New method of spoofing?

2Old4This
Posts: 9
Joined: 15 May 2015 21:11

New method of spoofing?

Post by 2Old4This » 12 Apr 2019 18:40

My VP of Sales has been getting a bunch of emails that look pretty convincingly like they're coming from his account. It's a poorly-spelled bitcoin extortion attempt.

Info from quarantine on EFA, which seems like a message sent to himself:
Message Headers: Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: jdoe@domain.com <jdoe@domain.com>
To: jdoe@domain.com <jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
From: jdoe@domain.com [Add to Whitelist | Add to Blacklist]
To: jdoe@domain.com
Subject: Important: Your system was compromised!
Size: 16.51kB


But here's the header from the message in the user's Outlook (sent via on-prem Exchange 2013):
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 06:28:21 -0700
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4; Thu, 11 Apr 2019 06:27:59 -0700
Received: from efa.domain.com (10.5.4.57) by exch13.domain.local
(10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend
Transport; Thu, 11 Apr 2019 06:27:59 -0700
X-Spam-Status: No
X-domain-MailScanner-EFA-Watermark: 1555594092.25085@2iOHl+CfjNEJTOoWuENANA
X-domain-MailScanner-EFA-From: jdoe@domain.com
X-domain-MailScanner-EFA: Found to be clean
X-domain-MailScanner-EFA-ID: 54A3C2005F.AAC67
X-domain-MailScanner-EFA-Information: Please contact admin@domain.com for more information
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
Message-ID: <3ef4c2c64d234b7d837ae9abbfb05e1f@exch13.domain.local>
Return-Path: jdoe@domain.com



For a legitimate internal message the From: header is: "John Doe" <jdoe@domain.com>
For this spoofed message the From: header is: "jdoe@" <domain.com jdoe@domain.com>

So I guess my immediate question is "What can I do in the short term to stop these?"

TIA
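The two things visible in the headers above are enough to write a cheap triage check: the From: header carries a display name that is itself shaped like an address ("jdoe@", or jdoe@domain.com in the quarantine view) in front of an angle-addr that is not a single addr-spec, and the Postfix Received: line shows the connecting host announcing itself as relay1.live.com while having no reverse DNS ("unknown") and coming from 10.5.4.244, which is not the Exchange server. The script below is an added example, not code from the post or from the eFa/MailScanner project. OWN_DOMAIN, AUTHORIZED_SENDER_IPS, the finding names and both sample messages are assumptions; the spoofed sample is rebuilt from the headers quoted above, the legitimate one is constructed for comparison.

```python
import re
from email import message_from_string

# Site-specific values; assumptions standing in for the real configuration.
OWN_DOMAIN = "domain.com"
AUTHORIZED_SENDER_IPS = {"10.5.4.64"}   # hosts allowed to originate mail From: our own domain

# display-name (quoted or bare) followed by exactly one angle-addr
FROM_RE = re.compile(
    r'^\s*(?:"(?P<qname>(?:[^"\\]|\\.)*)"|(?P<name>[^<"]*?))\s*<(?P<addr>[^>]*)>\s*$')
# a single, well-formed addr-spec (deliberately simple; enough for this check)
ADDR_SPEC_RE = re.compile(r'^[A-Za-z0-9._%+-]+@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$')
# "from HELO (rDNS [ip])" as Postfix writes it
RECEIVED_RE = re.compile(r'^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)')


def check_from_header(raw_from):
    """Return (findings, claimed_domain) for the value of a From: header."""
    findings = []
    m = FROM_RE.match(raw_from)
    if m:
        name = m.group("qname") if m.group("qname") is not None else m.group("name")
        addr = m.group("addr").strip()
    else:
        name, addr = "", raw_from.strip()   # bare addr-spec without a display name
    if "@" in name:
        # a display name shaped like an address is the lookalike trick seen in the thread
        findings.append("display_name_looks_like_address")
    if not ADDR_SPEC_RE.match(addr):
        # e.g. "domain.com jdoe@domain.com": whitespace inside the angle brackets
        findings.append("malformed_addr_spec")
    # the domain the sender *claims*, recovered even when the addr-spec is malformed
    d = re.search(r'@([A-Za-z0-9.-]+)\s*$', addr)
    return findings, (d.group(1).lower() if d else None)


def check_origin(msg, claimed_domain):
    """Compare the claimed From: domain with where the border MTA saw the mail come from."""
    findings = []
    received = msg.get_all("Received") or []
    if not received:
        return ["no_received_headers"]
    m = RECEIVED_RE.match(received[-1].strip())   # oldest hop = the border MTA's own stamp
    if not m:
        return ["unparsed_received"]
    if m.group("rdns") == "unknown":
        findings.append("no_reverse_dns")
    if claimed_domain == OWN_DOMAIN and m.group("ip") not in AUTHORIZED_SENDER_IPS:
        findings.append("own_domain_from_unauthorized_host")
    return findings


def analyse(raw_message):
    """Run both checks over an RFC 5322 message and return the list of findings."""
    msg = message_from_string(raw_message)
    from_findings, claimed = check_from_header(msg.get("From", ""))
    return from_findings + check_origin(msg, claimed)


# Constructed from the headers quoted in the post (continuation lines re-indented).
SPOOFED = (
    "Received: from efa.domain.com (10.5.4.57) by exch13.domain.local\n"
    " (10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend\n"
    " Transport; Thu, 11 Apr 2019 06:27:59 -0700\n"
    "Received: from relay1.live.com (unknown [10.5.4.244])\n"
    " (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    " (No client certificate requested)\n"
    " by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F\n"
    " for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)\n"
    "Subject: Important: Your system was compromised!\n"
    'From: "jdoe@" <domain.com jdoe@domain.com>\n'
    'To: "jdoe@" <domain.com jdoe@domain.com>\n'
    "Return-Path: jdoe@domain.com\n"
    "\n"
    "body\n"
)

# Constructed legitimate message for comparison (hypothetical; the queue id is a placeholder).
LEGIT = (
    "Received: from exch13.domain.local (exch13.domain.local [10.5.4.64])\n"
    " by efa.domain.com (Postfix) with ESMTPS id 0000000000\n"
    " for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)\n"
    'From: "John Doe" <jdoe@domain.com>\n'
    "To: jdoe@domain.com\n"
    "Subject: lunch\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("spoofed:", analyse(SPOOFED))
    print("legit:  ", analyse(LEGIT))
```

The origin check is the same idea as the "prevent external sender spoofing" approach discussed later in the thread: mail that claims the organisation's own domain is only trusted when it enters through a host you actually control. Run over the spoofed sample the script reports all four findings; the constructed legitimate message reports none.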

henk
Posts: 383
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: New method of spoofing?

Post by henk » 12 Apr 2019 23:09


JamesBotch
Posts: 1
Joined: 19 Apr 2019 10:06

Re: New method of spoofing?

Post by JamesBotch » 11 May 2019 13:09

I have been getting a few of these emails recently. Thanks for the solution.

bikertrash
Posts: 13
Joined: 03 Feb 2016 12:53
Location: San Diego, CA

Re: New method of spoofing?

Post by bikertrash » 18 Jun 2019 12:33

Yeah... same here. This seems to be on the rise again lately.

I just implemented the "How-to Prevent external sender spoofing to EFA" this morning and tested incoming and outgoing mail to make sure I didn't break anything. A couple of weeks ago I also created a Search Filter to look for spoofs from the first of the year to the current date the search is run. So now I'm really looking forward to another one of these spoofs to see if this modification does the trick. :P

As a side note, all of these spoofs have been coming from Asia (specifically Taiwan), all claiming my account has been hacked and that I need to pay a ransom so my "naughty activity" doesn't get released... Yeah... sure... whatever. :lol:

Shall I report the results if/when someone tries this again?
"If it ain't broke, it needs a lot more fix'n."

jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: New method of spoofing?

Post by jamerson » 20 Jun 2019 09:19

I would suggest using DKIM so no one can spoof your EFA.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

henk
Posts: 383
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: New method of spoofing?

Post by henk » 20 Jun 2019 21:54

bikertrash, if the spoofs come mainly from Asia (specifically Taiwan), a simple country block will do the trick: viewtopic.php?t=2659

See https://www.spamhaus.org/statistics/countries/

and the country codes https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#TW
