Kitz Forum

Chat => Tech Chat => Topic started by: sevenlayermuddle on February 14, 2017, 12:20:10 PM

Title: Convincing fake invoice
Post by: sevenlayermuddle on February 14, 2017, 12:20:10 PM
Just a word of warning....

Last year I got a quote from a local company to do some work.  In the end I declined their quote, went with another company.

But last week in my spam folder I found a very convincing email from the first company, subject 'RE: Your Invoice'.  Everything looked correct, company logo, names, phone numbers, and all headers OK, it really did appear to be from the Company.

It contained a link supposedly to an invoice and that link was identified by Google as suspect, hence marked as spam.   I don't know what would then have happened if I'd opened the link, I guess either malware payload, or just inviting me to pay cash into their bank. 

I have now phoned the company who apologised and confirmed they are aware they had recently been hacked in some bad way.   But the point is, if I had actually employed them to do the work and was expecting an invoice, I have to admit.... I may well have been taken in.    :o

Title: Re: Convincing fake invoice
Post by: roseway on February 14, 2017, 01:19:47 PM
None of us can afford to be complacent, can we? Most scams are quite obvious, but from time to time a very persuasive one turns up. You have to be vigilant all the time.
Title: Re: Convincing fake invoice
Post by: broadstairs on February 14, 2017, 03:27:08 PM
I must admit I always open my own bookmark when requested to contact a company via an email, no matter who they are. I never these days click on a link, and that even goes for my bank & credit card company. If it comes from a company I've never had dealings with, it goes in the trash folder.

I must admit that since my hosting company moved me to Krystal their email spam trap is 100% better than the old one. I'm finding 20-30 emails a day quarantined which so far I've reviewed and it has been 100% correct. So far virtually nothing is getting through to me. They use something called SpamExperts.

Stuart
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on February 14, 2017, 07:37:26 PM
That's good advice Stuart.

But the problem is, the majority of small businesses these days do like being paid via online transfers, and they do send their perfectly legitimate invoices via email.  You don't have to hit 'reply', you just have to make the payment, typed in by your own hand, to the sort code and account shown on the invoice.  And if the invoice is from a company that's been genuinely employed, for an amount that's expected, I think a lot of people would simply pay.  But of course, the sort code & account are fake, they are the crook's bank account.

Worse still, I think it's treated as theft rather than banking fraud, so the bank won't refund your money, and the genuine company that did the work will still want paid.   :'(

FWIW, my own last line of defence is that as far as I can get away with it, I don't use online banking.   I write a cheque and either hand it over face to face, or post it to the company's office address.   I'm not popular for that as online payments are a lot more convenient for the recipient, but nobody has yet turned me down for the work needing done.   :-[
Title: Re: Convincing fake invoice
Post by: Chrysalis on February 15, 2017, 12:40:36 AM
A tip is to hover over the link in the email, and it will show the "true" domain name where it's redirected to, not the fake name visible in the email text.  You can do this without clicking on it.

In the screenie I attached here, I hovered over the Final Fantasy VIII link at the top and the URL showed at the bottom, inside the circle I drew.
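The "hover over the link" check above can be done programmatically over an HTML mail body. This is an added example, not code from the thread: it collects every anchor's href and visible text and flags links whose text shows a domain that differs from the real target host. The sample HTML is constructed and every domain in it is a placeholder.

```python
"""Automate the "hover over the link" check: parse an HTML e-mail body and
report <a> links whose visible text shows a domain/URL that differs from the
host the href really points at. Added example, not from the forum thread;
the sample HTML is constructed and every domain in it is a placeholder."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a bare domain or URL in the visible link text.
_DOMAINISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []          # finished (href, text) tuples
        self._current = None     # [href, text] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host_of(url):
    """Lower-case hostname of a URL; a scheme is added if the href lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_deceptive_links(html):
    """Return [(visible_text, true_host)] for links whose text misleads.

    A link is flagged when its visible text contains a domain or URL whose
    host is neither the href's host nor a parent domain of it.
    """
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = _DOMAINISH.search(text.strip())
        if not shown:
            continue                       # plain words: nothing to compare
        shown_host = shown.group(1).lower()
        true_host = _host_of(href)
        if true_host and true_host != shown_host \
                and not true_host.endswith("." + shown_host):
            flagged.append((text.strip(), true_host))
    return flagged


# Constructed sample body: one honest link, one deceptive one.
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<p><a href="https://invoices.example-bank.test/123">View invoice</a></p>
<p><a href="http://attacker.invalid/login">https://www.example-bank.test/login</a></p>
"""
```

Running `find_deceptive_links(SAMPLE_HTML)` reports only the second link, whose text names the bank but whose href goes elsewhere.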
Title: Re: Convincing fake invoice
Post by: Ronski on February 15, 2017, 06:22:48 AM
7LM surely a phone call to the company you have to pay confirming details is sufficient?

I got an email at work the other day from a large local company we used in the past saying some of its customers had received fake letters saying that its bank account had changed, when it hadn't.
Title: Re: Convincing fake invoice
Post by: Sebby on February 15, 2017, 07:43:49 AM
This is a really good example of why all companies should be using DMARC email authentication.
Title: Re: Convincing fake invoice
Post by: d2d4j on February 15, 2017, 09:25:06 AM
Hi

DMARC would help, as would SPF and DKIM, but where a user's email account has been hacked, these records would only serve to prove the email was genuine.

There is no substitute for common sense, vigilance and always double-checking by phone, using your known number (not a number taken from the email), to verbally confirm bank detail changes.

I have seen this happen

Many thanks

John
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on February 15, 2017, 10:00:31 AM
In this case, SPF and DKIM both passed authentication.   As d2d4j suggests, the crooks had probably broken into the company's genuine online email account.

In this day and age of telecomms deregulation, I don't completely trust phone numbers either.   Can there be any guarantee your call hasn't somehow been illegally forwarded to another (crooked) line?
Title: Re: Convincing fake invoice
Post by: Sebby on February 15, 2017, 11:16:34 AM
Very true. If they're sending from the company's actual infrastructure then email authentication isn't going to help.
Title: Re: Convincing fake invoice
Post by: petef on February 15, 2017, 11:57:52 PM
I generally examine the raw source of suspicious emails. My experience has been that the earlier adopters of SPF and DKIM tended to be the scammers before legitimate senders got their act together (if they have). DMARC works if the email is sent from the prime web presence of a company. However I find it tricky to distinguish between bona fide third party emailing services and  spammers.

Does anyone know of a white list of trusted mass emailers?
Title: Re: Convincing fake invoice
Post by: Chrysalis on February 16, 2017, 01:01:01 AM
Yep, this is why I changed the default SpamAssassin behaviour to not provide negative scoring for pass DKIM/SPF (higher score is used to mark spam).  Instead I give them a neutral 0 score, as the frequency of spam delivered from hosts that pass DKIM/SPF is getting higher by the day.
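The change described above is a few score overrides in SpamAssassin's local configuration. This is an added example, not Chrysalis's actual config; the rule names are SpamAssassin's standard SPF/DKIM rules and the threshold shown is the stock default.

```conf
# Added example (not from the thread): local.cf overrides that neutralise the
# small negative (ham-leaning) scores SpamAssassin gives to mail that merely
# passes SPF or DKIM, so a "pass" no longer lowers the total.
# Check the defaults for your version with: spamassassin -D --lint
score SPF_PASS      0
score DKIM_VALID    0
score DKIM_VALID_AU 0
# DKIM_SIGNED is left alone: a signature by itself says nothing about whether
# the signing domain is trustworthy, so its default score is not negative.
# Messages at or above this total are marked as spam (stock default).
required_score 5.0
```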
Title: Re: Convincing fake invoice
Post by: Weaver on March 07, 2017, 10:17:31 AM
UKServers, discussed in an earlier thread, handles my email and they use SpamAssassin, which is server-side software. I have SpamAssassin's threshold figure set quite low, and have a gap between "marking" and nuking emails (on the server side). It is set to block exes too, so naive users can't receive malware in straight attachments, although I forget what happens about zip files or ridiculous things like Office documents and their insane embedded programs (macros / VBA programs).

Neither attachments nor malicious web stuff are issues here in Weaver-Land as everything is like Fort Knox and users can't run anything they have tried to download anyway.

I really need to read up on DKIM and DMARC.

I publish SPF. Q: Does anyone know if SpamAssassin takes it into account on inbound email by default? I haven't seen any parameters relating to it for inbound email in UKServers' UI.

I have my own very small server-side white- and blacklists which are just built up based on experience not on external data sources.

I would be very grateful to hear about any tips for reliable blacklists. UKServers already uses several of these public databases optionally, and I have them all turned on, despite the health warnings. Q: Could anyone help with any suggestions of known persistent nuisances?

I would have to think about whitelist databases. Q: Any thoughts?

Q: Did someone say that scammers publish SPF declarations?

I wish that my email service had a facility where I could much more easily block nuisance emails server-side, in one-click fashion. This is asking for the moon on a stick. Email clients need an enhanced UI, then we need a protocol for talking to a SP’s server, and then finally the server-side engine to implement the rules. Because spammers keep rotating “From:” addresses, content-based checking would be much more useful in such a one-click system, so we would need to either upload the whole nuisance email or, far better, send either a UID if possible or a hash. Then the server could derive some kind of filter entry based on the entire thing plus its headers / metadata.

At least a "nuke emails _like_ this one" facility that is wholly server-side, including a UI provided by their server would be doable, just not one-click. It would require that the server hold copies of recently received emails somewhere for a while even if the client had supposedly emptied the server out.

I ought to have some kind of UI covering (i) what to do when SPF checks fail, and (ii) some marking of emails that have failed, if we let failed ones through. Does anyone know about the availability of such stuff on servers?

[Moderator edited to merge three consecutive posts into one.]
Title: Re: Convincing fake invoice
Post by: d2d4j on March 07, 2017, 11:03:14 AM
Hi weaver

I hope you don't mind, but your posts are touching on multiple things a mail server does

A lot depends upon how a mail server is set up, which any reputable ESP would not divulge

A basic shared mail server could do the following

Full server wide enforcement

Domain level enforcement

User level enforcement

The level of enforcement is set so as the user has partial control, domain level higher control and server wide full control. However, server wide has to take into account one person's spam may not be another person's spam, if you see what I mean

You will have no control over any SA plugins, only server admins have this control, but we use a variety of plugins, SPF, Razor, Pyzor etc...

Access to control these is at user level, from webmail access, settings, spam

Also, yes, spammers are aware of all blocking/checking a mail server does, and the cost of a domain is very cheap, so they can set all DNS records up.

The idea of SPF, DKIM and DMARC records is to tell the server if email has genuinely been sent from an authorised sending server, and if it is not, what the mail server should do with the email. So this is a way to stop spammers impersonating another domain, if DNS records exist. A word of warning, if using these DNS records, check and recheck them, or if wrong, your email will most likely fail to be received

There's a lot more but time is short sorry, and you're touching on lots of different topics

Many thanks

John
Title: Re: Convincing fake invoice
Post by: d2d4j on March 07, 2017, 11:05:37 AM
Hi weaver

Sorry, quickly, you set the action for spf when you create the record, soft, soft fail, hard fail

Many thanks

John
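John's two posts above describe what the SPF, DKIM and DMARC records tell a receiving server and that the SPF action (soft fail or hard fail) is chosen when the record is written. This added example, not code from the thread, shows how a receiver reads those two policies out of the published TXT records; the records are constructed for the placeholder domain example.test.

```python
"""Interpret the sender-policy DNS records the posts above describe: the SPF
"all" qualifier that sets soft fail vs hard fail, and the DMARC p= policy a
receiver is asked to apply. Added example, not from the thread; the records
below are constructed for the placeholder domain example.test."""

SPF_QUALIFIERS = {
    "-": "fail (hard fail: reject or score heavily)",
    "~": "softfail (soft fail: mark or score, usually still accept)",
    "?": "neutral (no assertion)",
    "+": "pass (anyone may send as this domain: effectively no policy)",
}


def spf_policy(txt):
    """Return (listed_terms, verdict_for_unlisted_senders) for an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    listed = []
    verdict = "neutral (no 'all' term, so unlisted senders are neutral)"
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in "+-~?":
            qual, mech = term[0], term[1:]
        if mech.lower() == "all":
            verdict = SPF_QUALIFIERS[qual]
            break                   # anything after 'all' is never evaluated
        listed.append(term)
    return listed, verdict


def dmarc_policy(txt):
    """Return the DMARC tags a receiver acts on, with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),
        "spf_alignment": "strict" if tags.get("aspf") == "s" else "relaxed",
        "dkim_alignment": "strict" if tags.get("adkim") == "s" else "relaxed",
        "percent": int(tags.get("pct", "100")),
    }


# Constructed records for the placeholder domain example.test.
WEAK_SPF = "v=spf1 mx include:_spf.mailhost.invalid ~all"
STRICT_SPF = "v=spf1 mx ip4:192.0.2.10 -all"
DMARC_TXT = "v=DMARC1; p=quarantine; sp=reject; adkim=s; rua=mailto:dmarc@example.test"

# Note: all of these only say who may send *as* the domain. A message sent from
# the domain's own compromised mailbox passes every one of them, which is the
# case the thread started with.

if __name__ == "__main__":
    for rec in (WEAK_SPF, STRICT_SPF):
        print(rec, "->", spf_policy(rec))
    print(DMARC_TXT, "->", dmarc_policy(DMARC_TXT))
```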
Title: Re: Convincing fake invoice
Post by: Weaver on March 07, 2017, 11:07:22 AM
John, that will be what you recommend that receivers do, then. I was thinking about a UI for the receiving end.
Title: Re: Convincing fake invoice
Post by: d2d4j on March 07, 2017, 11:14:05 AM
Hi weaver

Many thanks, sorry I get confused or am slow understanding sorry

The mail servers would have already classified the email, but on the user end, in their email client, a user should be able to set their own rules for email classification e.g. Outlook does

If using an IMAP client, then there should be 2 special folders, usually spam and ham, so any spam or unwanted email just has to be sent to the spam folder, but usually you need to send good email to the ham folder, so the Bayesian systems know what's good and bad, and are trained correctly

The above applies on mobiles, iPad web based access etc...

Many thanks

John
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 07, 2017, 11:15:44 AM
Worth emphasising that the fake invoice that triggered this thread would not have been trapped by any of the authentication methods.  Gmail did identify it as spam, not because of anything in the headers, but only because it contained a hyperlink to an address that Google had identified as being dodgy.

It wasn't actually spam in the normal sense, it was evidently sent from a genuine account that had been hacked.  And carefully crafted to target the organisation's customers on an individual level, rather than a mass dispatch.  More of a social engineering exploit, rather than spam.

There is a danger, in deceiving ourselves that spam filters can get rid of all nasty emails, we may become overconfident and more vulnerable to such personal, 'non-spam' attacks.  Imho.
Title: Re: Convincing fake invoice
Post by: 4candles on March 07, 2017, 02:10:24 PM
Agreed, 7LM.


I'm generally trusting of people unless I have reason to think otherwise, but when it comes to the internet and email I'm the ultimate cynic - it's the only safe way.
Title: Re: Convincing fake invoice
Post by: renluop on March 07, 2017, 06:26:26 PM
@Mods! Too OT then delete.

Recently I received a package from one of those claims outfits. I have never, and will never, communicate with such vultures. It had an anonymous email address I use. How the devil did they get that gen?
Title: Re: Convincing fake invoice
Post by: Chrysalis on March 07, 2017, 06:28:49 PM
Sadly spam is more and more commonly being sent from legit email accounts, whether it's by using hacked accounts like this case or some other means. By legit I mean where it has proper SPF, DKIM, RDNS etc. and as such passes compliance checks; then the only way left to filter the spam is via reputation systems and scanning the email body itself.

Since the way to pass filters is all public, then sadly spammers also have access to that information and as such can learn how to avoid being marked as spam. It's a constant game of whack-a-mole.

We are also seeing over the years various anti-spam services being shut down, the latest one being the sought honeypot, which has just been closed without a reason given, just a note on the SpamAssassin page saying since Dec 2016 it is no longer updated. I expect likely denial of service attacks are involved.
Title: Re: Convincing fake invoice
Post by: Weaver on March 07, 2017, 07:11:38 PM
I wonder if social network technology could be used to fight spam. If you form a group with your trusted friends, then when one person gets some spam, you have it uploaded to a server, original headers and all, then content- and meta-data-based deductions are made based on it for look-alike spam matching and all of your friends get the new spam-matching db rule sent to their mail servers, or you blacklist an email address or domain or regex and publish that to your friends. So it's a rule-sharing system.

A variant that would work for non-trusted groups would be a vote-based system, but only if identities are checked and strict measures can be implemented to prevent false blacklisting for malicious purposes by creating a large number of bogus users or having bots as users. It would have to be a network of trust relationships possibly. One good thing would be to encourage users to separate out "simply unwanted" mail that is not truly spam in the legal sense of UCE or whatever but is an annoyance to them personally, vs true spam vs malicious email. There would have to be a lot of blocks against malicious or simply unwise blocking based on databases that are constantly updated to protect the system. For example, we don't want someone to block the entire house.com domain because they received a nuisance email from HP that might or might not technically qualify as true spam, it is just damned annoying, user never signed up for it, or can't remember having done so, maybe it's sneaky small print or literally illegal. But in that case we don't permit something that broad because "domain=*.hp.com" is on a whitelist (non-spammer _organisations_) but an email address-specific or content-matching blacklist rule would be allowed for that particular email. Perhaps someone has already done this.
Title: Re: Convincing fake invoice
Post by: renluop on March 07, 2017, 10:55:47 PM
Has anybody seen  this (https://www.theguardian.com/technology/2017/mar/06/email-addresses-spam-leak-river-city-media)?
Title: Re: Convincing fake invoice
Post by: Weaver on March 07, 2017, 11:08:58 PM
Wow.
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 07, 2017, 11:46:52 PM
Has anybody seen  this (https://www.theguardian.com/technology/2017/mar/06/email-addresses-spam-leak-river-city-media)?


Hmm, I wonder if The Gruniad has fallen for a trick here.  Following that link, which is to The Guardian...

Quote
According to security researchers at MacKeeper

MacKeeper is one of these packages that, whilst technically legal, often seems to get installed unexpectedly on the back of either some unrelated package, or as part of a bigger malware bundle.  It then starts warning about doom and gloom about to befall OS X, even though the only risk is from the malware that slipped in alongside MacKeeper.

I, personally, would not trust anything that they have to say.
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 08, 2017, 12:24:01 AM
See more here re MacKeeper.

https://blog.malwarebytes.com/puppum/2016/08/pup-friday-mackeeper/

It's all a bit near the knuckle for me as I (/we) were bitten by exactly that OS X malware attack just last week.  As above, I found MacKeeper and another malware bundle were the root of the symptoms, and both had gained access to the system on the back of a bogus Flash update. See my post

http://forum.kitz.co.uk/index.php/topic,19430.0.html

Title: Re: Convincing fake invoice
Post by: Weaver on March 08, 2017, 01:38:56 AM
I'm afraid I would never buy an OSX box. Done a really good job of scaring me off there. iOS - yes.
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 08, 2017, 03:05:51 AM
I'm afraid I would never buy an OSX box. Done a really good job of scaring me off there. iOS - yes.

That is your choice, but hopefully not made just because The Guardian may have been fooled into publishing a story about email spam, from a source that I associate with Malware and would not trust.   You can't blame that on OS X?

Personally, I still feel much safer with my Mac than either Windows or Linux boxes.   The malware in question tricked the user into responding to a prompt to manually install it, authenticating by password, unlike Windows malware that usually gets in totally unseen via some underlying OS vulnerability.
Title: Re: Convincing fake invoice
Post by: renluop on March 08, 2017, 07:03:46 AM

Hmm, I wonder if The Gruniad has fallen for a trick here.  Following that link, which is to The Guardian...

MacKeeper is one of these packages that, whilst technically legal, often seems to get installed unexpectedly on the back of either some unrelated package, or as part of a bigger malware bundle.  It then starts warning about doom and gloom about to befall OS X, even though the only risk is from the malware that slipped in alongside MacKeeper.

I, personally, would not trust anything that they have to say.
FWIW also here (http://www.itpro.co.uk/data-leakage/28268/spammers-leak-database-of-14-billion-users).
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 08, 2017, 06:02:22 PM
When it comes to spam email lists, I strongly suspect the main culprits are the individuals themselves, not being sufficiently defensive.

This afternoon I bought some stuff in Halfords.  At the till, they were asking people if they had an email address "for the receipt".  The correct answer is, of course, "I do have an email address but I am unwilling to tell you what it is".  Unsurprisingly though, the three people in front of me in the queue meekly complied, without even asking any questions about privacy policies.

That was the third time this week I've been asked for an email address, others were at a railway station when buying a travel card, and at an opticians having an eye test.  Same answer each time, "I am unwilling to tell you...".   Companies would not be harvesting email addresses unless they planned to spam you with reminders or special offers or, worse, to sell your email on to other spammers.  And even if they don't sell it on, a rogue employee might raid the list and sell it, or their servers might get hacked.

I must be doing something right because I have been using exactly the same private email since 1999, yet the spam count for the last 30 days stands at just 10 messages.  Not too bad, really.  ;)
Title: Re: Convincing fake invoice
Post by: broadstairs on March 08, 2017, 07:21:46 PM
Personally, I still feel much safer with my Mac than either Windows or Linux boxes.

Not sure I understand why you feel Mac OSX is better than Linux since a whole load of it under the covers is in fact Linux. Security on Linux when properly set up is pretty good, certainly better than Windows.

Stuart
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 08, 2017, 07:36:40 PM
Not sure I understand why you feel Mac OSX is better than Linux since a whole load of it under the covers is in fact Linux. Security on Linux when properly set up is pretty good, certainly better than Windows.

Stuart

Actually it is more Unix under the skin, rather than Linux.

I do agree though that the pecking order in terms of security would be from Microsoft (least secure) to either OS X or Linux at the other end.   Both OS X and Linux are good choices for the security conscious, imho.

I personally choose OS X, largely based on a personal hunch/mistrust that the Linux 'open' model is just too open, with no real vetting of the skills of the authors.   Much of OS X is open source too but, unlike Linux, a major and reputable vendor is willing to act as software publisher, and to take responsibility as a commercial entity with whom the buck stops if things go wrong.

I emphasise again though, I do respect Linux, my OS X allegiance is largely a personal thing. :)
Title: Re: Convincing fake invoice
Post by: Weaver on March 08, 2017, 08:51:08 PM
Sevenlayermuddle speaks wisdom. I just lie about my email address, or give a real address of another one of my mailboxes which is disposable in the sense that I just delete it when it starts to receive nuisance email.
Title: Re: Convincing fake invoice
Post by: sevenlayermuddle on March 08, 2017, 10:43:25 PM
All good practice, Weaver.

Another closely related problem of course is harvesting of phone numbers.   And sometimes, websites won't take an order, or a hotel booking, unless you give a phone number, "just in case there is a problem".   Rubbish.  They want your phone number because it is of commercial resale value, especially as they will also be able to sell the name and address associated with it.

My own tactic then is to simply omit the last digit.  Much better than giving a made-up number that might actually belong to some other poor soul, yet still ensures the data harvester will be frustrated.