crcsupport
asked on
Blocking phishing spam from a fake domain with just one letter different from our domain.
We use GFI MailEssentials; a few interesting spam messages from the same spammer passed all spam filters and were delivered to our financial controller. I posted the email at the bottom of this question. Basically the spammer created a fake domain and actually registered it (even paying for it and doing homework for this spam), and sent an email to our financial controller asking to wire money. The sender name is the same as our president's and the email address is just one letter different from our domain name.
I guess the spammer actually did some LinkedIn searching to find our company management list, then created a domain by adding an 'i', created an email server account and did all the hard work to send this spam.
So technically this domain and email server are legit and will pass our GFI MailEssentials spam filtering such as the SPF check, DNS and phishing databases (since it's a new domain), etc.
How can I block this type of email from a domain which is technically all legit and has never been in any spam database, but is just one letter 'i' different from our domain name?
--------------------------
COMPANY_CONTROLLER_NAME
Process a wire for $207,398.49 to the attached instructions now, code to admin expenses. Confirm when you have it sent.
COMPANY_PRESIDENT_NAME
-------- Original Message --------
Subject: (no subject)
Date: 2014-08-14 16:11
From: COMPANY_CEO_NAME <COMPANY_CEO_NAME_UPN@COMPANY_DOMAIN>
To: COMPANY_PRESIDENT_NAME <COMPANY_PRESIDENT_NAME_UPN@COMPANY_DOMAIN>
COMPANY_PRESIDENT_NAME,
Per our conversation, attached is the wiring instructions for the payment. Let me know when done.
COMPANY_CEO_NAME
X-Antivirus: AVG for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from smtprelay.b.hostedemail.com ([64.98.42.211]) by mail.COMPANY_DOMAIN with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 14 Aug 2014 10:21:14 -0400
Received: from filter.hostedemail.com (b-bigip1 [10.5.19.254])
by smtprelay02.b.hostedemail.com (Postfix) with ESMTP id 57116D39D6
for <COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN>; Thu, 14 Aug 2014 14:21:14 +0000 (UTC)
X-Session-Marker:
64617669642E65636B73746569 6E4076616C 6569726167 6C6F62616C 2E636F6D
X-Spam-Summary: 30,2,0,,d41d8cd98f00b204,COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com,:,RULES_HIT:41:152:355:379:582:602:800:871:960:962:973:988:989:1000:1152:1189:1260:1313:1314:1345:1381:1433:1434:1437:1516:1517:1518:1541:1566:1571:1575:1589:1594:1711:1714:1730:1764:1776:1792:2197:2198:2199:2200:2527:2528:2557:2559:2562:2909:3138:3139:3140:3141:3142:3653:3769:3865:3867:3871:3872:3873:4321:5007:6117:6119:6261:6264:6291:6506:6618:6663:6668:6669:6678:6747:6748:7281:7576:7802:7875:7903:8603:9007:9009:9545:10004:10214:10229:10394:10400:10402:10407:10482:10848:11473:11604:11658:11914:12043:12049:12166:12340:12517:12519:12555:12740:13095:13139:13848:14036:14096:19901:19997:21080,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:none,Custom_rules:0:0:0
X-HE-Tag: lift01_ab83d633b42c
X-Filterd-Recvd-Size: 229603
Received: from mail.FAKEDOMAIN.com (imap-ext [64.98.36.5])
(Authenticated sender: webmail@COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com)
by omf13.b.hostedemail.com (Postfix) with ESMTPA
for <COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN>; Thu, 14 Aug 2014 14:21:13 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_dc1c8cbdede6d879a60ceafe0e90c4c4"
Date: Thu, 14 Aug 2014 16:21:13 +0200
From: COMPANY_PRESIDENT_NAME <COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com>
To: COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN
Subject: Fwd: (no subject)
Message-ID: <332cee7dcc54a2d48d39c74f8dc4243f@FAKEDOMAIN.com>
X-Sender: COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com
User-Agent: Roundcube Webmail/1.0.1
X-Originating-IP: [50.115.35.196]
Return-Path: COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com
X-OriginalArrivalTime: 14 Aug 2014 14:21:14.0882 (UTC) FILETIME=[0185BE20:01CFB7CB]
--=_dc1c8cbdede6d879a60ceafe0e90c4c4
Content-Type: multipart/alternative;
boundary="=_9971c7f2b2e4017d6b9194ee062eaaf7"
--=_9971c7f2b2e4017d6b9194ee062eaaf7
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
--=_9971c7f2b2e4017d6b9194ee062eaaf7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
--=_9971c7f2b2e4017d6b9194ee062eaaf7--
--=_dc1c8cbdede6d879a60ceafe0e90c4c4
Content-Transfer-Encoding: base64
Content-Type: application/pdf;
name="ORIENT JOY HOLDING LIMITED WIRING INSTRUCTION.pdf"
Content-Disposition: attachment;
filename="ORIENT JOY HOLDING LIMITED WIRING INSTRUCTION.pdf";
size=165306
--=_dc1c8cbdede6d879a60ceafe0e90c4c4--
SOLUTION
SOLUTION
SOLUTION
ASKER
Is there any technology that can tell our clients if the email is actually from us, not from this fake domain?
SOLUTION
ASKER
I agree manual inspection is still better at filtering spam, but sometimes you make a mistake and only later find out it's wrong, and by then it's too late to get back the sent email with my credit card information. This can happen to our clients even though we alert them.
So, I wonder if there's any email technology available to verify that the email our clients receive is actually from us.
Is there any email technology other than just creating a signature in Outlook or using a company template Word document with a company letterhead?
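The check the asker is looking for is what DMARC gives a receiving mail server: the recipient looks up the policy published for the domain in the visible From: header and accepts the message only if SPF or DKIM passed for an identifier aligned with that domain. The example below is added here (not from the thread or from any product mentioned in it) and implements that alignment and disposition logic on constructed authentication results; the domain names, the `AuthResult` shape and the two-label organizational-domain shortcut are assumptions. The last function makes the caveat explicit: a lookalike domain registered by the attacker is a different From: domain, so the company's own policy never applies to it.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    """What the receiving MTA established for one message (constructed shape)."""
    from_header_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_result: str           # pass/fail/none for the envelope sender (RFC5321.MailFrom)
    spf_domain: str
    dkim_result: str          # pass/fail/none for the DKIM signature's d= domain
    dkim_domain: str

def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs equality, relaxed ('r') a shared org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    return dict(tag.strip().split("=", 1) for tag in txt.split(";") if "=" in tag)

def dmarc_disposition(r: AuthResult, policy: dict) -> str:
    """Return 'pass' when an aligned SPF or DKIM pass exists, else the p= action."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_header_domain, policy.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_header_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

def lookalike_is_out_of_scope(from_domain: str, policy_domain: str) -> bool:
    """The receiver looks up DMARC for the From: domain; a lookalike domain the
    attacker registered is a different domain, so the victim's policy is never consulted."""
    return org_domain(from_domain) != org_domain(policy_domain)

# Constructed record and cases (placeholder domains, not the asker's).
COMPANY_POLICY = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s")
# Someone forging the real domain in From: through a third-party relay -> rejected.
FORGED = AuthResult("company-domain.example", "fail", "bulkhost.example", "none", "")
# Genuine mail signed with the company's own DKIM key -> accepted.
GENUINE = AuthResult("company-domain.example", "pass", "company-domain.example",
                     "pass", "company-domain.example")

if __name__ == "__main__":
    print("forged:", dmarc_disposition(FORGED, COMPANY_POLICY))
    print("genuine:", dmarc_disposition(GENUINE, COMPANY_POLICY))
    print("lookalike covered by our policy:", not lookalike_is_out_of_scope("company-idomain.example", "company-domain.example"))
```

Publishing such a record protects the company's own domain against forgery at every receiver that enforces DMARC; the lookalike domain still needs the separate near-match detection discussed later in the thread.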
SOLUTION
SOLUTION
ASKER
Svet Paperov,
can you give me links to digital signing and encryption service? I don't know what it is.
ASKER
For Digital ID,
I guess it's only for Outlook users, for both sender and recipient.
http://office.microsoft.com/en-us/outlook-help/secure-messages-with-a-digital-signature-HP001230539.aspx
ASKER CERTIFIED SOLUTION
ASKER
OK, thanks.
I will keep this post for a while and see what others do to verify sender to recipient.
ASKER
1. What if they create a domain with a different letter, e.g. companyname.com and the fake domain is companyyname.com?
2. I am also concerned that the spammer may use the fake domain with our clients or with any entity in public, representing our company.
For this reason, I submitted the case to the fake domain registrar to see how they handle it.
Also, we have to look into the process of how we communicate with our clients for sensitive information.
I wonder if any of you have encountered this type of phishing email solely targeting a specific business entity and how you handled it.
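Both the original question (a domain with one extra 'i') and follow-up point 1 above (companyyname.com, a doubled letter) are the same problem: a sender domain a small edit distance away from the company's own. The example below is added here (not from the thread, and not GFI MailEssentials functionality) and shows the inbound-gateway check a practitioner would build: compute the Levenshtein distance between the From: domain and the protected domain, allow-list the domain itself and known partners, and escalate when a near-miss domain also carries an executive's display name, as in the quoted message. The domains, names and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration (placeholders, not the asker's real domain or staff).
OUR_DOMAIN = "example-corp.com"
EXECUTIVES = {"Company President", "Company CEO"}   # display names worth protecting
ALLOWED = {"example-corp.com", "partner.example"}   # our domain and known partners

# Constructed messages modelled on the headers quoted in the question.
RAW_MESSAGES = [
    "From: Company President <president@example-icorp.com>\nSubject: Fwd: (no subject)\n\nProcess a wire now.\n",
    "From: Company President <president@example-corp.com>\nSubject: Budget\n\nSee attached.\n",
    "From: Vendor Billing <ar@examplee-corp.com>\nSubject: Invoice\n\nPlease pay.\n",
    "From: Newsletter <news@unrelated.example>\nSubject: News\n\nHi.\n",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw: str) -> tuple[str, str]:
    """Return (display name, lower-cased domain) from the From: header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip(), addr.rsplit("@", 1)[-1].lower()

def classify(raw: str, max_distance: int = 2) -> str:
    """'exec-impersonation' for a near-miss domain using an executive's display name,
    'lookalike' for any other near-miss domain, 'ok' otherwise. Keep max_distance
    small: short domains produce false positives at larger values."""
    name, domain = sender_domain(raw)
    if domain in ALLOWED:
        return "ok"
    if levenshtein(domain, OUR_DOMAIN) <= max_distance:
        return "exec-impersonation" if name in EXECUTIVES else "lookalike"
    return "ok"

def scan(messages=RAW_MESSAGES) -> list[str]:
    """Classify every message; a gateway would quarantine anything not 'ok'."""
    return [classify(m) for m in messages]

if __name__ == "__main__":
    for raw, verdict in zip(RAW_MESSAGES, scan()):
        print(f"{verdict:20} {sender_domain(raw)[1]}")
```

The same distance check applied to client and partner domains catches the reverse case in point 2, where the lookalike is aimed at the people the company corresponds with.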