New method of spoofing?

Posted: 12 Apr 2019 18:40
by 2Old4This
My VP of Sales has been getting a bunch of emails that look pretty convincingly like they're coming from his account. It's a poorly-spelled bitcoin extortion attempt.

Info from quarantine on EFA, which seems like a message sent to himself:
Message Headers: Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: jdoe@domain.com <jdoe@domain.com>
To: jdoe@domain.com <jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
From: jdoe@domain.com
To: jdoe@domain.com
Subject: Important: Your system was compromised!
Size: 16.51kB


But here's the header from the message in the user's Outlook (sent via on-prem Exchange 2013):
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 06:28:21 -0700
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4; Thu, 11 Apr 2019 06:27:59 -0700
Received: from efa.domain.com (10.5.4.57) by exch13.domain.local
(10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend
Transport; Thu, 11 Apr 2019 06:27:59 -0700
X-Spam-Status: No
X-domain-MailScanner-EFA-Watermark: 1555594092.25085@2iOHl+CfjNEJTOoWuENANA
X-domain-MailScanner-EFA-From: jdoe@domain.com
X-domain-MailScanner-EFA: Found to be clean
X-domain-MailScanner-EFA-ID: 54A3C2005F.AAC67
X-domain-MailScanner-EFA-Information: Please contact admin@domain.com for more information
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
Message-ID: <3ef4c2c64d234b7d837ae9abbfb05e1f@exch13.domain.local>
Return-Path: jdoe@domain.com



For a legitimate internal message the From: header is: "John Doe" <jdoe@domain.com>
For this spoofed message the From: header is: "jdoe@" <domain.com jdoe@domain.com>

So I guess my immediate question is "What can I do in the short term to stop these?"

TIA
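
A header check that catches the message shown in this post, as an added example (this is not code from the EFA project or from the poster). It uses only the Python standard library and runs over header text constructed to mirror the two header blocks above. LOCAL_DOMAIN, GATEWAY and TRUSTED_CLIENTS are assumptions read off those headers: the point is that 10.5.4.244, the client that handed the spoof to EFA, is itself a private address, so "did it come from our LAN" is not a usable test and the trusted relay has to be named explicitly.

```python
"""Gateway-side check for mail whose From: claims the local domain.

Added example for this thread; it is not code from the EFA project or from
the original poster. Standard library only. The header samples are constructed
to mirror the two header blocks posted above, and LOCAL_DOMAIN, GATEWAY and
TRUSTED_CLIENTS are assumptions read off those headers.
"""
import re
from email.parser import HeaderParser

LOCAL_DOMAIN = "domain.com"     # assumption: the organisation's mail domain
GATEWAY = "efa.domain.com"      # assumption: the EFA host seen in the Received lines
# Assumption: hosts allowed to hand mail with a local From: to the gateway.
# The spoof came from 10.5.4.244, itself a private address, so a plain
# "is it RFC 1918" test would wave it through; list trusted hosts explicitly.
TRUSTED_CLIENTS = {"10.5.4.64"}   # exch13.domain.local

# Postfix: "from HELO (rdns [ip]) ... by HOST"; Exchange: "from HELO (ip) by HOST".
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\).*?\bby\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Deliberately strict addr-spec subset: no whitespace, exactly one '@'.
ADDR_SPEC_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Constructed from the spoofed message's headers as posted (Exchange hop first,
# then the Postfix hop where the outside client connected to EFA).
SPOOFED = """\
Received: from exch13.domain.local (10.5.4.64) by
 exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
 15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 06:28:21 -0700
Received: from relay1.live.com (unknown [10.5.4.244])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
 for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
"""
# Constructed: a legitimate internal message that never crossed the gateway.
INTERNAL_OK = """\
Received: from exch13.domain.local (10.5.4.64) by
 exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
 15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 09:00:00 -0700
From: "John Doe" <jdoe@domain.com>
To: "Jane Roe" <jroe@domain.com>
"""
# Constructed: ordinary inbound mail from another domain, which must still pass.
EXTERNAL_OK = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
 by efa.domain.com (Postfix) with ESMTPS id 0123456789AB
 for <jdoe@domain.com>; Thu, 11 Apr 2019 07:00:00 -0700 (PDT)
From: "Pat Vendor" <pat@example.net>
To: jdoe@domain.com
"""


def gateway_client(msg):
    """(helo, ip) of the host that handed the message to GATEWAY, else None."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(received.split()))   # unfold, then parse
        if m and m.group("by").lower() == GATEWAY:
            ip = IP_RE.search(m.group("info"))
            return m.group("helo"), ip.group(1) if ip else ""
    return None


def split_from(value):
    """Split a From: value into (display name, addr-spec) without repairing it."""
    value = " ".join(value.split())
    m = re.search(r"<([^>]*)>", value)
    if m:
        return value[:m.start()].strip().strip('"'), m.group(1).strip()
    return "", value


def spoof_reasons(raw_headers):
    """Return why the message looks spoofed; an empty list means it passes."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = split_from(msg.get("From", ""))
    reasons = []
    if not ADDR_SPEC_RE.match(addr):
        reasons.append(f"malformed From: address {addr!r}")
    if "@" in name:
        reasons.append(f"display name {name!r} is dressed up as an address")
    claimed = addr.rsplit("@", 1)[-1].strip().lower()   # what the reader sees
    hop = gateway_client(msg)
    if claimed == LOCAL_DOMAIN and hop and hop[1] not in TRUSTED_CLIENTS:
        reasons.append(f"From: claims {LOCAL_DOMAIN} but reached {GATEWAY} "
                       f"from {hop[0]} [{hop[1]}]")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoof", SPOOFED), ("internal", INTERNAL_OK),
                       ("external", EXTERNAL_OK)):
        print(f"{label}: {spoof_reasons(raw) or 'clean'}")
```

The spoofed sample trips all three tests (malformed addr-spec, an '@' in the display name, and a local-domain From: arriving at EFA from an untrusted client), while the constructed internal and external messages pass, so the rule does not block normal traffic. A check like this runs after the message has been accepted, so it is a quarantine or scoring aid; the durable fix is to refuse, at SMTP time, mail that claims your own domain from clients other than your own relays, and to publish SPF/DKIM/DMARC so other receivers can do the same.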

Re: New method of spoofing?

Posted: 12 Apr 2019 23:09
by henk

Re: New method of spoofing?

Posted: 11 May 2019 13:09
by JamesBotch
I have been getting a few of these emails recently. Thanks for the solution.

Re: New method of spoofing?

Posted: 18 Jun 2019 12:33
by bikertrash
Yeah... same here. This seems to be on the rise again lately.

I just implemented the "How-to Prevent external sender spoofing to EFA" this morning and tested incoming and outgoing mail to make sure I didn't break anything. A couple of weeks ago I also created a Search Filter to look for spoofs from the first of the year to the current date the search is run. So now I'm really looking forward to another one of these spoofs to see if this modification does the trick. :P

As a side note, all of these spoofs have been coming from Asia (specifically Taiwan), all claiming my account has been hacked and that I need to pay a ransom so my "naughty activity" doesn't get released... Yeah... sure... what ever. :lol:

Shall I report the results if/when someone tries this again?

Re: New method of spoofing?

Posted: 20 Jun 2019 09:19
by jamerson
I would suggest using DKIM so no one can spoof your EFA.

Re: New method of spoofing?

Posted: 20 Jun 2019 21:54
by henk
bikertrash, if the spoofs come mainly from Asia (specifically Taiwan), a simple country block will do the trick: viewtopic.php?t=2659

See https://www.spamhaus.org/statistics/countries/

and the country codes https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#TW