Odd behaviour with phishing message


Odd behaviour with phishing message

MK
This seems like it may be related to one reported earlier (or it could be a new bug).

A user connects, sends mail.  I attach the maillog here and the redacted headers from that message which ended up delivered in a user's inbox.  I'm monitoring if I can find any further mail from them to find the debug log, but I doubt it.

The mail goes through, but no X-ASSP header is added after the first Received header.  Moreover, the headers appear to be out of order in some weird way.
Odd that the X-Assp header isn't in there.  Odd that the headers in the resulting mail message appear out of order.

I don't know if this is much to go by, but of course I'm open to suggestions here...



==========================
Jul-18-17 12:28:21 [Worker_2] Connected: session:7FC4BF5721B0 218.4.45.155:52784 > 123.123.123.123:25 > suede.mydomain.com:12225
Jul-18-17 12:28:22 [Worker_2] 218.4.45.155 info: got STARTTLS request from 218.4.45.155
Jul-18-17 12:28:23 m1-95303-10942 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> Message-Score: added -10 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -10
Jul-18-17 12:28:24 m1-95303-10942 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] recipient delayed: [hidden email]
Jul-18-17 12:28:24 m1-95303-10942 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] [SMTP Status] 451 4.7.1 Please try again later
Jul-18-17 12:28:24 m1-95303-10942 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] info: PB-IP-Score for '218.4.45.0' is 0, added -10 in this session
Jul-18-17 12:28:24 m1-95303-10942 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] disconnected: session:7FC4BF5721B0 218.4.45.155 - processing time 3 seconds
Jul-18-17 12:35:39 [Worker_2] Connected: session:7FC4A8A62BA0 218.4.45.155:53610 > 123.123.123.123:25 > suede.mydomain.com:12225
Jul-18-17 12:35:39 [Worker_2] 218.4.45.155 info: got STARTTLS request from 218.4.45.155
Jul-18-17 12:35:40 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> Message-Score: added -10 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -10
Jul-18-17 12:35:54 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] [scoring] SPF: none ip=218.4.45.155 mailfrom=[hidden email] helo=mail.longliqicom.com
Jul-18-17 12:35:55 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] [monitoring] SenderBase -- Blocked IP-Country CN (CHINA TELECOM)
Jul-18-17 12:35:55 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] HMM-Check has given less than 6 results - using monitoring mode only
Jul-18-17 12:35:55 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] HMM Check [monitoring] - Prob: 0.66667 => spam - answer/query relation: 1% of 76
Jul-18-17 12:35:55 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 36% of 65
Jul-18-17 12:35:56 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] [Plugin] calling plugin ASSP_Razor
Jul-18-17 12:35:56 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] Message-Score: added 15 (ASSP_RazorValencePB) for ASSP_Razor: [scoring] 'razor check failed', total score for this message is now 5
Jul-18-17 12:35:56 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] deleting spamming safelisted tuplet: (218.4.45.0,longliqicom.com) age: 16s
Jul-18-17 12:35:56 m1-95740-12534 [Worker_2] [TLS-in] [razor] 218.4.45.155 <[hidden email]> to: [hidden email] [Plugin] calling plugin ASSP_DCC
Jul-18-17 12:35:56 m1-95740-12534 [Worker_2] [TLS-in] [MessageOK] 218.4.45.155 <[hidden email]> to: [hidden email] message ok [1]
Jul-18-17 12:35:56 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] info: start damping on closing connection (1)
Jul-18-17 12:35:57 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] finished message - received DATA size: 4.22 kByte - sent DATA size: 4.78 kByte
Jul-18-17 12:35:57 m1-95740-12534 [Worker_2] [TLS-in] 218.4.45.155 <[hidden email]> to: [hidden email] disconnected: session:7FC4A8A62BA0 218.4.45.155 - processing time 18 seconds
==========================
Received: from Mail.longrich.com ([218.4.45.155] helo=mail.longliqicom.com)
by suede.mydomain.com with SMTPS(TLSv1 DHE-RSA-AES128-SHA) (2.5.6); 18 Jul 2017 12:35:39 -0400
Received: from localhost (longliqi.cn [127.0.0.1])
by mail.longliqicom.com (EMOS V1.5 (Postfix)) with ESMTP id 094F0660860C;
Mon, 17 Jul 2017 11:02:18 -0400 (EST)
Received: (qmail 15043 invoked by uid 113); 18 Jul 2017 12:35:56 -0400
Received: from 127.0.0.1  (EHLO suede.mydomain.com) (123.123.123.123)
  by mta1010.rog.mail.gq1.yahoo.com with SMTPS; Tue, 18 Jul 2017 12:35:58 -0400
Received: from smtp.longliqicom.com (unknown [14.160.52.166])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.longliqicom.com (EMOS V1.5 (Postfix)) with ESMTPSA id 7069F6608609;
Mon, 17 Jul 2017 11:02:05 -0400 (EST)
Received: from mail.longliqicom.com ([127.0.0.1])
by localhost (longliqicom.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id LeCoKceCptql; Mon, 17 Jul 2017 11:02:17 -0400 (EST)
Received: (simscan 1.4.1 ppid 14865 pid 14880 t 15.2065s)
 (scanners:  clamav: 0.99.2/m:58/d:23542); 18 Jul 0117 12:35:41 -0400
Received: from suede.mydomain.com (HELO mail.longliqicom.com) (123.123.123.123)
  by suede.mydomain.com with SMTP; 18 Jul 2017 12:35:41 -0400
Received: (qmail 15045 invoked by uid 113); 18 Jul 2017 12:35:56 -0400
From: "SENDER SENDER" <[hidden email]>
To: "Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>,
"Recipient" <[hidden email]>
Subject: 1
Date: Tue, 18 Jul 2017 12:27:56 -0400
Message-ID: <[hidden email]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00F0_01D2FFD1.37211B50"
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [123.123.123.123]
Thread-Index: AQHRIRnZh0TqKO1YufW/UHVymvFwHQ==
==========================


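The two oddities in the post above (no X-ASSP header, and a Received: chain whose timestamps do not run newest-to-oldest) can be checked mechanically on a delivered message. The following is an added example, not code from ASSP or from the poster: it parses a header block, reads the date after the final ';' of each Received: line, flags hops that are dated later than the hop above them (beyond an assumed 5-minute clock-skew tolerance), flags implausible dates such as the four-digit year 0117 seen in the posted headers, and reports whether any X-Assp-* header is present. The header block is constructed to mirror the redacted one quoted above; hostnames, IDs and the function names are assumptions.

```python
"""Sanity-check the Received: chain of a delivered message.

Added example (not part of ASSP). A legitimate chain is stamped newest at the
top and oldest at the bottom; a hop dated later than the hop above it, or a
hop carrying a nonsense year, is worth a second look.
"""
import email
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed tolerance for clock drift between relays.
CLOCK_SKEW = timedelta(minutes=5)

# Constructed header block modelled on the redacted one quoted above: the
# third hop is newer than the second, one scanner stamped the year 0117, and
# no X-Assp-* header was added.
SAMPLE_HEADERS = """\
Received: from mail.sender.example ([203.0.113.9] helo=mail.sender.example)
  by suede.mydomain.com with SMTPS (2.5.6); 18 Jul 2017 12:35:39 -0400
Received: from localhost (sender.example [127.0.0.1])
  by mail.sender.example (Postfix) with ESMTP id ABCDEF123456;
  Mon, 17 Jul 2017 11:02:18 -0400 (EST)
Received: (qmail 15043 invoked by uid 113); 18 Jul 2017 12:35:56 -0400
Received: (simscan 1.4.1) (scanners: clamav: 0.99.2); 18 Jul 0117 12:35:41 -0400
Received: from relay.sender.example (unknown [198.51.100.5])
  by mail.sender.example with ESMTPSA id FEDCBA654321;
  Mon, 17 Jul 2017 11:02:05 -0400 (EST)
From: "Sender" <sender@sender.example>
To: "Recipient" <user@mydomain.com>
Subject: 1
Date: Tue, 18 Jul 2017 12:27:56 -0400

body
"""


def received_timestamp(value):
    """Return the timestamp stamped after the final ';' of a Received: value, or None."""
    folded = " ".join(value.split())  # unfold continuation lines
    if ";" not in folded:
        return None
    try:
        return parsedate_to_datetime(folded.rsplit(";", 1)[1].strip())
    except (TypeError, ValueError):
        return None


def check_received_chain(raw_headers, now=None):
    """Walk the Received: headers top-down and collect anomalies.

    Returns {"received_count": n, "anomalies": [{"hop": i, "kind": ...}, ...]}.
    Hops are numbered from 0 at the top (the most recent relay).
    """
    now = now or datetime.now(timezone.utc)
    msg = email.message_from_string(raw_headers)
    hops = msg.get_all("Received") or []
    anomalies = []
    last_good = None  # most recent plausible timestamp seen so far
    for index, value in enumerate(hops):
        stamp = received_timestamp(value)
        if stamp is None:
            anomalies.append({"hop": index, "kind": "undated"})
            continue
        if stamp.tzinfo is None:
            stamp = stamp.replace(tzinfo=timezone.utc)
        # A year before 1990 or a stamp in the future is not a real relay time.
        if stamp.year < 1990 or stamp > now + CLOCK_SKEW:
            anomalies.append({"hop": index, "kind": "implausible_date"})
            continue
        # Going down the chain, each hop should be no newer than the one above.
        if last_good is not None and stamp > last_good + CLOCK_SKEW:
            anomalies.append({"hop": index, "kind": "out_of_order"})
        last_good = stamp
    if not any(name.lower().startswith("x-assp") for name in msg.keys()):
        anomalies.append({"hop": None, "kind": "missing_x_assp"})
    return {"received_count": len(hops), "anomalies": anomalies}


if __name__ == "__main__":
    for item in check_received_chain(SAMPLE_HEADERS)["anomalies"]:
        print(item)
```

On the sample this reports hop 2 as out of order, hop 3 as carrying an implausible date, and the absence of any X-Assp-* header, which matches the three things the post finds odd. Real chains can legitimately contain small inversions from clock drift, hence the tolerance.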
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: Odd behaviour with phishing message

Colin
Interestingly I’ve had this reported to me today as well.

There was a message from the beginning of the month about this but I was
away and don’t think anyone picked it up.

In all cases, the message is a message that has been greylisted
according to the logs yet it has been delivered to the recipient.

Here’s an example:

2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
<[hidden email]> [SMTP Reply] 250 OK
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
<[hidden email]> adding new triplet:
(89.253.223.0,[hidden email],[hidden email]) on host
my.servername.tld
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
<[hidden email]> to: [hidden email] recipient delaying
queued: [hidden email]
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
<[hidden email]> to: [hidden email] [SMTP Reply] 250 Accepted
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
<[hidden email]> to: [hidden email] recipient delayed:
[hidden email]
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
<[hidden email]> to: [hidden email] [SMTP Status] 451 4.7.1
Greylisting, Please try again after 1 minute

Received message headers:

Received: from server.recipient.tld (1.1.1.1) by
server.recipient.tld (1.1.1.1) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.1.845.34
via Mailbox Transport; Tue, 18 Jul 2017 22:25:37 +0100
Received: from server.recipient.tld (1.1.1.1) by
server.recipient.tld (1.1.1.1) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.1.845.34; Tue, 18 Jul 2017 22:25:37 +0100
Received: from my.server.name (2.2.2.2 ) by
server.recipient.tld (1.1.1.1) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.1.845.34
via Frontend Transport; Tue, 18 Jul 2017 22:25:36 +0100
Received: from [127.0.0.1] (helo=vps-1033709-9570.host4g.ru)
                 by my.server.name with esmtp (Exim 4.86_2)
                 (envelope-from <[hidden email]>)
                 id 1dXa0l-00031j-1Q
                 for [hidden email]; Tue, 18 Jul 2017 22:26:34 +0100
Received: from vps-1033709-9570.host4g.ru ([89.253.223.149]
helo=vps-1033709-9570.host4g.ru)
                 by my.server.name with SMTPS(TLSv1_2
ECDHE-RSA-AES128-GCM-SHA256) (2.5.6); 18 Jul 2017 22:26:30 +0100
Received: by vps-1033709-9570.host4g.ru (Postfix, from userid 48)
                 id 88D4B2029E6F; Wed, 19 Jul 2017 00:20:20 +0300 (MSK)
From: Joseph C. <[hidden email]>
To: Recipient Name <[hidden email]>
Subject: [ Possibly Spam ] Enjoy your life, let's program works!
Thread-Topic: [ Possibly Spam ] Enjoy your life, let's program works!
Thread-Index: AQHTAAxl0AYbou0ktEiU2mMiTdVDrw==
Date: Tue, 18 Jul 2017 21:20:20 +0000
Message-ID: <[hidden email]>
Content-Language: en-GB
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: server.recipient.tld
X-MS-Has-Attach:
X-MS-Exchange-Organization-Network-Message-Id:
76a6f9b5-1c7b-4506-cc1a-08d4ce23882f
X-MS-TNEF-Correlator:
x-assp-envelope-from: [hidden email]
x-assp-intended-for: [hidden email]
x-php-originating-script: 48:ewocuqmz.php(1166) : runtime-created
function(1)
: eval()'d code(1) : eval()'d code
x-spam-status: yes
x-mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
Content-Type: multipart/alternative;
boundary="_000_8b391e9f77fb7215610f423dcbce06aalakomventru_"
MIME-Version: 1.0


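The log above shows, within one message id, both a greylisting 451 and a "250 Accepted" reply, which is the combination that should never end in delivery. The following is an added example, not ASSP code: it groups maillog lines by the message id that appears before the worker name (in both the `2017-07-18 22:20:23 m1-...` form used here and the `Jul-18-17 12:28:21 m1-...` form in the first post), records whether each message saw a greylisting status and whether it saw an acceptance marker, and lists the ids that saw both. The log excerpt, sender addresses and IPs are constructed; the function names and the set of acceptance markers are assumptions.

```python
"""Correlate ASSP maillog lines by message id to find messages that were
greylisted and accepted in the same session (added example, not part of ASSP).
"""
import re

# Constructed excerpt in the format of the maillog quoted above. The first
# message id shows the odd pattern (451 greylisting plus 250 Accepted); the
# other two are a normal first attempt and a normal retry.
SAMPLE_LOG = """\
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 203.0.113.10 <bad@sender.example> [SMTP Reply] 250 OK
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 203.0.113.10 <bad@sender.example> adding new triplet: (203.0.113.0,bad@sender.example,user@mydomain.example) on host my.servername.tld
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 203.0.113.10 <bad@sender.example> to: user@mydomain.example recipient delaying queued: user@mydomain.example
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 203.0.113.10 <bad@sender.example> to: user@mydomain.example [SMTP Reply] 250 Accepted
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 203.0.113.10 <bad@sender.example> to: user@mydomain.example recipient delayed: user@mydomain.example
2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 203.0.113.10 <bad@sender.example> to: user@mydomain.example [SMTP Status] 451 4.7.1 Greylisting, Please try again after 1 minute
2017-07-18 22:31:02 m1-12901-00612 [Worker_1] [TLS-in] 203.0.113.20 <ok@partner.example> to: user@mydomain.example recipient delayed: user@mydomain.example
2017-07-18 22:31:02 m1-12901-00612 [Worker_1] [TLS-in] 203.0.113.20 <ok@partner.example> to: user@mydomain.example [SMTP Status] 451 4.7.1 Greylisting, Please try again after 1 minute
2017-07-18 22:36:40 m1-12955-00640 [Worker_1] [TLS-in] 203.0.113.20 <ok@partner.example> to: user@mydomain.example [MessageOK] message ok [1]
"""

# timestamp (two tokens), optional message id, worker tag, rest of line
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:(?P<mid>m\d+-\d+-\d+) )?\[(?P<worker>Worker_\d+)\] (?P<rest>.*)$"
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
GREYLIST_RE = re.compile(r"\[SMTP Status\] 451 4\.7\.1")
# Assumed markers that the message body was taken for delivery.
ACCEPT_RE = re.compile(r"\[SMTP Reply\] 250 Accepted|\[MessageOK\]|finished message")


def parse_line(line):
    """Split one maillog line into its fields, or return None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def summarize_sessions(lines):
    """Return {message_id: {"first_seen", "peer", "greylisted", "accepted"}}."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mid"] is None:
            continue  # connection-level lines carry no message id
        peer = IP_RE.search(rec["rest"])
        entry = sessions.setdefault(rec["mid"], {
            "first_seen": rec["ts"],
            "peer": peer.group(0) if peer else None,
            "greylisted": False,
            "accepted": False,
        })
        if GREYLIST_RE.search(rec["rest"]):
            entry["greylisted"] = True
        if ACCEPT_RE.search(rec["rest"]):
            entry["accepted"] = True
    return sessions


def find_greylist_leaks(lines):
    """Message ids that were both greylisted and accepted in the same session."""
    return sorted(mid for mid, s in summarize_sessions(lines).items()
                  if s["greylisted"] and s["accepted"])


if __name__ == "__main__":
    for mid in find_greylist_leaks(SAMPLE_LOG.splitlines()):
        print("greylisted but accepted:", mid)
```

Running this over a day's maillog and comparing the flagged ids against what actually reached mailboxes is a quick way to tell whether the greylisting reply or the acceptance is the one that did not take effect.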
Re: Odd behaviour with phishing message

James Moe-2
On 07/20/2017 02:25 AM, Colin wrote:

> 2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
> <[hidden email]> to: [hidden email] recipient delayed:
> [hidden email]

> 2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
> <[hidden email]> to: [hidden email] [SMTP Status] 451 4.7.1
> Greylisting, Please try again after 1 minute
>
  This only indicates the message was delayed. Where are the logs when
the sender retried to send it?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

Re: Odd behaviour with phishing message

Colin
Hi James,

Thanks for the reply, it turns out that I'm seeing odd behaviour for
this recipient as they are in ptrSpamLovers.

The behaviour isn't what I would have expected - I see these in the
collected message:

X-Assp-allLovePTRSpam: 1
X-Assp-allLoveSpam: 1

They are not in spamLovers, so apparently them being in PTR spam lovers
also adds them to the main spam lovers. The message concerned didn't
actually have a failed PTR, so I wouldn't have expected it to bypass
the spam filtering.

All the best,

Colin.

On 20/07/2017 21:30, James Moe wrote:

> On 07/20/2017 02:25 AM, Colin wrote:
>
>> 2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
>> <[hidden email]> to: [hidden email] recipient delayed:
>> [hidden email]
>> 2017-07-18 22:20:23 m1-12823-00551 [Worker_3] [TLS-in] 89.253.223.149
>> <[hidden email]> to: [hidden email] [SMTP Status] 451 4.7.1
>> Greylisting, Please try again after 1 minute
>>
>    This only indicates the message was delayed. Where are the logs when
> the sender retried to send it?
>

