Koozali.org formerly Contribs.org

Block spear phishing using spoofed email addresses

Block spear phishing using spoofed email addresses
« on: October 15, 2020, 12:55:15 PM »
Any pointers on how to deal with these on SME, perhaps a custom SA rule?

Return-Path: <rastine@lelevelio.vilnius.lm.lt>
From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>
Reply-To is missing

SPF: pass, dkim=none, dmarc=pass
Our company and contacts is profiled thoroughly.
Some users keep falling for it no matter what...

Re: Block spear phishing using spoofed email addresses
« Reply #1 on: October 15, 2020, 01:21:22 PM »
Comparing Return-Path with sender won't do any good.

Finding every email address in From field and comparing them should do the trick.

Any ideeas?

Re: Block spear phishing using spoofed email addresses
« Reply #2 on: October 15, 2020, 01:51:28 PM »
Actually not every spoofed sender has two email addresses in From line.

Attack comming from distributed botned from allowed countries, Geoip not helping.

Trying:

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update

Offline mmccarn

  • *
  • 2,546
Re: Block spear phishing using spoofed email addresses
« Reply #3 on: October 16, 2020, 01:12:30 PM »
It's a tricky problem.

The emails we see most at work are "From" "CFO's Name <rando-email@gmail.com>" - The email address itself is completely valid, and passes all traditional anti-spam systems (SPF, DKIM, DMarc, etc) but the name portion of the email has been modified to match one of our senior staff. 

Usually the email domain is a major provider (gmail, hotmail, yahoo) but sometimes the email has been relayed through someone else's (probably compromised) mail server.  I can't block the major providers.  The compromised servers eventually end up on someone's RBL list, but we've already received the malicious email by that time.

There are spam filter services that claim to identify and block these sorts of emails, but I've never used any.

We could (I suppose) build a template to look for any of our local users' names combined with non-official email addresses and deliver them to 'Junkmail' but then you'd have problems with:
* users' personal emails - in case someone is locked out of their business email
* suppliers and collaborators (much of the spoofed emails we get also look like "frequent supplier's name <rando-email@gmail.com>" or "sister-organization-user's-name <rando-email@gmail.com>"

To truly identify emails like these you would need a system that keeps a record of which email addresses and names get involved in ongoing productive conversations, then do something different with emails that use the same name portion but a different email address.

I took a different tack and signed up for end-user security training from KnowBe4.  Every user is required to take a couple online courses in how to identify fake emails, then, if they get fooled and click on any of the links or attachments in a weekly fake email they win an extra 20 minute online training session in how to identify malicious email messages.  The fake emails are designed to mimic current malicious email techniques, or you can build your own templates.

Offline mmccarn

  • *
  • 2,546
Re: Block spear phishing using spoofed email addresses
« Reply #4 on: October 16, 2020, 01:45:25 PM »
Return-Path: <rastine@lelevelio.vilnius.lm.lt>
From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>

In your example, the sending email is "rastine@lelevelio.vilnius.lm.lt".  An SPF check for that domain shows that it has close to 10,000 IPs configured as valid mail servers according to its SPF records:
Code: [Select]
$ nslookup -type=txt lelevelio.vilnius.lm.lt
lelevelio.vilnius.lm.lt text = "v=spf1 mx include:spf1.vilnius.lm.lt -all"

$ nslookup -type=txt spf1.vilnius.lm.lt
Non-authoritative answer:
spf1.vilnius.lm.lt text = "v=spf1  ip4:193.219.80.0/22 ip4:158.129.128.0/19 a:darzeliai.is.lt a:outmail.is.lt -all"

193.219.80.0/22 (1016 IP addresses)
158.129.128.0/19 (8128 IP addresses)

I suspect this is a pretty large ISP, and that the sending email address is valid as far as the ISP is concerned.

If all or most of your spoofed emails follow the pattern you show, you could try to build a rule to find emails where 'From' contains two '@' signs, or where it contains '@domain.tld.*@'. 

[edit]
from https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRules you might get what you need by putting something like this into /etc/mail/spamassassin/local.cf -

Code: [Select]
header LOCAL_DEMONSTRATION_FROM From =~ /\@domain.tld.*\<.*\@.*\>/i
score LOCAL_DEMONSTRATION_FROM 0.1

[caveat] I have never done this myself...
« Last Edit: October 16, 2020, 03:03:32 PM by mmccarn »

Re: Block spear phishing using spoofed email addresses
« Reply #5 on: October 16, 2020, 01:56:27 PM »
It's a tricky problem.

Absolutely :)
Problem is one can never fully trust the users.

Actually GeoIP does most of the blocking, also SMEOptimizer seems to catch quite a few
.DOC attachments containing viruses. Hope it just needs some more time to report.

Problem is they go through ClamAV undetected. Would SecuriteInfo payed 0-day help?

What seems to detect almost every .DOC virus is VirusTotal. If only they had a mail plugin
that checks realtime for signatures of selected attachments throttling down lookups to 4/min.

For now I managed to stop attack by creating 2 attachment patterns for these virused
.DOC files, possibly also blocking some valid .DOC and perhaps .XLS and .PPT files.

Could this a qpsmtpd plugin that could be used to block specific content/attachment types?

check_content_type            http://www.hjp.at/projekte/qpsmtpd/check_content_type/

This module parses a MIME message into its components and compares the content types of all parts with the contents of config/content_types. It returns OK, DENY or DECLINED on the first match, or DECLINED if there is no match.

Re: Block spear phishing using spoofed email addresses
« Reply #6 on: October 16, 2020, 02:04:20 PM »
If all or most of your spoofed emails follow the pattern you show, you could try to build a rule to find emails where 'From' contains two '@' signs, or where it contains '@domain.tld.*@'.

That was my hope, but some are spoofed like:  From: "Valid User" <rastine@lelevelio.vilnius.lm.lt>
Problem is not every mail client shows the real sender email address and users are sloppy.

I suspect the attack is conducted from a large world-wide botnet after years of profiling for spear phishing.
« Last Edit: October 16, 2020, 02:21:45 PM by bunkobugsy »

Re: Block spear phishing using spoofed email addresses
« Reply #7 on: October 19, 2020, 10:44:42 AM »
Another ideea is to blacklist every TLD from geoip badcountries list in WBL panel: ^.*@.*\.tld$
Just in case they are spamming from servers located in other countries (I've had a few cases).

Offline ReetP

  • *
  • 2,677
Re: Block spear phishing using spoofed email addresses
« Reply #8 on: October 20, 2020, 10:29:09 AM »
Best idea of all is to can email ;-)

Can't wait for the day it is consigned to the same bin that Fax was..... !
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Block spear phishing using spoofed email addresses
« Reply #9 on: October 20, 2020, 03:40:06 PM »
Till then:
www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en
ClamAV even with free securiteinfo bases barely ever cathes anything.
Currently on 1 week trial of 0day bases, pro account worth every penny :)
Tested another linux qmail antivirus, server became unresponsive.
« Last Edit: October 21, 2020, 01:11:32 AM by bunkobugsy »

Offline ReetP

  • *
  • 2,677
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Block spear phishing using spoofed email addresses
« Reply #11 on: October 22, 2020, 10:28:02 PM »
I presume that isn't fixing your original spoofed email address issue?

No, it only fixes the problem they create, i.e. blocks .doc attachments with malware.
I sincerely think it's a must-have add-on for the otherwise almost useless clamav bases, endpoint AV can fail too. Anyone can try it free for a week when malware is slipping through. Another great thing is the free sanesecurity foxhole database.

SMEOptimizer has kicked in nicely banning few thousand mails per day, 80% still blocked by GeoIP.

Horde 5.2 also has a nice red warning box about phishing attempt when it detects links with differing href, too bad webmail isn't used much.

I still think a SA rule can be customized for spoofed from email addresses, just don't know how.
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_FromNameSpoof.txt

https://www.roaringpenguin.com/wiki/index.php/Spoofed_Addresses
« Last Edit: October 22, 2020, 10:34:36 PM by bunkobugsy »

Re: Block spear phishing using spoofed email addresses
« Reply #12 on: October 26, 2020, 08:01:47 AM »
I was about to open a new thread for this issue, really glad I've found this one.

Searching around, I've stumbled into this 3-year old thread that tries to handle this problem by creating a custom SA rule. See:
https://mail-archives.apache.org/mod_mbox/spamassassin-users/201710.mbox/%3calpine.LNX.2.00.1710021204300.25845@athena.impsec.org%3e

So my question would be, how can one include the following rule in SME?
Code: [Select]
header  __FROM_QUOTES           From =~ /"/
header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES

Caveat emptor: this is untested! I'm more than happy to test this rule on my production box. Especially in the last week I've been receiving tons of malware for which my security product (and ClamAV of course on SME) is not detecting. And not only that, but all say "tier-1" AVs (Kaspersky, ESET, Bitdefender, Avira, Avast...)!

This is scaring me, first time I actually have to do something proactive on the mail server to at least put a halt to these forged emails and the only way to handle them will be via antispam and not AV.
« Last Edit: October 26, 2020, 09:12:27 AM by Michail Pappas »

Offline mmccarn

  • *
  • 2,546
Re: Block spear phishing using spoofed email addresses
« Reply #13 on: October 26, 2020, 12:01:24 PM »
There's an existing spamassassin plugin named FromNameSpoof that includes a header test __PLUGIN_FROMNAME_EMAIL

Here are instructions from the Zimbra Wiki on enabling this plugin:
https://wiki.zimbra.com/wiki/FromName_Spoofing

And here are notes from contribs.org on creating cutom rule scores:
https://wiki.contribs.org/Email#Custom_Rule_Scores

Part of the zimbra instructions say you need to load the fromnamespoof plugin.  I *think* you would do that by editing /etc/mail/spamassassin/v342.pre directly, as that file does not appear to be templated - but I don't know for sure how the spamassassin config coordinates with qpsmtpd and spamd.

Otherwise, to directly answer your question - I *think* you'd add your custom code into 'local.cf' (see link above) along with your desired score.

Offline ReetP

  • *
  • 2,677
Re: Block spear phishing using spoofed email addresses
« Reply #14 on: October 26, 2020, 03:47:43 PM »
Ahhh - this is NOT as easy as it at first seems.

I was just trying to hunt for where I added some custom templates for this. Answer is here:

/etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf

Here's a fragment I created when messing with Geoip2.

cat 82geoiprelay

Code: [Select]
# Mark GeoIP Relay Countries

ifplugin Mail::SpamAssassin::Plugin::RelayCountry

# We can add this header as RELAYCOUNTRY is a tag in RelayCountry.pm
add_header all Relay-Country _RELAYCOUNTRY_

# If we template properly we could use qpsmptd BadCountries here

header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|UA|RO|VN|US)/
describe RELAYCOUNTRY_BAD Relayed through spammy country at some point
score RELAYCOUNTRY_BAD 1.5

header RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(DE|AT|CH|FR)/
describe RELAYCOUNTRY_GOOD First untrusted GW is DE, AT,CH or FR
score RELAYCOUNTRY_GOOD -0.5

endif # Mail::SpamAssassin::Plugin::RelayCountry

This adds a header to the mail like this:

Code: [Select]
X-Spam-Details: *  0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
*      Blah blah
*      Blah blah
* -0.5 RELAYCOUNTRY_GOOD First untrusted GW is DE, AT,CH or FR <<<<<<<<< Here

Woohoo - we can do some rules or whatever to deal with this.

HOWEVER, for your solution you look like you will need:

Mail::SpamAssassin::Plugin::FromNameSpoof

See the CPan page for help on the format of the plugin.

And that looks like it first appeared in Spamassassin 3.4.2

The default on SME v9 is something like 3.3.x and on SME v10 it is 3.4.0 so that plugin won't be available.

I can see that it is in the test build of 3.4.2 that I built a year or two back and which is in the SME Dev repo. I have had it running for a few years and it hasn't broken yet...!

You can give it a whirl if you want.

Code: [Select]
yum --enablerepo=smedev install spamassassin
I'll look at v3.4.4 and at adding it to v10 - no point doing any work on v9 now.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation