Received-SPF: pass (Cache: Last token {include:spf.n2net.net} (res=PASS)) client-ip=207.166.203.21; envelope-from=<JimL@n2net.net>; x-ip-name=mail1.n2net.net;
X-Received: from mail1.n2net.net (mail1.n2net.net [207.166.203.21])
by netwin.co.nz (SurgeMail 7.3h) with ESMTP (TLS) id 1161130-1391920
for <surgemail-list@netwin.co.nz>; Tue, 03 Apr 2018 15:36:05 +0000
X-Return-Path: JimL
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=n2net.net;
s=default; t=1522769765;
bh=0deblrGyNpDSHip22e/4PITG6T8GYO/KJP5DQ+m6vXE=;
h=From:To:Subject:Date;
b=IqZHITJqczRO/o5l5KAMr3eJaCelUoQZFjcdp5GBQwuKEO6pwRJ8vNr1wS/QHgaXg
qNZfOqQJXLV4LDlCjwscQAogqhv7QYCygkc/U75GhFgUMN5VgIn58mpSnuyPNBQ2k0
TJjLgo9ivY/MORgSmK0WmtJ4qMMnCsuQCSIlgC4Y=
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=207.166.203.3;
X-Received: from exchange.n2net.net (unverified [207.166.203.3])
by mail1.n2net.net (SurgeMail 7.3e2) with ESMTP (TLS) id 150168777-1907077
for <surgemail-list@netwin.co.nz>; Tue, 03 Apr 2018 11:36:00 -0400
X-Return-Path: JimL
X-Received: from EXCHANGE.n2net.local ([2002:cfa6:cb03::cfa6:cb03]) by
EXCHANGE.n2net.local ([::1]) with mapi id 14.03.0389.001; Tue, 3 Apr 2018
11:35:59 -0400
From: Jim Lohiser
To: "surgemail-list@netwin.co.nz" <surgemail-list@netwin.co.nz>
Subject: [SurgeMail List] Phishing Allowed Due To Incorrect From Header Parsing
Thread-Topic: Phishing Allowed Due To Incorrect From Header Parsing
Thread-Index: AdPLX9jI5fWs/SQpRNWQ1wdyGfEHVw==
Date: Tue, 3 Apr 2018 15:35:59 +0000
Message-ID: <508C36E21EBFB540AAB1EF2568A614795699DF93@EXCHANGE.n2net.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-x-originating-ip: [192.168.91.8]
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-X-Originating-IP: 207.166.203.3
X-Country: code=US country="United States" ip=207.166.203.3
X-Originating-IP: 207.166.203.21
X-Country: code=US country="United States" ip=207.166.203.21
X-ORBS-Accept: dnswl_none
X-Rcpt-To: <surgemail-list@netwin.co.nz>
X-SpamDetect: **: 2.0 sd=2.0 lv=0.00 nok=1/0 m=1 nf=0 Close 0.04(X-myrbl:Color=white) 0.07(dnswl_none) 0.90(X-Phrase:isspam) 0.84(X-Mash:sameip) 0.32(X-Verify-Helo:+OK) 0.38(X-Country:States) 0.40(genuine) 0.41(dkimok) 0.45(X-LangGuess:English) 0.52(X-NotAscii:us-ascii) 0.51(spfpass) Saned 5.0 Sval 2.0 bsan 5.0 Moved 5.0->2.0 Sval 2.0
X-NotAscii: charset=us-ascii
X-Mash: sameip
X-LangGuess: English
X-Probe: +OK skipped, known ip address
X-Phrase: IsSpam score=1.00
X-Verify-Helo: +OK mail1.n2net.net
Authentication-Results: netwin.co.nz header.from=JimL@n2net.net; dkim=pass (good signature)
X-Encryption: SSL encrypted
X-MyRbl: Color=White Age=223 Spam=0 Notspam=0 Stars=0 Good=55 Friend=55 Surbl=0 Catch=0 r=0 ip=207.166.203.21
X-IP-stats: Incoming Outgoing Last 0, First 223, in=26649, out=166, spam=0 Known=true ip=207.166.203.21
List-Unsubscribe: <mailto:surgemail-list-leave@netwin.co.nz?subject=unsubscribe>
X-Mailing-List: surgemail-list@netwin.co.nz
List-ID: <surgemail-list@netwin.co.nz>
Precedence: bulk
Reply-To: surgemail-list@netwin.co.nz
NetWin,
A customer is reporting phishing messages that are slipping through the spam filters in SurgeMail. I had them send the headers for an example message. It appears that SurgeMail is incorrectly parsing the From header and that is allowing the message to slip through. A copy of the From header and the spam log for this message are included below.
From: "towens@" <somedomain.tld steven-girard@Bbox.fr>
2018-04-03 08:39:32.00 ALLOWED [150150307] ip(194.158.98.45) from(steven-girard@bbox.fr,towens@somedomain.tld) subject(inv # xz-9988187676) friend is known (friend_known.deliver_local wild (*@somedomain.tld) in users friend.lst)
It looks like the spammers are sending bad From headers in order to intentionally trick your spam filter. How can we prevent this from happening?
We have had similar issues in the past with SurgeMail parsing using the "display" portion of From headers instead of only using the actual email address and this has caused other problems, including blocking emails from the Wall Street Journal. Can the From header parsing be made more strict so that it *ONLY* looks at the email address portion of the From header?
Thanks,
Jim L
N2Net
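The parsing problem described in the post, shown as an added example that is not from the post, from NetWin, or from SurgeMail's own code. The lenient extractor below (naive_from_addresses) is a hypothetical emulation written to reproduce the two addresses seen in the quoted log line, from(steven-girard@bbox.fr,towens@somedomain.tld); it is not SurgeMail's actual algorithm. The strict parser beside it uses only the addr-spec inside the angle brackets and rejects the header when that text is not a single RFC 5322 address, which is the behaviour the post asks for. The friend-list pattern and the verdict names REJECT_HEADER and SCAN are assumptions for this example; ALLOWED mirrors the friend_known.deliver_local outcome in the log.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data: the From header from the post, a well-formed
# header for the same mailbox, and the friend.lst wildcard from the log line.
MALFORMED_FROM = '"towens@" <somedomain.tld steven-girard@Bbox.fr>'
WELL_FORMED_FROM = '"Tom Owens" <towens@somedomain.tld>'
FRIEND_LIST = ["*@somedomain.tld"]

# RFC 5322 addr-spec, simplified: dot-atom local part, dotted domain,
# and no whitespace anywhere. Anchored so the whole candidate must match.
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def naive_from_addresses(header):
    """Hypothetical lenient extractor (assumption, not SurgeMail's code).

    It strips quotes and angle brackets, then treats any 'text@' followed by
    optional whitespace and a domain-looking token as an address. On the
    malformed header this glues the display name "towens@" to the first token
    inside the brackets, producing towens@somedomain.tld, exactly the second
    address in the post's log line.
    """
    flat = re.sub(r'["<>]', " ", header)
    found = re.findall(r"[A-Za-z0-9._%+-]+@\s*[A-Za-z0-9.-]+", flat)
    return [re.sub(r"\s+", "", f).lower() for f in found]


def strict_from_address(header):
    """Strict parse: use only the addr-spec.

    The display name is ignored entirely. The candidate is the text inside the
    angle brackets (or the whole field if there are none), and the header is
    rejected (None) unless that text is exactly one RFC 5322 addr-spec.
    """
    rest = header.strip()
    # Drop a leading quoted display name so a '<' or '@' inside the quotes
    # cannot be mistaken for part of the address.
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        rest = rest[end + 1:].strip()
    if "<" in rest:
        # Exactly one angle-addr, and nothing may follow the closing '>'.
        if not rest.endswith(">") or rest.count("<") != 1:
            return None
        candidate = rest[rest.index("<") + 1:-1].strip()
    else:
        candidate = rest
    if not ADDR_SPEC.match(candidate):
        return None
    return candidate.lower()


def friend_match(address, friend_list):
    """Case-insensitive wildcard match of one address against friend.lst patterns."""
    return any(fnmatchcase(address, pattern.lower()) for pattern in friend_list)


def filter_decision(header, friend_list, strict=True):
    """Verdict for a From header under each parsing mode (verdict names assumed).

    Lenient mode lets any extracted address satisfy the friend list, which is
    how the malformed header reaches the wildcard *@somedomain.tld. Strict mode
    evaluates only the real addr-spec and refuses a header it cannot parse.
    """
    if strict:
        addr = strict_from_address(header)
        if addr is None:
            return "REJECT_HEADER"
        return "ALLOWED" if friend_match(addr, friend_list) else "SCAN"
    for addr in naive_from_addresses(header):
        if friend_match(addr, friend_list):
            return "ALLOWED"
    return "SCAN"


if __name__ == "__main__":
    for label, hdr in (("malformed", MALFORMED_FROM), ("well-formed", WELL_FORMED_FROM)):
        print(label, "lenient extracts:", naive_from_addresses(hdr))
        print(label, "strict extracts:", strict_from_address(hdr))
        print(label, "lenient verdict:", filter_decision(hdr, FRIEND_LIST, strict=False))
        print(label, "strict verdict:", filter_decision(hdr, FRIEND_LIST, strict=True))
```

Run stand-alone it prints that the lenient path finds both steven-girard@bbox.fr and towens@somedomain.tld in the malformed header and returns ALLOWED, while the strict path finds no valid addr-spec and returns REJECT_HEADER; the well-formed header is ALLOWED under both. The design point is that the friend list should only ever be consulted with an address that actually parsed, so a deliberately broken header cannot borrow a trusted domain from its display name.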