Koozali.org formerly Contribs.org

Block spear phishing using spoofed email addresses
« on: October 15, 2020, 12:55:15 PM »
Any pointers on how to deal with these on SME, perhaps a custom SA rule?

Return-Path: <rastine@lelevelio.vilnius.lm.lt>
From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>
Reply-To is missing

SPF: pass, dkim=none, dmarc=pass
Our company and contacts are profiled thoroughly.
Some users keep falling for it no matter what...

Re: Block spear phishing using spoofed email addresses
« Reply #1 on: October 15, 2020, 01:21:22 PM »
Comparing Return-Path with sender won't do any good.

Finding every email address in From field and comparing them should do the trick.

Any ideas?

Re: Block spear phishing using spoofed email addresses
« Reply #2 on: October 15, 2020, 01:51:28 PM »
Actually not every spoofed sender has two email addresses in the From line.

Attack coming from a distributed botnet in allowed countries, GeoIP not helping.

Trying:

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update

Offline mmccarn

Re: Block spear phishing using spoofed email addresses
« Reply #3 on: October 16, 2020, 01:12:30 PM »
It's a tricky problem.

The emails we see most at work are "From" "CFO's Name <rando-email@gmail.com>" - the email address itself is completely valid, and passes all traditional anti-spam systems (SPF, DKIM, DMARC, etc.) but the name portion of the email has been modified to match one of our senior staff.

Usually the email domain is a major provider (gmail, hotmail, yahoo) but sometimes the email has been relayed through someone else's (probably compromised) mail server.  I can't block the major providers.  The compromised servers eventually end up on someone's RBL list, but we've already received the malicious email by that time.

There are spam filter services that claim to identify and block these sorts of emails, but I've never used any.

We could (I suppose) build a template to look for any of our local users' names combined with non-official email addresses and deliver them to 'Junkmail' but then you'd have problems with:
* users' personal emails - in case someone is locked out of their business email
* suppliers and collaborators (much of the spoofed emails we get also look like "frequent supplier's name <rando-email@gmail.com>" or "sister-organization-user's-name <rando-email@gmail.com>")

To truly identify emails like these you would need a system that keeps a record of which email addresses and names get involved in ongoing productive conversations, then do something different with emails that use the same name portion but a different email address.

I took a different tack and signed up for end-user security training from KnowBe4.  Every user is required to take a couple online courses in how to identify fake emails, then, if they get fooled and click on any of the links or attachments in a weekly fake email they win an extra 20 minute online training session in how to identify malicious email messages.  The fake emails are designed to mimic current malicious email techniques, or you can build your own templates.

Offline mmccarn

Re: Block spear phishing using spoofed email addresses
« Reply #4 on: October 16, 2020, 01:45:25 PM »
Return-Path: <rastine@lelevelio.vilnius.lm.lt>
From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>

In your example, the sending email is "rastine@lelevelio.vilnius.lm.lt".  An SPF check for that domain shows that it has close to 10,000 IPs configured as valid mail servers according to its SPF records:
Code:
$ nslookup -type=txt lelevelio.vilnius.lm.lt
lelevelio.vilnius.lm.lt text = "v=spf1 mx include:spf1.vilnius.lm.lt -all"

$ nslookup -type=txt spf1.vilnius.lm.lt
Non-authoritative answer:
spf1.vilnius.lm.lt text = "v=spf1  ip4:193.219.80.0/22 ip4:158.129.128.0/19 a:darzeliai.is.lt a:outmail.is.lt -all"

193.219.80.0/22 (1016 IP addresses)
158.129.128.0/19 (8128 IP addresses)

I suspect this is a pretty large ISP, and that the sending email address is valid as far as the ISP is concerned.

If all or most of your spoofed emails follow the pattern you show, you could try to build a rule to find emails where 'From' contains two '@' signs, or where it contains '@domain.tld.*@'. 

[edit]
from https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRules you might get what you need by putting something like this into /etc/mail/spamassassin/local.cf -

Code:
# Fires on a From: header that carries an @domain.tld address followed by a second <...@...> address
# (dots escaped so "domain.tld" matches literally; a low score for testing, raise it once it proves reliable)
header   LOCAL_DEMONSTRATION_FROM From =~ /\@domain\.tld.*\<.*\@.*\>/i
describe LOCAL_DEMONSTRATION_FROM From display name embeds our address but the real sender is elsewhere
score    LOCAL_DEMONSTRATION_FROM 0.1

[caveat] I have never done this myself...
« Last Edit: October 16, 2020, 03:03:32 PM by mmccarn »

Re: Block spear phishing using spoofed email addresses
« Reply #5 on: October 16, 2020, 01:56:27 PM »
It's a tricky problem.

Absolutely :)
Problem is one can never fully trust the users.

Actually GeoIP does most of the blocking, also SMEOptimizer seems to catch quite a few .DOC attachments containing viruses. Hope it just needs some more time to report.

Problem is they go through ClamAV undetected. Would SecuriteInfo's paid 0-day help?

What seems to detect almost every .DOC virus is VirusTotal. If only they had a mail plugin that checks in real time for signatures of selected attachments, throttling lookups down to 4/min.

For now I managed to stop the attack by creating 2 attachment patterns for these virused .DOC files, possibly also blocking some valid .DOC and perhaps .XLS and .PPT files.

Could this be a qpsmtpd plugin that could be used to block specific content/attachment types?

check_content_type            http://www.hjp.at/projekte/qpsmtpd/check_content_type/

This module parses a MIME message into its components and compares the content types of all parts with the contents of config/content_types. It returns OK, DENY or DECLINED on the first match, or DECLINED if there is no match.

Re: Block spear phishing using spoofed email addresses
« Reply #6 on: October 16, 2020, 02:04:20 PM »
If all or most of your spoofed emails follow the pattern you show, you could try to build a rule to find emails where 'From' contains two '@' signs, or where it contains '@domain.tld.*@'.

That was my hope, but some are spoofed like:  From: "Valid User" <rastine@lelevelio.vilnius.lm.lt>
Problem is not every mail client shows the real sender email address and users are sloppy.

I suspect the attack is conducted from a large world-wide botnet after years of profiling for spear phishing.
« Last Edit: October 16, 2020, 02:21:45 PM by bunkobugsy »
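Added example, not code from this thread or from SME Server: a small Python checker that applies the two detection ideas discussed above (Reply #4's "second address hidden in the display name" and Reply #3's "known local name with a foreign address"), and runs the local.cf regex from Reply #4 over the same lines to show why it misses the name-only variant from Reply #6. The sample headers, the domain "domain.tld" and the name-to-address directory are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers, following the patterns quoted in the thread.
SAMPLES = {
    "embedded":  'From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>',
    "name_only": 'From: "Valid User" <rastine@lelevelio.vilnius.lm.lt>',
    "legit":     'From: "Valid User" <valid.user@domain.tld>',
    "supplier":  'From: "Frequent Supplier" <orders@supplier.example>',
}

# Assumption: a directory of local users, display name -> official address.
KNOWN_NAMES = {"valid user": "valid.user@domain.tld"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# The header regex from Reply #4, with the dots escaped so they match literally.
SA_RULE_RE = re.compile(r"@domain\.tld.*<.*@.*>", re.IGNORECASE)


def classify_from(header):
    """Return reason tags for a raw 'From:' header line ([] means nothing suspicious)."""
    name, addr = parseaddr(header.split(":", 1)[1].strip())
    if not addr:
        return ["unparseable"]
    reasons = []
    # Reply #4 pattern: a second, different address hidden inside the display name.
    for embedded in ADDR_RE.findall(name):
        if embedded.lower() != addr.lower():
            reasons.append("addr_in_name_mismatch")
            break
    # Reply #3 pattern: display name of a known local user, but not their address.
    # (Users' personal mailboxes will trigger this too, so score it, don't reject outright.)
    bare_name = re.sub(r"<[^>]*>", "", name).strip().lower()
    expected = KNOWN_NAMES.get(bare_name)
    if expected and addr.lower() != expected:
        reasons.append("known_name_foreign_addr")
    return reasons


def sa_rule_matches(header):
    """What the local.cf regex from Reply #4 would catch on the same header line."""
    return bool(SA_RULE_RE.search(header))


if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:10} tags={classify_from(hdr)} sa_rule={sa_rule_matches(hdr)}")
```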

Re: Block spear phishing using spoofed email addresses
« Reply #7 on: October 19, 2020, 10:44:42 AM »
Another idea is to blacklist every TLD from the geoip badcountries list in the WBL panel: ^.*@.*\.tld$
Just in case they are spamming from servers located in other countries (I've had a few cases).

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #8 on: October 20, 2020, 10:29:09 AM »
Best idea of all is to can email ;-)

Can't wait for the day it is consigned to the same bin that Fax was..... !
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Block spear phishing using spoofed email addresses
« Reply #9 on: October 20, 2020, 03:40:06 PM »
Till then:
www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en
ClamAV even with the free securiteinfo bases barely ever catches anything.
Currently on a 1 week trial of the 0day bases, pro account worth every penny :)
Tested another Linux qmail antivirus, server became unresponsive.
« Last Edit: October 21, 2020, 01:11:32 AM by bunkobugsy »


Re: Block spear phishing using spoofed email addresses
« Reply #11 on: Yesterday at 10:28:02 PM »
I presume that isn't fixing your original spoofed email address issue?

No, it only fixes the problem they create, i.e. blocks .doc attachments with malware.
I sincerely think it's a must-have add-on for the otherwise almost useless clamav bases, endpoint AV can fail too. Anyone can try it free for a week when malware is slipping through. Another great thing is the free sanesecurity foxhole database.

SMEOptimizer has kicked in nicely, banning a few thousand mails per day, 80% still blocked by GeoIP.

Horde 5.2 also has a nice red warning box about phishing attempt when it detects links with differing href, too bad webmail isn't used much.

I still think a SA rule can be customized for spoofed from email addresses, just don't know how.
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_FromNameSpoof.txt

https://www.roaringpenguin.com/wiki/index.php/Spoofed_Addresses
« Last Edit: Yesterday at 10:34:36 PM by bunkobugsy »