RW wrote:
> On Fri, 16 Nov 2018 08:44:52 -0500
> Robert Fitzpatrick wrote:
> > We're having an issue with spam coming from the same company even
> > though SPF and DKIM are set up with DMARC to reject. Take this
> > forwarded email for instance....
> > [ fake invoice email ]
> SPF and DKIM rarely return "fail" on these because the envelope sender
> either doesn't publish either, or publishes them and they match. SPF in
> particular would usually have nothing to do with the "obvious" From:
> address that most people would look at.
> This is a pretty confusing question because it has nothing to do with
> DMARC, SPF, or DKIM, and "same company" reads like "consistent
> spammer".
> I think what you're getting at is the use of a local address in the
> author display name:
> From: User <u...@company.com> <arte.fin...@creativegroup.com.ec>
> To: other.u...@company.com
> Did you actually mean that precise form, which looks invalid,
This certainly sounds like a series of fake invoice mails I've been
getting a trickle of reports for, and if so, then yes, that is literally
exactly what's in the original.
I dug through my reporting account's history and found one that came
directly to my own account:
Delivered-To: kdeu...@vianet.ca
Return-Path: <cay...@corpmaqplast.com>
Received: from mail.vianet.ca [209.91.128.17]
by pod.pem-lan with POP3 (fetchmail-6.3.26)
for <kdeugau@localhost> (single-drop); Tue, 06 Nov 2018 09:05:12 -0500
(EST)
Received: from rla3.dizinc.com (rla3.dizinc.com [72.29.77.172]) by
mx1.vianet.ca (Postfix) with ESMTPS id 83FE2E24D6 for <kdeu...@vianet.ca>;
Tue, 6 Nov 2018 09:03:08 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=corpmaqplast.com; s=default;
h=Content-Type:MIME-Version:Subject:Message-ID
:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=+EAmfCv8FqMxiASYoMWTcRGrgS++5JXOIOM7h8kgXyw=;
b=n/4UOgM/LfvfnVl8gzWrv7uU/P
6GL1HJgU4KMmU/hsZR6sG5y/ijG09RLmuMK1OAoYULC8P4BewtmtfsDElVGXHU9P3EG6poaMliWeM
RRxcaV8/DMUiFOa2O8Y1Q9F4OXpI8t19pAchCaR+OFs34+Npjwad/wkX/+E82uWs57gs0VJMH76z9
UVynTFc+hRbwEFGdYPi+Gnc+fpvtbO7RN0pqcNOjLQWdEr2RcO2yg1hCPUs6z8HJ7gNYT1Wx7DQEj
y6adnz0tG+sLmqsYYC/67cJYdgHuEfUvUIlCCRVgV38BXGJiDoRSsz6txHAaCYa7bXHZ892FN9EbC
CIVnco0Q==;
Received: from [187.217.80.180] (port=3340 helo=10.1.34.37) by
rla3.dizinc.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim
4.91) (envelope-from <cay...@corpmaqplast.com>) id 1gK1wg-00073v-8J for
kdeu...@vianet.ca; Tue, 06 Nov 2018 08:03:07 -0600
Date: Tue, 06 Nov 2018 14:03:06 +0000
From: John D. Smith <johnsm...@richland.edu> <cay...@corpmaqplast.com>
To: kdeu...@vianet.ca
Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>
Subject: John D. Smith Factures 0611-KDG47168618-939
In this instance SPF and DKIM passed, so whatever policies richland.edu
might publish, they're irrelevant and not checked.
This particular subseries also has an attached Word document, which is
now getting flagged by ClamAV, but IIRC there have been a few that were
either "just" phishing, or linked to malware instead of attaching it to
the message.
Looking at a couple of other examples, there are also some in the form:
From: =?UTF-8?B?[encoded stuff]= <crackedorspoo...@example.com>
where [encoded stuff] decodes to:
Some User <spoof.vic...@example.org>
-kgd
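Added illustration (my own code, not from the thread or any of its posters) of the check a filter would need for the two header shapes kgd describes: a From: whose display name carries a second, look-alike address, and the same trick hidden inside an RFC 2047 encoded-word. All addresses are constructed samples; the assumption baked in is that the last angle-addr is the mailbox the MTA actually uses and the only domain DMARC alignment is evaluated against, which is why a policy published by the display-name domain never gets consulted.

```python
# Added example (not from the thread): flag From: headers whose display name
# embeds an address from a domain other than the real sender's.
# All addresses below are constructed samples.
import base64
import re
from email.header import decode_header, make_header

# Permissive address matcher: spam headers are often malformed (two unquoted
# angle-addrs in a row), and a strict RFC 5322 parser may drop the second one.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed samples mirroring the two shapes seen in the thread.
SAMPLE_PLAIN = "Jane Doe <jane.doe@payer.example> <sender@bulk.example.net>"
SAMPLE_ENCODED = (
    "=?UTF-8?B?"
    + base64.b64encode(b"Some User <spoof.victim@example.org>").decode("ascii")
    + "?= <cracked@example.com>"
)
SAMPLE_BENIGN = "Alice Example <alice@example.com>"


def decode_header_value(raw: str) -> str:
    """Decode RFC 2047 encoded-words (=?UTF-8?B?...?=) into plain text."""
    return str(make_header(decode_header(raw)))


def split_from(raw: str):
    """Return (display_name, real_address) for a From: header value.

    Assumption: the last <...> angle-addr is the real mailbox, i.e. the one
    the MTA delivers replies to and whose domain DMARC checks alignment
    against.  Everything before it is display-name text, even if that text
    itself looks like an address.
    """
    text = decode_header_value(raw)
    angles = re.findall(r"<([^<>]*)>", text)
    if angles:
        return text[: text.rfind("<")].strip(), angles[-1].strip()
    bare = ADDR_RE.findall(text)
    real = bare[-1] if bare else ""
    return text.replace(real, "").strip(), real


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_from(raw: str, local_domains=()):
    """Flag a From: value whose display name embeds a foreign address.

    local_domains: your own domains; an embedded address in one of them is
    an impersonation of a local user and is called out separately.
    """
    display, real = split_from(raw)
    real_domain = domain_of(real)
    local = {d.lower() for d in local_domains}
    reasons = []
    for addr in ADDR_RE.findall(display):
        d = domain_of(addr)
        if d == real_domain:
            continue  # same domain as the real sender; nothing to flag
        reasons.append(f"display name shows {addr}, real sender domain is {real_domain}")
        if d in local:
            reasons.append(f"display name impersonates local domain {d}")
    return {
        "display": display,
        "address": real,
        "dmarc_domain": real_domain,  # the only domain DMARC will evaluate
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(check_from(sample, local_domains=["payer.example"]))
```

The regex is deliberately loose rather than a proper address-list parser: the whole point of the trick is that the header is not well-formed, and a strict parser tends to either reject the line or keep only the first mailbox, hiding the address that actually matters. Run it on your own From: lines after decoding; anything with a non-empty `reasons` list is worth a closer look regardless of what SPF and DKIM said.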