phishing from ME

phishing from ME

Christian Schmitz
Hi everyone:
        I have a small mail server with a few email accounts. The server is:
openSUSE/Postfix/Apache

Today I received a phishing email. The words, more or less, say that I was hacked, that
he knows my passwords, blah blah blah, and that I must pay in bitcoins. The email
content is 100% phishing and no real hacking, for several reasons:
        list@XXX was created only for mailing lists and no other usage
        I have no webcam
        The hacker did not use SASL to get real use of my account.
        For forum/website registrations I use mailinator.com

The curious thing is that the email seems at first to be written from me to myself. If my
email is list@xxx, the email claims to be from list@xxx.

So I started a little investigation in the log file, and it all seems that the "hacker"
does not know the passwords, because the sender did not SASL authenticate, so
the "hacker" simply spoofed the FROM field:

1) First question: how can I filter the spoofed emails? In other words, if the
sender is not authorized to send as list@xxx because this email is managed by ME.

2) Second question: how can I adjust the sender policy to block soft-fail SPF?

Thank you all.
Best regards.
Christian Schmitz

Info extra 1: LOG: /var/log/mail
connect from mmu.ac.ug[62.75.235.12]
Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
: SPF softfail (Mechanism '~all' matched): Envelope-from: [hidden email]
: handler sender_policy_framework: is decisive.
: Policy action=PREPEND Received-SPF: softfail (mmu.ac.ug: Sender is not
authorized by default to use '[hidden email]' in 'mfrom' identity, however
domain is not currently prepared for false failures (mechanism '~all'
matched)) receiver=schweb; identity=mailfrom; envelope-from="[hidden email]";
helo=xray144.theg7.com; client-ip=62.75.235.12
client=mmu.ac.ug[62.75.235.12]
message-id=<[hidden email]>
from=<[hidden email]>, size=228789, nrcpt=1 (queue active)
disconnect from mmu.ac.ug[62.75.235.12]
to=<list@XXX>, relay=virtual, delay=8, delays=6.9/0.02/0/1, dsn=2.0.0,
status=sent (delivered to maildir)
removed

Info extra 2: when I send an email I get the log of SASL authentication:
client=unknown[192.168.XX.XX], sasl_method=LOGIN, sasl_username=YYY@XXX

Info extra 3: received email header
Return-Path: <[hidden email]>
X-Original-To: list@XXX
Delivered-To: list@XXX
Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by default to
use '[hidden email]' in 'mfrom' identity, however domain is not currently
prepared for false failures (mechanism '~all' matched)) receiver=schweb;
identity=mailfrom; envelope-from="[hidden email]"; helo=xray144.theg7.com;
client-ip=62.75.235.12
Received: from xray144.theg7.com (mmu.ac.ug [62.75.235.12])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by schweb.com.ar (schweb.com.ar) with ESMTPS id 9EE12450F4
        for <[hidden email]>; Fri, 22 Mar 2019 07:41:58 -0300 (ART)
Received: from localhost (localhost [127.0.0.1])
        by xray144.theg7.com (Postfix) with ESMTP id 50A1C11A0A4A
        for <[hidden email]>; Fri, 22 Mar 2019 09:58:35 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at xray144.theg7.com
Received: from xray144.theg7.com ([127.0.0.1])
        by localhost (xray144.theg7.com [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id pFCoeEV4cz8Y for <[hidden email]>;
        Fri, 22 Mar 2019 09:58:34 +0000 (UTC)
Received: from [IP-45-237-216-17.acesstelecom.com] (unknown [168.196.195.30])
        (Authenticated sender: [hidden email])
        by xray144.theg7.com (Postfix) with ESMTPSA id 9097B11A042A
        for <[hidden email]>; Fri, 22 Mar 2019 09:58:20 +0000 (UTC)
Message-ID: <[hidden email]>
X-Sender-Info: <[hidden email]>
X-Abuse-Reports-To: <[hidden email]>
X-Mailer: ZetaMail50
Content-Type: multipart/related;
  boundary="7737CA265D6"
MIME-Version: 1.0
Errors-To: [hidden email]
To: [hidden email]
Subject: list
From: <[hidden email]>
Date: Fri, 22 Mar 2019 11:41:41 +0100
Organization: Tdmearjjqvslxt
List-ID: <93206451344121874219.mmu.ac.ug>
Status: R
X-Status: NT
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  

This is a multi-part message in MIME format

--7737CA265D6
Content-Type: multipart/alternative;
        boundary="C596CBF6D5"

--C596CBF6D5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64


--C596CBF6D5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

PGh0bWw+PGJvZHk+PGltZyBzcmM9ImNpZDphdHRfaW1nXzgyNzA1MCI+PC9ib2R5PjwvaHRtbD4N
Cg==

--C596CBF6D5--

--7737CA265D6





--
Be Free, Be Linux
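
One way to confirm from the Postfix log what the post describes (a local-domain envelope sender on a session that never SASL-authenticated), as an added example that is not part of the original post: the script below correlates smtpd `client=` lines with qmgr `from=` lines by queue ID and reports every message whose MAIL FROM is in one of your domains but whose session carried no `sasl_username=`. The log lines are constructed in the shape of the posted ones; the queue IDs and the xxx.example domain are placeholders, since the post has them masked or stripped.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# smtpd logs the connecting client once per message; the sasl_* fields are
# present only when the session authenticated.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>\S+))?"
)
# qmgr logs the envelope sender (MAIL FROM) when the message enters the queue.
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>"
)


@dataclass
class Session:
    qid: str
    client_host: str = ""
    client_ip: str = ""
    sasl_username: Optional[str] = None
    envelope_from: Optional[str] = None


def parse_postfix_log(lines: Iterable[str]) -> Dict[str, Session]:
    """Correlate smtpd and qmgr lines by queue ID; lines without one
    (connect, TLS, disconnect) are ignored."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            s = sessions.setdefault(m["qid"], Session(m["qid"]))
            s.client_host, s.client_ip = m["host"], m["ip"]
            s.sasl_username = m["user"]
            continue
        m = FROM_RE.search(line)
        if m:
            s = sessions.setdefault(m["qid"], Session(m["qid"]))
            s.envelope_from = m["sender"]
    return sessions


def sender_domain(address: str) -> str:
    """Domain part of an envelope sender; empty for the null sender '<>'."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def find_unauthenticated_local_senders(
    sessions: Dict[str, Session], local_domains: Iterable[str]
) -> List[Session]:
    """Messages whose MAIL FROM is in one of our domains but whose session
    never presented SASL credentials: the spoof pattern from the post."""
    local = {d.lower() for d in local_domains}
    return [
        s for s in sessions.values()
        if s.envelope_from is not None
        and sender_domain(s.envelope_from) in local
        and s.sasl_username is None
    ]


# Constructed sample shaped like the posted log (queue IDs and the
# xxx.example domain are placeholders; the post has them masked).
SAMPLE_LOG = """\
Mar 22 07:41:52 schweb postfix/smtpd[2101]: connect from mmu.ac.ug[62.75.235.12]
Mar 22 07:41:53 schweb postfix/smtpd[2101]: Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 22 07:41:58 schweb postfix/smtpd[2101]: 9EE12450F4: client=mmu.ac.ug[62.75.235.12]
Mar 22 07:41:59 schweb postfix/qmgr[1044]: 9EE12450F4: from=<list@xxx.example>, size=228789, nrcpt=1 (queue active)
Mar 22 08:02:10 schweb postfix/smtpd[2107]: 7A0C3450F9: client=unknown[192.168.10.20], sasl_method=LOGIN, sasl_username=yyy@xxx.example
Mar 22 08:02:10 schweb postfix/qmgr[1044]: 7A0C3450F9: from=<yyy@xxx.example>, size=1840, nrcpt=1 (queue active)
Mar 22 08:15:33 schweb postfix/smtpd[2110]: 3B1D9450FC: client=mail.example.net[203.0.113.7]
Mar 22 08:15:33 schweb postfix/qmgr[1044]: 3B1D9450FC: from=<alice@example.net>, size=5120, nrcpt=1 (queue active)
"""

LOCAL_DOMAINS = ["xxx.example"]


def spoof_report(log_text: str = SAMPLE_LOG) -> List[str]:
    """One line per suspicious message, naming the client that injected it."""
    sessions = parse_postfix_log(log_text.splitlines())
    return [
        f"{s.qid} from=<{s.envelope_from}> injected by "
        f"{s.client_host}[{s.client_ip}] without SASL"
        for s in find_unauthenticated_local_senders(sessions, LOCAL_DOMAINS)
    ]


if __name__ == "__main__":
    for report_line in spoof_report():
        print(report_line)
```

Only the message from mmu.ac.ug is reported: the second message authenticated as yyy@xxx.example, and the third has a foreign sender domain. Note that "Anonymous TLS connection" in the log only means the client presented no certificate; it says nothing about authentication, which is why the script keys on `sasl_username` rather than on the TLS line. The null sender `<>` has no domain and is never flagged, so bounces for your own users are not caught by this check.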

Re: phishing from ME

Kevin A. McGrail
On 3/22/2019 7:19 PM, Christian Schmitz wrote:
> Hi everyone:
> 	I have a small mail server with a few email accounts. The server is:
> openSUSE/Postfix/Apache
>
> Today I received a phishing email. The words, more or less, say that I was hacked, that
> he knows my passwords, blah blah blah, and that I must pay in bitcoins. The email
> content is 100% phishing and no real hacking, for several reasons:
Christian,

They do know the passwords but they didn't hack your PC.  See haveibeenpwned.com.  They compromised other services you use and you need better password management.


Also see KAM.cf and the KAM_CRIM ruleset for spamassassin for this exact run of spams.

Regards,
KAM
--
Kevin A. McGrail
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[hidden email]

https://www.linkedin.com/in/kmcgrail


Re: phishing from ME

Viktor Dukhovni


> On Mar 22, 2019, at 7:34 PM, Kevin A. McGrail <[hidden email]> wrote:
>
> They do know the passwords but they didn't hack your PC.  See haveibeenpwned.com.  They compromised other services you use and you need better password management.

No.  The scareware alerts are generally completely fake.  They
are spammed indiscriminately to users the scammer knows nothing
about.

--
        Viktor.


Re: phishing from ME

Kevin A. McGrail
On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
> No.  The scareware alerts are generally completely fake.  They
> are spammed indiscriminately to users the scammer knows nothing
> about.

Viktor, that does not agree with my significant experience studying this particular spam threat.  Yes, they are "fake" alerts in that they haven't hacked your PC but they do in fact have some information that they are extrapolating to scare people. 

What I see with many of the samples is that they are using passwords gained from massive attacks where passwords were leaked.  These hacks have led to user/email/password data being easily available for gazillions of people on the darkweb.  Haveibeenpwned.com can give you insight into this. I recommend you take a look.

This is step #1, obtaining some real passwords and email addresses.

Step #2 is they take this data and use the real passwords to email people.  It gives the scam a high psychological impact to trick targets into paying.  People read and go "OMG, that is my password, I have been hacked" because they don't have unique passwords.  Using this technique, they separate logic from emotion and get people to pay the ransom.  That's an important thing in the execution of many cons.

I'm giving a presentation for HIMSS on Mar 28 that we'll cover some of these bad actor techniques and how to combat them.  It's free and I'd welcome your feedback and anyone else who would like to join. HIMSS is a great organization and I think even experts like you and those on this list will learn some things.  Here's the information to register and attend:

Topic: Bad Actors and the Security Risks of Social Media
Date and Time: Thursday, March 28, 2019 2:00 pm, Eastern Daylight Time (New York, GMT-04:00)
Event number: 927 552 095
Event password: DG#$&uJET1743
Event address for attendees: https://himss.webex.com/himss/onstage/g.php?MTID=e4a485adfd01c461169172190512e0fe9
Program: HIMSS: Healthcare Cybersecurity Community
Program address: https://himss.webex.com/himss/onstage/g.php?PRID=dbe3a254261c448fe25995d7d9d2e2bf
Program registration password: The program has no registration password
-------------------------------------------------------
Audio conference information
-------------------------------------------------------
To receive a call back, provide your phone number when you join the event, or call the number below and enter the access code.
Call-in toll-free number (US/Canada): 1-866-469-3239
Call-in toll number (US/Canada): 1-650-429-3300
Global call-in numbers: https://himss.webex.com/himss/globalcallin.php?serviceType=EC&ED=743596137&tollFree=1
Toll-free dialing restrictions: https://www.webex.com/pdf/tollfree_restrictions.pdf
Access code: 927 552 095

Regards,

KAM



Re: phishing from ME

Viktor Dukhovni
> On Mar 22, 2019, at 8:54 PM, Kevin A. McGrail <[hidden email]> wrote:
>
> Viktor, that does not agree with my significant experience studying this particular spam threat.  Yes, they are "fake" alerts in that they haven't hacked your PC but they do in fact have some information that they are extrapolating to scare people.  

I receive these email messages regularly, for email addresses that
are scraped from web pages and are not tied to any passwords at any
sites.  For example:

  LAST WARNING info@[...]foundation.com!

  You have the last chance to save your social life - I am not kidding!!

  I give you the last 72 hours to make the payment before I send
  the video with your [...] to all your friends and associates.

  The last time you visited a [...] website with [...],
  you downloaded and installed the software I developed.

  ...

Or:

  ATTN: legal@[...]foundation.org

  THIS IS NOT A JOKE - I AM DEAD SERIOUS!

  Hi [...],

  The last time you visited a [...] website with [...],
  you downloaded and installed software I developed.

  My program has turned on your camera and recorded
  the process of your [...].

  My software has also downloaded all your email contact lists
  and a list of your friends on Facebook.

  ...

Sure they may also be scraping email addresses from breaches, but
that's one source.  These scams are not a specific indication that
one's passwords are at risk.  That's true or false with or without
receipt of these scams.

--
        Viktor.


Re: phishing from ME

Julian Opificius-3
In reply to this post by Kevin A. McGrail

On 3/22/2019 7:54 PM, Kevin A. McGrail wrote:

> On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
>> No.  The scareware alerts are generally completely fake.  They
>> are spammed indiscriminately to users the scammer knows nothing
>> about.
>
> Viktor, that does not agree with my significant experience studying
> this particular spam threat.  Yes, they are "fake" alerts in that they
> haven't hacked your PC but they do in fact have some information that
> they are extrapolating to scare people.
>
> What I see with many of the samples is that they are using passwords
> gained from massive attacks where passwords were leaked.  These hacks
> have lead to user/email/password data easily available for gazillions
> of people on the darkweb. Haveibeenpwned.com can give you insight into
> this. I recommend you take a look.
>
>
<clipped>

I can confirm that password information in such emails can be correct,
implying a successful phishing attack somewhere. I have received many of
these messages with what was a correct password for an old account that
fortunately is no longer valid.




Re: phishing from ME

Phil Stracchino
On 3/22/19 9:11 PM, Julian Opificius wrote:

>
> On 3/22/2019 7:54 PM, Kevin A. McGrail wrote:
>> On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
>>> No.  The scareware alerts are generally completely fake.  They
>>> are spammed indiscriminately to users the scammer knows nothing
>>> about.
>>
>> Viktor, that does not agree with my significant experience studying
>> this particular spam threat.  Yes, they are "fake" alerts in that they
>> haven't hacked your PC but they do in fact have some information that
>> they are extrapolating to scare people.
>>
>> What I see with many of the samples is that they are using passwords
>> gained from massive attacks where passwords were leaked.  These hacks
>> have lead to user/email/password data easily available for gazillions
>> of people on the darkweb. Haveibeenpwned.com can give you insight into
>> this. I recommend you take a look.
>>
>>
> <clipped>
>
> I can confirm that password information in such emails can be correct,
> implying a successful phishing attack somewhere. I have received many of
> these messages with what was a correct password for an old account that
> fortunately is no longer valid.


Exactly.  It does NOT mean they hacked you.  It means they bought a list
of passwords from past breaches and found your email address somewhere
in the list.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: phishing from ME

Kevin A. McGrail
In reply to this post by Viktor Dukhovni
On 3/22/2019 9:06 PM, Viktor Dukhovni wrote:
> Sure they may also be scraping email addresses from breaches, but
> that's one source.  These scams are not a specific indication that
> one's passwords are at risk.  That's true or false with or without
> receipt of these scams.

Have you checked on haveibeenpwned for the email addresses and domains
in question?

I do not disagree that the scammers are likely throwing everything they
can into their engine to send out the scams whether that's just a
scraped email or more compromised PII. 

So if you see one that has a password and it's legit, don't jump to "OMG,
I've been hacked by this guy."  Look at haveibeenpwned and similar
sources to see: was I pwned through someone else's compromise, and do I
need a better unique password regimen?

In general, for lay people, I tell them to use unique passphrases and
they don't stress when they see this BS as much.


Regards,

KAM


Re: phishing from ME

Viktor Dukhovni
On Fri, Mar 22, 2019 at 09:23:13PM -0400, Kevin A. McGrail wrote:

> > Sure they may also be scraping email addresses from breaches, but
> > that's one source.  These scams are not a specific indication that
> > one's passwords are at risk.  That's true or false with or without
> > receipt of these scams.
>
> Have you checked on haveibeenpwned for the email addresses and domains
> in question?

There's no need.  The team mailboxes in question are not associated
with any login accounts, they're just public contact addresses
scraped from websites.

--
        Viktor.

Re: phishing from ME

Bill Cole-3
In reply to this post by Christian Schmitz
On 22 Mar 2019, at 19:19, Christian Schmitz wrote:

> Hi everyone:
> I have a small mail server with a few email accounts. The server is:
> openSUSE/Postfix/Apache
>
> Today I received a phishing email. The words, more or less, say that I was
> hacked, that he knows my passwords, blah blah blah, and that I must pay in
> bitcoins. The email content is 100% phishing and no real hacking, for
> several reasons:
> list@XXX was created only for mailing lists and no other usage
> I have no webcam
> The hacker did not use SASL to get real use of my account.
> For forum/website registrations I use mailinator.com
>
> The curious thing is that the email seems at first to be written from me
> to myself. If my email is list@xxx, the email claims to be from list@xxx.
>
> So I started a little investigation in the log file, and it all seems that
> the "hacker" does not know the passwords, because the sender did not SASL
> authenticate, so the "hacker" simply spoofed the FROM field:
>
> 1) First question: how can I filter the spoofed emails? In other words, if
> the sender is not authorized to send as list@xxx because this email is
> managed by ME.

Do not accept mail claiming to be from any address in a local domain on
the port 25 (smtp) smtpd service. Only accept such mail via port 587
(submission) and 465 (smtps) services configured to require
authentication.

>
> 2) Second question: how can I adjust the sender policy to block soft-fail
> SPF?

That would be a very dangerous thing to do. SPF 'soft fail' is not
intended to be used that way and it is used instead of 'hard fail'
because the domain owner does NOT want receivers to reject non-passing
messages absolutely.

Postfix itself does not directly support SPF. Whatever you are using for
SPF checking would be an external tool: a policy daemon, smtp proxy
filter, or milter. The log entries you posted are too mangled for me to
recognize what tool you are using to check SPF.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: phishing from ME

MickTW8
In reply to this post by Christian Schmitz
On 22/03/2019 23:19, Christian Schmitz wrote:

> Hi everyone:
> I have a small mail server with a few email accounts. The server is:
> openSUSE/Postfix/Apache
>
> Today I received a phishing email. The words, more or less, say that I was hacked, that
> he knows my passwords, blah blah blah, and that I must pay in bitcoins. The email
> content is 100% phishing and no real hacking, for several reasons:
> list@XXX was created only for mailing lists and no other usage
> I have no webcam
> The hacker did not use SASL to get real use of my account.
> For forum/website registrations I use mailinator.com
>
> The curious thing is that the email seems at first to be written from me to myself. If my
> email is list@xxx, the email claims to be from list@xxx.
>
> So I started a little investigation in the log file, and it all seems that the "hacker"
> does not know the passwords, because the sender did not SASL authenticate, so
> the "hacker" simply spoofed the FROM field:
>
> 1) First question: how can I filter the spoofed emails? In other words, if the
> sender is not authorized to send as list@xxx because this email is managed by ME.

Hi Christian,

If you want to stop your domain(s) being spoofed you can try the
following, but note that:

1) I've blocked authentication on port 25 (smtpd). If you use port 25
for authentication, don't read on, as this won't work for you (unless
someone here knows different).
2) This will not stop you receiving opportunistic blackmail messages, as
they just as often use compromised accounts without spoofing your email
address or domain. The below will only stop you getting messages
purporting to be from yourself from the outside world.


Add a line to main.cf (if the line and file don't already exist):
header_checks = pcre:/etc/postfix/header_checks
Create the file 'header_checks' and add the following lines to the file
(the dots in the domain names are escaped so they match literally, and the
reject text is whatever polite message you want to send; note that in a
Postfix table a '#' only starts a comment at the beginning of a line, so
don't put one after the REJECT text):

/^From:.*@yourPrimarydomain\.tld/ REJECT Shut the door on your way out!
/^From:.*@yourSecondarydomainIfYouHaveOne\.tld/ REJECT Get lost

DON'T STOP NOW: Leaving the above as it is will have the undesired
effect of also rejecting authenticated mail, so disable header checks
for submission (port 587) and smtps (port 465) in 'master.cf' by adding
an override switch under those sections:
     -o receive_override_options=no_header_body_checks
If you use sendmail, mail or mailx, add the override to pickup as well.

I'm only a Postfix novice+, so please someone put me right if I'm wrong
with the above.

I have received many of these threats. I've even got one in Chinese (or
Japanese or something like that)!  Most messages contained passwords I'd
used a long long time ago, but others used passwords in recent failed
attempts at auth. I think it must have proved fruitful as more people
seem to be in on the act now. First message I got was very well written,
sent from an IP in Russia, sender claiming he was Romanian and not to be
messed with.  In the later offerings, the spelling and grammar seriously
deteriorated.

Best wishes,
Mick.


Re: phishing from ME

Kevin A. McGrail
In reply to this post by Viktor Dukhovni
On 3/22/2019 9:31 PM, Viktor Dukhovni wrote:
>> Have you checked on haveibeenpwned for the email addresses and domains
>> in question?
> There's no need.  The team mailboxes in question are not associated
> with any login accounts, they're just public contact addresses
> scraped from websites.

You might be aware of this compromise but others might not: "Email list-cleaning site may have leaked up to 2 billion records"

https://nakedsecurity.sophos.com/2019/03/12/researchers-disagree-on-volume-of-exposed-verificationsio-records/

Regards,

KAM


Re: phishing from ME

Mauricio Tavares
In reply to this post by Bill Cole-3
On Fri, Mar 22, 2019 at 9:46 PM Bill Cole
<[hidden email]> wrote:

>
> On 22 Mar 2019, at 19:19, Christian Schmitz wrote:
>
>
> Do not accept mail claiming to be from any address in a local domain on
> the port 25 (smtp) smtpd service. Only accept such mail via port 587
> (submission) and 465 (smtps) services configured to require
> authentication.
>
> >
> > 2)Seccond question :how i can adjust the sender policy to block soft
> > fail SPF?
>
> That would be a very dangerous thing to do. SPF 'soft fail' is not
> intended to be used that way and it is used instead of 'hard fail'
> because the domain owner does NOT want receivers to reject non-passing
> messages absolutely.
>
> Postfix itself does not directly support SPF. Whatever you are using for
> SPF checking would be an external tool: a policy daemon, smtp proxy
> filter, or milter. The log entries you posted are too mangled for me to
> recognize what tool you are using to check SPF.
>
I would add that spamassassin does not seem to have much of a problem
catching that.

Re: phishing from ME

Bill Cole-3
On 22 Mar 2019, at 21:56, Mauricio Tavares wrote:

> I would add that spamassassin does not seem to have much of a
> problem  catching that

True. This is due to a lot of work by John Hardin to create and maintain
a focused rule cluster that catches a big slice of this garbage. It has
morphed substantially over time, using a diverse collection of
obfuscation tactics, so this has been a non-trivial effort.


Re: phishing from ME

Benny Pedersen-2
In reply to this post by Kevin A. McGrail
Kevin A. McGrail skrev den 2019-03-23 00:34:

> Also see KAM.cf and the KAM_CRIM ruleset for spamassassin for this
> exact run of spams.

will you add good rules to core spamassassin?

so the above are testing rules, not yet ready for core; if it's stable, just
not in core, I can see why they could not be :(

OFF-TOPIC: KAM.cf to Core SA was Re: phishing from ME

Kevin A. McGrail
On 3/22/2019 10:45 PM, Benny Pedersen wrote:
> Kevin A. McGrail skrev den 2019-03-23 00:34:
>
>> Also see KAM.cf and the KAM_CRIM ruleset for spamassassin for this
>> exact run of spams.
>
> will you add good rules to core spamassassin?
>
> so the above are testing rules, not yet ready for core; if it's stable, just not in core, I can see why they could not be :(

No, sorry.  The core ruleset does not align with my needs specifically in that the corpora and mass checkers at SA make additions too slow to promote as well as too unlikely to get promoted for our needs.  We've provided the file for free since at least 2004 and believe it is good rules.

One bit of good news is that we moved KAM.cf to The McGrail Foundation, which is a 501(c)(3) with a mission to provide services, education and advocacy for private, secure and unimpeded business and communications.   It's still ASLv2 licensed, but we are looking for sponsors to help fund its development, and as a 501(c)(3), all donations are tax deductible to the extent permissible by law.

In particular, I'd like to move it to a channel with good mirrors.  There are also discussions about how to speed up masscheck and publish multiple rulesets per day. 

Regards,

KAM


Re: phishing from ME

Bill Cole-3
In reply to this post by Kevin A. McGrail
On 22 Mar 2019, at 20:54, Kevin A. McGrail wrote:

> On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
>> No.  The scareware alerts are generally completely fake.  They
>> are spammed indiscriminately to users the scammer knows nothing
>> about.
>
> Viktor, that does not agree with my significant experience studying
> this
> particular spam threat.  Yes, they are "fake" alerts in that they
> haven't hacked your PC but they do in fact have some information that
> they are extrapolating to scare people. 

With "some" being the critical word...

Most of the early variants of this extortion spam included a password in
the spam as evidence of a "hack" but more recently there have been waves
aimed at addresses that don't have any possibility of a password being
leaked because there has never been any password associated with the
address.

> What I see with many of the samples is that they are using passwords
> gained from massive attacks where passwords were leaked.  These hacks
> have lead to user/email/password data easily available for gazillions
> of
> people on the darkweb.  Haveibeenpwned.com can give you insight into
> this. I recommend you take a look. 

FWIW, Haveibeenpwned.com includes data dumps which do not include
passwords in any form. These are some of their largest data sets. When I
recently ran a scan on my email domains, these were the only dumps that
included any currently deliverable addresses. I know of no extortion
spams aimed at any other addresses in my domains, and none of those I've
seen the bodies of included purported passwords. That supports your
theory that the targets are pulled from purchasable datasets originating
in system breaches. However, it is concrete proof that the spammers do
not always have passwords or even any identifying data other than email
addresses.

Having a password to wave at the target is hypothetically valuable but
in the end very few people actually fall for these scams and the
scammers can't limit themselves to email addresses with associated
passwords.

--
Bill Cole

Re: phishing from ME

@lbutlr
In reply to this post by Bill Cole-3
On 22 Mar 2019, at 19:45, Bill Cole <[hidden email]> wrote:
> Do not accept mail claiming to be from any address in a local domain on the port 25 (smtp) smtpd service. Only accept such mail via port 587 (submission) and 465 (smtps) services configured to require authentication.

And the way to do this is:

 /etc/postfix/sender_access.pcre:
/^@/    550 Invalid address format.
/[!%\@].*\@/ 550 This server disallows weird address syntax.
/@kreme\.com$/ 450 Spoofing local domain?
/^[hidden email]$/ 550 Don't Spoof as my postmaster
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK

main.cf:

smtpd_recipient_restrictions = {stuff} check_sender_access pcre:$config_directory/sender_access.pcre, permit

This very rarely triggers for me because mail gets rejected by the previous criteria in nearly all cases:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_unlisted_recipient,
    reject_unlisted_sender,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client_hostname,
    check_recipient_access hash:$config_directory/recipient_access,
    check_sender_access pcre:$config_directory/sender_access.pcre,
    permit
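
Postfix lookup tables return the first rule that matches, so the order of the lines in sender_access.pcre decides the verdict. The script below is an added example, not from the post and not Postfix code: a minimal first-match evaluator for a pcre-style access table that models only the `/pattern/flags result` line form and only the full-address lookup key (negated patterns, if/endif blocks and the other key forms Postfix tries are left out). Run over a copy of the posted table, with the masked postmaster line assumed to be `postmaster@kreme.com` (an assumption; the post hides the address), it shows that the 450 "Spoofing local domain?" rule captures postmaster@kreme.com before the 550 rule and the OK rule below it can ever fire.

```python
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    pattern: re.Pattern
    result: str


# Constructed copy of the posted table. The masked postmaster line is
# assumed to be postmaster@kreme.com (an assumption; the post hides it).
SENDER_ACCESS_PCRE = r"""
/^@/    550 Invalid address format.
/[!%\@].*\@/ 550 This server disallows weird address syntax.
/@kreme\.com$/ 450 Spoofing local domain?
/^postmaster\@kreme\.com$/ 550 Don't Spoof as my postmaster
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
"""

# One table line: /pattern/flags result. Negation, if/endif and alternative
# delimiters that Postfix accepts are deliberately not modelled.
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<result>.+)$"
)


def parse_pcre_table(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' is a comment only at line start
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported table line: {raw!r}")
        flags = re.IGNORECASE  # Postfix pcre tables are case-insensitive by default
        for f in m["flags"]:
            if f == "i":
                flags ^= re.IGNORECASE  # the 'i' flag toggles that default off
            else:
                raise ValueError(f"flag {f!r} not modelled")
        rules.append(Rule(re.compile(m["pat"], flags), m["result"].strip()))
    return rules


def first_match(rules: List[Rule], key: str) -> Optional[int]:
    """Index of the first rule whose pattern matches the lookup key; later
    rules are never consulted, exactly the Postfix first-match behaviour."""
    for i, rule in enumerate(rules):
        if rule.pattern.search(key):
            return i
    return None


def lookup(rules: List[Rule], sender: str) -> Optional[str]:
    """Access-table result for the full-address key, or None if nothing matched."""
    i = first_match(rules, sender)
    return None if i is None else rules[i].result


def shadowed_for(rules: List[Rule], key: str) -> List[int]:
    """Indices of rules that would match the key but lose to an earlier rule.
    A non-empty list means those lines can never produce their result for
    this key, however carefully they were written."""
    winner = first_match(rules, key)
    if winner is None:
        return []
    return [i for i, r in enumerate(rules) if i > winner and r.pattern.search(key)]


if __name__ == "__main__":
    table = parse_pcre_table(SENDER_ACCESS_PCRE)
    for probe in ("postmaster@kreme.com", "bob@kreme.com", "postmaster@example.org",
                  "@kreme.com", "user%evil.example@kreme.com", "alice@example.org"):
        print(f"{probe:32} -> {lookup(table, probe)!s:45} shadowed: {shadowed_for(table, probe)}")
```

For postmaster@kreme.com the evaluator returns "450 Spoofing local domain?" and reports rules 3 and 4 as shadowed, so the 550 intended for a spoofed postmaster never applies. Moving the specific postmaster line above the catch-all `/@kreme\.com$/` rule fixes the order; the same check is worth running against any OK entries you later add for addresses in your own domain, since they too must precede the domain-wide reject.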




Re: phishing from ME

Andrey Repin-2
In reply to this post by Kevin A. McGrail
Greetings, Kevin A. McGrail!

> On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
>
>> No.  The scareware alerts are generally completely fake.  They
>> are spammed indiscriminately to users the scammer knows nothing
>> about.
>
> Viktor, that does not agree with my significant experience

My significant experience says that it does not take a lot of effort to send
email with identical MAIL FROM and RCPT TO addresses if the target host did not
set up an SPF declaration/validation.


--
With best regards,
Andrey Repin
Saturday, March 23, 2019 12:14:42

Sorry for my terrible english...


Re: phishing from ME

Andrey Repin-2
In reply to this post by Christian Schmitz
Greetings, Christian Schmitz!

> Info extra 1: LOG: /var/log/mail
> connect from mmu.ac.ug[62.75.235.12]
> Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2
> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> : SPF softfail (Mechanism '~all' matched): Envelope-from: [hidden email]

mmu.ac.ug.      86400   IN  TXT "v=spf1 include:_spf.google.com ~all"

See, ~all was your undoing.


--
With best regards,
Andrey Repin
Saturday, March 23, 2019 12:16:53

Sorry for my terrible english...
