New Phishing emails targeting organisation and getting through filter

New Phishing emails targeting organisation and getting... - 26.Oct.2009 9:58:08 AM
TimBoothby
Posts: 4
Joined: 26.Oct.2009
Hi,

Over the last couple of weeks I've seen some new (to me) phishing scams, which worryingly are getting through the MailEssentials phishing filter. I have been forwarding these to phishing@gfi.com, and after a while GFI does start catching them, but not before a number have got through. Is there anything more I can do to stop these?

The emails purport to come from our organisation's tech support. Fortunately I'm in a small organisation and users have been recognising these as suspicious, but I can well imagine people falling for these in a bigger organisation where the IT department isn't personally known to the end users. The first one links to a patch.exe, the second takes you to an OWA login page presumably to steal users' login details. Three examples are below.

Thanks,
Tim

quote:
-----Original Message-----
From: administrator [mailto:administrator@mydomain.uk]
Sent: 26 October 2009 2:44 PM
To: Fire Services
Subject: System Upgrade

Attention!

On October 30, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.mydomain.uk.secure.www-administrators.com/ssl/id=759396878-legit.user@mydomain.uk-patch20780.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

quote:
From: no-reply@mydomain.uk [mailto:no-reply@mydomain.uk]
Sent: 20 October 2009 3:26 PM
To: Legit User
Subject: The settings for the legit.user@mydomain.uk were changed

Dear user of the mydomain.uk mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (legit.user@mydomain.uk) settings were changed. In order to apply the new set of settings click on the following link:

http://mydomain.uk/owa/service_directory/settings.php?email=legit.user@mydomain.uk&from=mydomain.uk&fromname=legit.user

Best regards, mydomain.uk Technical Support.

quote:
From: Microsoft Update Center [mailto:noreply@microsoft.com]
Sent: 23 October 2009 11:00
To: legit.user@mydomain.uk
Subject: Microsoft Outlook Critical Update

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)

Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest level of security and stability.

Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/KB910737/default.aspx?ln=en-us&email=legit.user@mydomain.uk&id=68151580281227697544831721989980745522388

Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.5
• Date Published: Fri, 23 Oct 2009 11:59:57 +0200
• Language: English
• File Size: 100 KB

System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express

RE: New Phishing emails targeting organisation and get... - 26.Oct.2009 1:43:41 PM
CC801340
Posts: 6
Joined: 30.Mar.2005
I've also had the same mail get through ME today and land directly into a user's Inbox. Any advice on how to stop them?

RE: New Phishing emails targeting organisation and get... - 26.Oct.2009 2:48:29 PM
remushociota
Posts: 125
Joined: 14.Mar.2007
I get hit with them as well. I was told to drop them in the Bayesian filter learning folder "this is spam". We will see if it helps or not.

RE: New Phishing emails targeting organisation and get... - 26.Oct.2009 3:14:55 PM
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Could these (mostly) be stopped by SPF? What does the dashboard say about them?
_____________________________
Disclaimer: I don't work for GFI, I just use their products.

RE: New Phishing emails targeting organisation and get... - 26.Oct.2009 5:25:05 PM
remushociota
Posts: 125
Joined: 14.Mar.2007
The SPF is not effective against them as it passes the test. The reply address is the spammer's one and it gets through. It is not like the old self-spam ones.

RE: New Phishing emails targeting organisation and get... - 27.Oct.2009 4:12:33 AM
TimBoothby
Posts: 4
Joined: 26.Oct.2009
quote:
What does the dashboard say about them?

Good question, the most recent one is showing as Whitelisted, presumably as the from address was spoofed as administrator@mydomain.uk. I've got *@mydomain.com in the whitelist, the rationale for this being that when there are false positives users will often retrieve a mail from their spam folder and want to forward it to other people. Is there a better way of handling this situation?

Thinking about it, this configuration is probably a hangover from when I first installed GFI many years ago, when all the Exchange services were on a single box. Now GFI is running on an edge transport server, so if I removed *@mydomain.com from the whitelist presumably users would be able to forward spam emails as they would not pass through GFI assuming it ignores outbound mails?

The older emails have "fallen off" the dashboard.
< Message edited by TimBoothby -- 27.Oct.2009 4:18:19 AM >

RE: New Phishing emails targeting organisation and get... - 27.Oct.2009 4:25:25 AM
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Yikes! That whitelist entry will be the reason you're getting spam. In your setup as you described, there is no reason to have your own domain in the whitelist. I assume mydomain.com=mydomain.uk? Even with ME and Exchange on a single box, there are very few reasons to have your own domain whitelisted, as it's a big "hole" in your spam defences. Take the entry out and see how it changes the situation.
_____________________________
Disclaimer: I don't work for GFI, I just use their products.

RE: New Phishing emails targeting organisation and get... - 27.Oct.2009 10:08:39 AM
TimBoothby
Posts: 4
Joined: 26.Oct.2009
Ok, thanks for the advice, I've removed the whitelist entry. The odd thing is the vast majority of spam and phishing emails were being caught. Anyway, hopefully it will be even better now!

RE: New Phishing emails targeting organisation and get... - 27.Oct.2009 11:12:02 AM
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
It will depend on the order of your modules, but most have whitelists at high priority.
_____________________________
Disclaimer: I don't work for GFI, I just use their products.
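
Added example (not part of the thread, and not GFI MailEssentials code): a check an edge server could run on mail arriving from the Internet, showing why SPF passes on these messages while a *@own-domain whitelist entry matches them, and how the lookalike link host stands out. The envelope senders, the lookalike host, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OWN_DOMAIN = "mydomain.uk"  # placeholder domain used in the thread

def domain_of(address):
    """Domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def inspect_inbound(envelope_from, raw_message, own_domain=OWN_DOMAIN):
    """Findings for one message that arrived from the Internet."""
    msg = message_from_string(raw_message)
    findings = []
    # SPF evaluates the envelope sender (MAIL FROM), not the From: header,
    # so it can pass while From: claims our domain. A From-based whitelist
    # entry such as *@own_domain would match exactly this message.
    if (in_domain(domain_of(msg.get("From", "")), own_domain)
            and not in_domain(domain_of(envelope_from), own_domain)):
        findings.append("header-from-claims-own-domain")
    # Hosts that embed our domain as leading labels of someone else's domain.
    for url in re.findall(r"https?://[^\s<>\"]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if own_domain in host and not in_domain(host, own_domain):
            findings.append("lookalike-host:" + host)
    return findings

# Constructed samples, modelled on the messages quoted in the thread.
SPOOFED = """\
From: administrator <administrator@mydomain.uk>
To: Fire Services <fire.services@mydomain.uk>
Subject: System Upgrade

Click the link provided to save the patch file:
http://updates.mydomain.uk.secure.example-admins.test/ssl/patch.exe
"""
LEGIT = """\
From: Alice <alice@partner.example>
To: Legit User <legit.user@mydomain.uk>
Subject: Meeting notes

Webmail is at https://mydomain.uk/owa if you need it.
"""

if __name__ == "__main__":
    print(inspect_inbound("bounce@sender.example", SPOOFED))
    print(inspect_inbound("alice@partner.example", LEGIT))
```
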