My VP of Sales has been getting a bunch of emails that look pretty convincingly like they're coming from his account. It's a poorly-spelled bitcoin extortion attempt.
Info from quarantine on EFA, which seems like a message sent to himself:
Message Headers:
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: jdoe@domain.com <jdoe@domain.com>
To: jdoe@domain.com <jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
From: jdoe@domain.com
To: jdoe@domain.com
Subject: Important: Your system was compromised!
Size: 16.51kB
But here's the header from the message in the user's Outlook (sent via on-prem Exchange 2013):
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 06:28:21 -0700
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4; Thu, 11 Apr 2019 06:27:59 -0700
Received: from efa.domain.com (10.5.4.57) by exch13.domain.local
(10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend
Transport; Thu, 11 Apr 2019 06:27:59 -0700
X-Spam-Status: No
X-domain-MailScanner-EFA-Watermark: 1555594092.25085@2iOHl+CfjNEJTOoWuENANA
X-domain-MailScanner-EFA-From: jdoe@domain.com
X-domain-MailScanner-EFA: Found to be clean
X-domain-MailScanner-EFA-ID: 54A3C2005F.AAC67
X-domain-MailScanner-EFA-Information: Please contact admin@domain.com for more information
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
Message-ID: <3ef4c2c64d234b7d837ae9abbfb05e1f@exch13.domain.local>
Return-Path: jdoe@domain.com
For a legitimate internal message the From: header is: "John Doe" <jdoe@domain.com>
For this spoofed message the From: header is: "jdoe@" <domain.com jdoe@domain.com>
So I guess my immediate question is "What can I do in the short term to stop these?"
TIA
New method of spoofing?
Re: New method of spoofing?
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
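As an added detection example (not code from the post or from the eFa project): a small Python script that flags the three things visible in the headers above, a display name that is itself an address, an addr-spec that is not a valid address, and a message claiming our domain that entered the filter from a host that is not one of our relays. The sample headers are constructed from the lines quoted in the post; OUR_DOMAIN and the trusted-relay list are assumptions.

```python
import re

OUR_DOMAIN = "domain.com"                                    # assumed: the defended domain
INTERNAL_RELAYS = {"exch13.domain.local", "efa.domain.com"}  # assumed: hosts allowed to hand in mail as us
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample: headers of the spoofed message as quoted in the post (Exchange rendering).
SPOOFED = """\
Received: from relay1.live.com (unknown [10.5.4.244])
 by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
 for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Subject: Important: Your system was compromised!
"""
# Constructed sample: a legitimate internal message, From: formed the way the post describes.
LEGIT = """\
Received: from exch13.domain.local (10.5.4.64) by exch13.domain.local
 (10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4
From: "John Doe" <jdoe@domain.com>
To: "Jane Roe" <jroe@domain.com>
Subject: Lunch?
"""

def unfold(raw):
    """Join RFC 5322 continuation lines and return {lowercased header name: [values]}."""
    headers = {}
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def spoof_indicators(raw):
    """Return the reasons a message looks like the self-addressed spoof from the post."""
    h = unfold(raw)
    reasons = []
    m = re.match(r'^"?(?P<name>.*?)"?\s*<(?P<addr>[^>]*)>$', h["from"][0])
    name, addr = (m.group("name"), m.group("addr")) if m else ("", h["from"][0])
    if not ADDR_RE.match(addr):
        reasons.append("malformed addr-spec: %r" % addr)
    if "@" in name:
        reasons.append("display name looks like an address: %r" % name)
    # The last Received: header is the earliest hop, i.e. where the mail entered our MTA.
    hop = re.match(r"from (\S+) \(([^)]*)\)", h["received"][-1])
    claims_ours = addr.split("@")[-1].strip() == OUR_DOMAIN
    if hop and claims_ours and hop.group(1) not in INTERNAL_RELAYS:
        reasons.append("claims %s but entered via %s (%s)" % (OUR_DOMAIN, hop.group(1), hop.group(2)))
    return reasons
```

Run against real mail, the third check is the one worth turning into a filter rule: mail whose From: domain is yours but whose first hop is not one of your own relays has no business being accepted as internal.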
bikertrash
Re: New method of spoofing?
Yeah... same here. This seems to be on the rise again lately.
I just implemented the "How-to Prevent external sender spoofing to EFA" this morning and tested incoming and outgoing mail to make sure I didn't break anything. A couple of weeks ago I also created a Search Filter to look for spoofs from the first of the year to the current date the search is run. So now I'm really looking forward to another one of these spoofs to see if this modification does the trick.
As a side note, all of these spoofs have been coming from Asia (specifically Taiwan), all claiming my account has been hacked and that I need to pay a ransom so my "naughty activity" doesn't get released... Yeah... sure... whatever.
Shall I report the results if/when someone tries this again?
"If it ain't broke, it needs a lot more fix'n."
Re: New method of spoofing?
I would suggest using DKIM so no one can spoof your EFA.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
Re: New method of spoofing?
bikertrash, if the spoofs come mainly from Asia (specifically Taiwan), a simple country block will do the trick: viewtopic.php?t=2659
See https://www.spamhaus.org/statistics/countries/
and the country codes https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#TW
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams