• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3684
  • Last Modified:

blocking phishing spam from a fake domain with just one letter different from our domain.

We use GFI Mail Essential, a few interesting spams from the same spammer passed all spam filter and delivered to our financial controller. I posted the email at the bottom of this. Basically the spammer created a fake domain and actually registered (even paying and doing home work for this spam), and sent an email to our financial controller to wire money. The sender name is the same as our president and the email address is just one letter different with our domain name.
I guess the spammer actually did some lInkedin search to find our company management list then created a domain adding 'i' and created email server account and all the hard works to send this spam.

So technically this domain and email server is legit and will pass our GFI Mail Essential spam filtering such as SPF check, DNS & phishing database since it's new domain, etc.

How can I block this type of emails from  a  domain which is technically all legit, never has been in any spam database, but just one letter 'i' is different from our domain name?

Process a wire for $207,398.49 to the attached instructions now, code to admin expenses. Confirm when you have it sent.


-------- Original Message --------
Subject:               (no subject)
Date:     2014-08-14 16:11


Per our conversation, attached is the wiring instructions for the payment. Let me know when done.


X-Antivirus: AVG for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from smtprelay.b.hostedemail.com ([]) by mail.COMPANY_DOMAIN with Microsoft SMTPSVC(6.0.3790.4675);
                Thu, 14 Aug 2014 10:21:14 -0400
Received: from filter.hostedemail.com (b-bigip1 [])
                by smtprelay02.b.hostedemail.com (Postfix) with ESMTP id 57116D39D6
                for <COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN>; Thu, 14 Aug 2014 14:21:14 +0000 (UTC)
X-Spam-Summary: 30,2,0,,d41d8cd98f00b204,COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com,:,RULES_HIT:41:152:355:379:582:602:800:871:960:962:973:988:989:1000:1152:1189:1260:1313:1314:1345:1381:1433:1434:1437:1516:1517:1518:1541:1566:1571:1575:1589:1594:1711:1714:1730:1764:1776:1792:2197:2198:2199:2200:2527:2528:2557:2559:2562:2909:3138:3139:3140:3141:3142:3653:3769:3865:3867:3871:3872:3873:4321:5007:6117:6119:6261:6264:6291:6506:6618:6663:6668:6669:6678:6747:6748:7281:7576:7802:7875:7903:8603:9007:9009:9545:10004:10214:10229:10394:10400:10402:10407:10482:10848:11473:11604:11658:11914:12043:12049:12166:12340:12517:12519:12555:12740:13095:13139:13848:14036:14096:19901:19997:21080,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:none,Custom_rules:0:0:0
X-HE-Tag: lift01_ab83d633b42c
X-Filterd-Recvd-Size: 229603
Received: from mail.FAKEDOMAIN.com (imap-ext [])
                (Authenticated sender: webmail@COMPANY_PRESIDENT_NAME_UPN@FAKEDOMAIN.com)
                by omf13.b.hostedemail.com (Postfix) with ESMTPA
                for <COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN>; Thu, 14 Aug 2014 14:21:13 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/mixed;
Date: Thu, 14 Aug 2014 16:21:13 +0200
Subject: Fwd: (no subject)
Message-ID: <332cee7dcc54a2d48d39c74f8dc4243f@FAKEDOMAIN.com>
User-Agent: Roundcube Webmail/1.0.1
X-Originating-IP: []
X-OriginalArrivalTime: 14 Aug 2014 14:21:14.0882 (UTC) FILETIME=[0185BE20:01CFB7CB]

Content-Type: multipart/alternative;

Content-Transfer-Encoding: 7bit
Content-Type: text/plain

Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: base64
Content-Type: application/pdf;
Content-Disposition: attachment;

  • 6
  • 4
  • 3
7 Solutions
Even if this domain is legitimate from a spam filter point of view, you can still block it from your mail server because its domain name is different from yours; whether by one character or ten characters is irrelevant.

I don't know the policies of your organisation, but you can block this dodgy domain at the server, or presumably you can tell GFI Mail Essentials to treat all mail from that domain as spam based purely on its domain name rather than its content.

You could also do a Whois lookup to find out where the domain is being hosted, although you'll probably find that it's somewhere where the forces of law and order are a bit thin on the ground.
Svet PaperovIT ManagerCommented:
Short answer: you can’t. Even if you block one, this won’t stop the attacker to create and use a new one.

Your user is subject of targeted social engineering attack. This kind of attacks cannot be stopped by technical means. The only way is to educate the users to distinguish legit mail from a fake one.

If the environment is very sensible, you could opt-in for mail encryption and digital signatures.

As a workaround, while looking for a long-term solution, you could create mail rules for the targeted user to flag the good e-mails.
Svet Paperov is correct in what he says; I omitted to say that the procedure I outlined above would have to be repeated for every new attack using this technique, which needless to say will become quite tiresome.

The price of freedom is eternal vigilance...
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

crcsupportAuthor Commented:
I blocked the domain, so the spam will not come to our company. But there are two concerns.

1. What if they create domain with a different letter, ex) companyname.com and fake domain is companyyname.com

2. I also concern if the spammer uses the fake domain with our clients or any entity in public representing our company.

For this reason, I submitted the case to the fake domain registrar to see how they handle it.
also, we have to look into the process of how we communicate with our clients for sensitive information.

I wonder if any of you encountered this type of phishing email solely targetting a specific business entity and how you handled it.
crcsupportAuthor Commented:
Is there any technology that can tell our clients if the email is actually from us, not from this fake domain?
Human beings are still better than technology at detecting fraudulent emails, but only if those human beings are educated and alert. You caught this attempt at fraud before it did any damage; your customers should be just as alert.

However, you might want to advise your clients of this nearly-your-domain threat, and any subsequent ones, as the possibilities for damage to the company/client relationship are substantial if you don't. If the cybercriminals can't fool you into parting with money they might settle for trying to ruin the company's reputation instead.
crcsupportAuthor Commented:
I agree manual inspection is still better filtering spams, but sometimes, you made mistake and later you found it's wrong, but it's too late to get back  the sent email with my credit card information. This can happen to our clients even though we alert them.
So, I wonder if there's any email technology available to verify if the email our clients receive is actually from us.
Is there any email technology other than just creating a signature in outlook or using company template word document with a company letter head?
Svet PaperovIT ManagerCommented:
All banks and other financial institutions have this problem with their clients. The only thing they can do is to communicate each major thread and educated the clients no to respond to suspicious e-mails.

The register might or might not do something but this is a never ending game.

Your best strategy will be digital signing and encryption even with your clients.
If there is I'm not aware of it. However, by advising your clients of this spurious domain (and any others like it) they can block emails from it with their own filters. Not a perfect solution, I agree, but a whole lot better than saying nothing and waiting for the fertiliser to hit the fan.
crcsupportAuthor Commented:
Svet Paperov,
can you give me links to digital signing and encryption service? I don't know what it is.
crcsupportAuthor Commented:
For Digital ID,
I guess it's only for Outlook users for both sender and recipient.

Svet PaperovIT ManagerCommented:
Symantec Digital ID is an example http://www.symantec.com/en/ca/digital-id but there are other solutions as well.

More about securing e-mail in Outlook 2010 with S/MIME http://office.microsoft.com/en-ca/outlook-help/secure-email-messages-by-using-a-digital-signature-HP010355563.aspx or via OWA http://technet.microsoft.com/en-us/library/bb738140(v=exchg.141).aspx   

Unfortunately, I cannot advise you further because I don’t have particular experience with those technologies except for receiving encrypted e-mails from time to time (may be until the moment when our organization becomes a victim of a similar attack).
crcsupportAuthor Commented:
OK, thanks.
I will keep this post for a while and see what others do to verify sender to recipient.

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 6
  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now