While I haven't received a forged Amazon order email in this exact form,
there is all kinds of stuff here that could be caught with appropriate
rules.
"In-case you require any change in order or like to cancel we recommend giving us call immediately at "
"In-case" is unlikely in mail, there should be no dash there.
"giving us call" is missing "a" and is bad grammar, but typical of
non-English speaking spam.
"In case you require any change in order" is also poor phrasing.
The whole "call us immediately to change your order" concept rates 3 points
on my mail system.
No phrase of any similar sort appears in a real Amazon order confirmation.
An actual Amazon order has a subject of the form
Subject: Your Amazon.com order #114-2489974-7888243
The Subject here is
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
The order number is in the wrong format.
The order number is in the wrong place in the subject text.
The subject text is in the wrong format.
An actual Amazon order confirmation has the headers, in this order:
From: "Amazon.com" <auto-conf...@amazon.com>
Reply-To: no-re...@amazon.com
To: <target>
Message-ID: <010001774af541dc-d38f4184-621e-4014-a295-c520285ae319-000...@email.amazonses.com>
Subject: Your Amazon.com order #114-2489974-7888242
This mail has
From: "or...@amazon.com" <gk5751...@gmail.com>
X-Google-Original-From: "or...@amazon.com" <or...@amazon.com>
Content-Type: multipart/alternative;
boundary="===============2707982310301423984=="
MIME-Version: 1.0
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
To: s...@dondley.com
The header order is completely different.
There is no Reply-To header.
The From address is completely wrong.
There should be no X-Google-* headers.
There should also be a header:
X-AMAZON-MAIL-RELAY-TYPE: notification
A real Amazon order receipt has Content-Type = multipart/alternative, but it
only contains a text/plain part encoded in QP, with no HTML part. This
message has an HTML part and should be getting MPART_ALT_DIFF.
"This email was sent from a customer service address kindly write us back if you have any concern. "
This is bad grammar and a very unlikely form of robot sending account
notice. A real Amazon order contains
"This email was sent from a notification-only address that cannot accept
inc=
oming email. Please do not reply to this message."
This is a very standard phrasing for this sort of notice.
A real Amazon order confirmation does not contain an "unsubscribe" link.
This phish does.
There is a lot of other stuff that could be caught by various rules, but a
trivial set would be something like
#-----------------------------------------------------------------------------------
# 04/16/2021
# A bunch of rules to try to catch fake Amazon order confirmations, based on a
# message pasted to the SA Users list.
header __LW_SUB_AMZ_ORDER Subject =~ /^Your Amazon\.com order \#\d{3}-\d{7}-\d{7}\s*$/
header __LW_FROM_AMZ_ORDER From =~ /\"Amazon\.com\"\s+<auto-confirm\@amazon\.com>/
header __LW_REP_AMZ_ORDER Reply-To =~ /^no-reply\@amazon\.com\s*$/
body __LW_BODY_AMZ_ORDER /Amazon.com Order Confirmation/
meta LW_REAL_AMZ_ORDER __LW_SUB_AMZ_ORDER && __LW_FROM_AMZ_ORDER && __LW_REP_AMZ_ORDER && __LW_BODY_AMZ_ORDER
score LW_REAL_AMZ_ORDER -2
describe LW_REAL_AMZ_ORDER Amazon order confirmation
header __LW_FROM_AMZ From =~ /\bamazon\b/i
header __LW_SUB_ORDER Subject =~ /\border\b/i
meta LW_FAKE_AMZ_ORDER __LW_FROM_AMZ && __LW_SUB_ORDER && !LW_REAL_AMZ_ORDER
score LW_FAKE_AMZ_ORDER 7
describe LW_FAKE_AMZ_ORDER Amazon order phish
You might also like
body LW_PAYMENT /You\s+sent\s+a\s+Payment\s+of/i
score LW_PAYMENT 0.5
describe LW_PAYMENT You sent someone a payment
body LW_ORDER /\b(?:order|purchase)\s+(?:number|ID|date|description)\b/i
score LW_ORDER 0.5
describe LW_ORDER Contains order information
meta LW_FREEMAIL_ORDER FREEMAIL_FROM && (LW_ORDER || LW_PAYMENT)
score LW_FREEMAIL_ORDER 4
describe LW_FREEMAIL_ORDER An order receipt from a free email address
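The header and body checks described in the post (subject format, From/Reply-To addresses, X-Google-* headers, the X-AMAZON-MAIL-RELAY-TYPE header, header order, HTML part inside multipart/alternative, unsubscribe link) re-expressed as a small Python checker, so they can be run against a raw message outside SpamAssassin. This is an added example, not the poster's rules or anything from Amazon; the two sample messages, the addresses and IDs in them, the function names and the point weights are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed samples: a confirmation shaped like the real headers in the post,
# and a phish shaped like the fake one. Addresses and IDs are placeholders.
REAL_MSG = """\
From: "Amazon.com" <auto-confirm@amazon.com>
Reply-To: no-reply@amazon.com
To: target@example.com
Message-ID: <placeholder-id@email.amazonses.com>
Subject: Your Amazon.com order #114-2489974-7888242
X-AMAZON-MAIL-RELAY-TYPE: notification
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="real-boundary"

--real-boundary
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Amazon.com Order Confirmation
This email was sent from a notification-only address that cannot accept inc=
oming email. Please do not reply to this message.
--real-boundary--
"""

PHISH_MSG = """\
From: "order@amazon.com" <constructed-sender@gmail.com>
X-Google-Original-From: "order@amazon.com" <order@amazon.com>
Content-Type: multipart/alternative; boundary="phish-boundary"
MIME-Version: 1.0
Subject: IVK-1250703-9254770 | Apple Watch Series 6 Order Now Confirmed
To: victim@example.com

--phish-boundary
Content-Type: text/plain; charset="utf-8"

In-case you require any change in order or like to cancel we recommend
giving us call immediately at the number below.
--phish-boundary
Content-Type: text/html; charset="utf-8"

<html><body><p>Order Now Confirmed</p>
<a href="https://example.invalid/u">Unsubscribe</a></body></html>
--phish-boundary--
"""

# Header order the post gives for a real confirmation (lower-cased for matching).
REAL_ORDER = ["from", "reply-to", "to", "message-id", "subject"]
SUBJECT_RE = re.compile(r"^Your Amazon\.com order #\d{3}-\d{7}-\d{7}\s*$")
FROM_RE = re.compile(r'^"Amazon\.com"\s+<auto-confirm@amazon\.com>\s*$')
REPLY_TO_RE = re.compile(r"^no-reply@amazon\.com\s*$")
ADDR_RE = re.compile(r"<([^>]+)>\s*$")


def _leaf_parts(msg: Message):
    """Yield (content_type, decoded text) for each non-multipart part."""
    for part in msg.walk():
        if not part.is_multipart():
            raw = part.get_payload(decode=True) or b""  # undoes QP/base64
            yield part.get_content_type(), raw.decode("utf-8", "replace")


def check_amazon_order(raw: str) -> dict:
    """Apply the post's checks; return findings and an assumed score
    (no findings -> -2 like LW_REAL_AMZ_ORDER, else 1 point each, capped at 7)."""
    msg = message_from_string(raw)
    findings = []
    if not SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject format wrong")
    from_hdr = msg.get("From", "")
    if not FROM_RE.match(from_hdr):
        findings.append("From is not the Amazon auto-confirm address")
    addr = ADDR_RE.search(from_hdr)
    if "amazon" in from_hdr.lower() and addr and \
            not addr.group(1).lower().endswith("@amazon.com"):
        findings.append("From claims Amazon but address is off-domain")
    if not REPLY_TO_RE.match(msg.get("Reply-To", "")):
        findings.append("Reply-To missing or wrong")
    if any(k.lower().startswith("x-google-") for k in msg.keys()):
        findings.append("X-Google-* header present")
    if msg.get("X-AMAZON-MAIL-RELAY-TYPE", "").strip().lower() != "notification":
        findings.append("X-AMAZON-MAIL-RELAY-TYPE missing")
    # Of the documented headers that are present, require the documented order.
    present = [k.lower() for k in msg.keys() if k.lower() in REAL_ORDER]
    if present != [k for k in REAL_ORDER if k in present]:
        findings.append("header order differs from a real confirmation")
    parts = list(_leaf_parts(msg))
    if msg.get_content_type() == "multipart/alternative" and \
            any(ct == "text/html" for ct, _ in parts):
        findings.append("multipart/alternative with an HTML part")
    text = "\n".join(body for _, body in parts)
    if re.search(r"\bunsubscribe\b", text, re.I):
        findings.append("unsubscribe link in body")
    if "Amazon.com Order Confirmation" not in text:
        findings.append("body lacks the standard confirmation line")
    score = -2.0 if not findings else float(min(7, len(findings)))
    return {"findings": findings, "score": score}


if __name__ == "__main__":
    for name, sample in (("real", REAL_MSG), ("phish", PHISH_MSG)):
        print(name, check_amazon_order(sample))
```

The quoted-printable soft break (`inc=` / `oming`) in the real sample is decoded by `get_payload(decode=True)` before the body checks run, which is the same reason a SpamAssassin `body` rule sees "incoming" rather than the raw encoded text.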