On 2023-05-23 at 12:08:10 UTC-0400 (Tue, 23 May 2023 18:08:10 +0200) Thierry <host...@ezwww.ch> is rumored to have said:
> Hi,
>
> we just received phishing spams (Postfinance) from zendesk.com
>
> This domain is present in 60_welcomelist_auth.cf for the rule
> USER_IN_DEF_SPF_WL
>
> Can you remove this domain (temporarily or permanently) next update ?

Yes. I've also seen evidence of what looks like cross-tenant phishing from ZenDesk.

shiny:rules root# svn diff
Index: 60_welcomelist_auth.cf =================================================================== --- 60_welcomelist_auth.cf (revision 1910020) +++ 60_welcomelist_auth.cf (working copy) @@ -439,7 +439,6 @@ def_welcomelist_auth *@*.trulia.com def_welcomelist_auth *@*.rentalcars.com def_welcomelist_auth *@recommendedjobs.com -def_welcomelist_auth *@*.zendesk.com def_welcomelist_auth *@*.advocareemail.com def_welcomelist_auth *@*.plenti.com def_welcomelist_auth *@*.amolatina.com
@@ -1417,7 +1416,6 @@ def_whitelist_auth *@*.trulia.com def_whitelist_auth *@*.rentalcars.com def_whitelist_auth *@recommendedjobs.com -def_whitelist_auth *@*.zendesk.com def_whitelist_auth *@*.advocareemail.com def_whitelist_auth *@*.plenti.com def_whitelist_auth *@*.amolatina.com
shiny:rules root# svn commit -m "Phish reported on user list from/via ZenDesk"
Authentication realm: <https://svn.apache.org:443> ASF Committers
Password for 'billcole': ***************
Sending 60_welcomelist_auth.cf
Transmitting file data .done
Committing transaction...
Committed revision 1910021.

>
> Received: from outbyoip4.pod19.use1.zdsys.com (outbyoip4.pod19.use1.zdsys.com
>   [192.161.149.4])
>   (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
>   verify=NO)
>   for <xxxxx>; Tue, 23 May 2023 17:26:00 +0200
> Authentication-Results: dmarc=none (p=none dis=none)
>   header.from=atlys.zendesk.com
> Authentication-Results: spf=pass smtp.mailfrom=atlys.zendesk.com
> Authentication-Results:
>   dkim=pass (2048-bit key) header.d=zendesk.com header.i=@zendesk.com
>   header.b="Se7nuDiy"
> Received: from zendesk.com (unknown [10.219.24.95])
>   by outbyoip4.pod19.use1.zdsys.com (Postfix) with ESMTP id xxxxxxxxx
>   for <xxxxxx>; Tue, 23 May 2023 15:25:58 +0000 (UTC)
> Date: Tue, 23 May 2023 15:25:58 +0000
> From: "Роstfinаnсе (GmbH)" <supp...@atlys.zendesk.com>
> Reply-To: "Роstfinаnсе (GmbH)" <support+id55...@atlys.zendesk.com>
> To: xxxxx <xxxxxx>
> Message-ID: <6x2430xxxxxxx_sp...@zendesk.com>
> In-Reply-To: <6x2430xxx...@zendesk.com>
> *Subject: Wichtig: Aktualisieren Sie Ihr**
> **Роstfinаnсе-Konto*
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="--==_mimepart_646cdb0667952_4c4a9c38871";
>   charset=utf-8
> Content-Transfer-Encoding: 7bit
> X-Delivery-Context: automatic-answer-1689173234243234
> Auto-Submitted: auto-generated
> X-Auto-Response-Suppress: All
> X-Mailer: Zendesk Mailer
> X-Zendesk-From-Account-Id: 83f40dd
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com;
>   q=dns/txt; s=zendesk2; t=1684855558;
>   bh=hZXuEvY/OemVRfx2BSZkm7AF9OUMlXdBZZugXDZhHF0=;
>
> ...
>
>
> Thierry

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
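
Review bot: In the first hunk (@@ -439,7 +439,6 @@) the entry "def_welcomelist_auth *@*.zendesk.com" disappears without leaving any record in the file, and the commit message "Phish reported on user list from/via ZenDesk" does not say that the pattern was a wildcard over every tenant subdomain. The quoted sample has From and smtp.mailfrom at atlys.zendesk.com with spf=pass and dkim=pass for d=zendesk.com, so any tenant could ride the entry. Suggest a one-line comment at this position in the file, or a fuller commit message, stating that the wildcard was dropped because tenant-originated mail authenticates under it, so the entry is not re-added from the history later.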
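
Review bot: The second hunk (@@ -1417,7 +1416,6 @@) repeats the same removal by hand in the def_whitelist_auth block, whose context lines carry the same patterns as the def_welcomelist_auth block in the first hunk, and nothing visible in the diff keeps the two lists in step. An edit applied to only one block would leave the domain listed under the other directive name. Suggest a check at commit time that both blocks hold the same set of patterns, or generating one block from the other.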