions, postfix or otherwise, to help with these?

Except standard anti-spam and anti-spoofing measures?
Hardly any. If possible, teach your users to verify strange requests.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
Re: phishing attacks

Dominic Raferd
On Wed, 15 Jan 2020 at 15:09, Adam Barnett <[hidden email]> wrote:
Hi Postfix Peeps
We seem to be getting more phishing attacks that are being clever. The address looks like it is someone internal, but the from address is not that person.
Any suggestions, postfix or otherwise, to help with these?

When you say 'looks like it someone internal' what *exactly* do you mean?
Re: phishing attacks

ab
The from address will be, for example

From: Jo Blogs

But the return address and return path would be a different address from what Jo Blogs's is.


I am 99% sure it is a user error, but just wondering if there was anything else to be done

Thanks



--
______________________
Adam Barnett
Systems Engineer
Double Negative
160 Great Portland Street,W1W 5QA
T: 020-7268-5000
[ http://www.dneg.com/ | www.dneg.com ]
______________________

Re: phishing attacks

Dominic Raferd


On Wed, 15 Jan 2020 at 15:20, Adam Barnett <[hidden email]> wrote:
The from address will be, for example

From: Jo Blogs

But the return address and return path would be a different address from what Jo Blogs's is.


I am 99% sure it is a user error, but just wondering if there was anything else to be done

There is plenty that can be done with header_checks (based on one header at a time) but it depends on exactly what you are seeing, and you haven't provided a full From header. Is the email address in the From header being faked as well as the text, or only the text? For multi-header rules (e.g. combination of From: and Reply-To:) you need something like postfwd / spamassassin / mimedefang(?)

I don't see actual email addresses of our domains being faked in From headers, but that's because we use DMARC with p=reject. But I do see the text being faked, including inserting our names or a fake email address (i.e. one of ours) before the real (foreign) address. I trap these.
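As an added example, not code from the thread or from Postfix, the two display-name checks Dominic describes expressed in Python: a fake address of ours inserted before the real foreign address, and one of our names in front of a foreign address. The domain example.com, the staff name list and the sample headers are constructed assumptions; the pcre comment sketches how the first check would look as a header_checks rule.

```python
# Added example (not from the thread): display-name spoofing checks.
# Only the From: header is examined, which is what header_checks can do
# one header at a time; combining From: and Reply-To: needs a milter.
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                 # assumption: our domain
INTERNAL_NAMES = {"jo blogs", "adam barnett"}   # assumption: staff directory

# Anything that looks like an address, used to scan the display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)


def classify_from(header_value):
    """Return (verdict, reason) for a raw From: header value.

    verdict is "pass" or "trap"; "trap" means quarantine or tag, not
    reject, since a real person elsewhere may share the name.
    """
    name, addr = parseaddr(header_value)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    if addr_domain == INTERNAL_DOMAIN:
        # The real address is ours: that case is what DMARC p=reject covers.
        return "pass", "internal address; covered by SPF/DKIM/DMARC"

    # Check 1: one of our addresses placed in the display name, e.g.
    #   From: "jo.blogs@example.com" <attacker@evil.example>
    # Roughly the same test as a header_checks pcre rule such as
    #   /^From:.*@example\.com.*<[^@>]+@(?!example\.com)[^>]+>/ HOLD
    for fake in ADDR_RE.findall(name):
        if fake.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
            return "trap", f"display name carries {fake}, real address is {addr}"

    # Check 2: a staff member's name in the display name, foreign address.
    norm = " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())
    if any(f" {n} " in f" {norm} " for n in INTERNAL_NAMES):
        return "trap", f"display name '{name}' is one of ours, address is {addr}"

    return "pass", "no display-name mismatch"


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    for sample in ('Jo Blogs <jo.blogs@example.com>',
                   '"jo.blogs@example.com" <attacker@evil.example>',
                   'Jo Blogs <jblogs1234@mail.example.net>',
                   'Newsletter <news@vendor.example>'):
        print(classify_from(sample), "<-", sample)
```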
Re: phishing attacks

ab
Thanks, I will look into it.

Re: phishing attacks

Matus UHLAR - fantomas
On 15.01.20 15:20, Adam Barnett wrote:
>The from address will be, for example
>
>From: Jo Blogs
>
>But the return address and return path would be a different address from what Jo Blogs's is.

>I am 99% sure it is a user error, but just wondering if there was anything else to be done

Unless there's only one Jo Blogs in the world, there's a possibility a real Jo
Blogs is sending the mail, just not the one you may think.
Blocking the mail might be bad.

This is why I recommend verifying strange/suspicious requests.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
My mind is like a steel trap - rusty and illegal in 37 states.