Mailing List Archive

How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
I am certain many of you have seen this, but how do you block / bounce said
below e-mail via exim using spamassassin / clamd ?

Using FreeBSD 11.2 ports of Exim.



----- Forwarded message from doctor@nk.ca -----

Date: 27 Jan 2019 07:21:14 -0300
From: doctor@nk.ca
To: doctor@nk.ca
Subject: Your account has been hacked! You need to unlock.
Subject: {SPAM?} Your account has been hacked! You need to unlock.
X-Mailer: Microsoft Outlook 14.0

Hello!

I have very bad news for you.
12/10/2018 - on this day I hacked your OS and got full access to your account doctor@nk.ca

So, you can change the password, yes... But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $639 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 145SmyE7DBEQExsnXZobojbQqr5UdgbCHh

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Have a nice day!


----- End forwarded message -----

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Birthdate: 29 Jan 1969 Redhill, Surrey, England, UK

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 27/01/2019 12:33, The Doctor via Exim-users wrote:
> I am certain many of you have seen this, but how do you block / bounce said
> below e-mail via exim using spamassassin / clamd ?

You don't even need those two. Pick a couple of likely
words from the $h_subject: and deny.

They're lucrative, hence popular, hence mutating. You'll
have to track the changes and adjust with them.
--
Cheers,
Jeremy


Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 27 Jan 2019, at 12:33, The Doctor via Exim-users <exim-users@exim.org> wrote:
> am certain many of you have seen this, but how do you block / bounce said
> below e-mail via exim using spamassassin / clamd ?

Install at least the ‘phish’ database from SaneSecurity into ClamAV and let it do the heavy lifting with its Fake.Coin signatures. As Jeremy mentioned, doing it manually is a whack-a-mole job.

You won’t catch all of them all of the time, but you’ll get rid of a lot. On Friday & Saturday we rejected nearly 40000 & 30000 messages respectively on that detection alone (with no complaints), and we’re up to 10000 today already.

Graeme
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 27.01.19 at 14:42, Graeme Fowler via Exim-users wrote:
> On 27 Jan 2019, at 12:33, The Doctor via Exim-users <exim-users@exim.org> wrote:
>> am certain many of you have seen this, but how do you block / bounce said
>> below e-mail via exim using spamassassin / clamd ?
> Install at least the ‘phish’ database from SaneSecurity into ClamAV and let it do the heavy lifting with its’ Fake.Coin signatures. As Jeremy mentioned, doing it manually is a whack-a-mole job.
>
> You won’t catch all of them all of the time, but you’ll get rid of a lot. On Friday & Saturday we rejected nearly 40000 & 30000 messages respectively on that detection alone (with no complaints), and we’re up to 10000 today already.
>
> Graeme
I guess you are not using Spamhaus or a similar DNS IP blocking service,
as the sheer amount of "got hacked" fraud messages is insane in itself.

@All: Do your mail servers a favour:

Do not waste CPU cycles on SpamAssassin & co checks if you can avoid
those spammers when they try to connect.

best regards,
Marius


Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 27 Jan 2019, at 17:30, Cyborg via Exim-users <exim-users@exim.org> wrote:
> I guess, you are not using spamhaus or a similar dns ip blocking service,
> as the sheer amount of "got hacked" fraud messages is insane itselft.

You guess incorrectly.

Part of my day job is running the email infrastructure for a fairly large UK university. Today’s rejection stats for our staff email domain run at approx:

* 50% rejected at connect time, whether for DNSBL lookups or other reputation services including our own in-house one
* 20% invalid/rubbish/known bad EHLO/HELO
* 15% rejected for invalid recipients or unverifiable senders
* 15% for content-based problems - SpamAssassin, rspamd, malware, other lookups

That’s a fairly quiet day. On weekdays we can reject over 90% of all the connections or messages that hit us, into the top hundreds of thousands or low millions per day.

We’re of such a scale that we can’t use free DNSBL services, in the main. Encouraging people to use the free services is all very well but at scale they’ll end up being banned from them (or worst case getting a positive response for every lookup in order to discourage them).

As an aside, the SaneSecurity signatures include an awful lot more than just malware but should be used with care as some of the sig files are documented as having a high FP rate.

Graeme
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
Personally, I have an Exim filter that rejects any message
containing the word "bitcoin" in $message_body. This won't be
useful for you if you actually use bitcoins for anything, but it
works for me.

Ellen
--
mailto:ellen@ekrus.org

Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
It's simple.

Insert a rule that disallows messages originating from your
domain but not authorized to relay.
This check can be done both at MAIL FROM and MIME From level.

Something like this in acl_mail:

accept
  authenticated  = *
  sender_domains = nk.ca
  set acl_m0     = authorizedrelay

deny
  message        = You can't spoof the domains this server is authoritative for
  sender_domains = nk.ca

then in acl_data:

deny
  message   = You can't spoof the MIME From this server is authoritative for
  # From: address is in nk.ca or one of its subdomains; a bare user@nk.ca matches too
  condition = ${if match {$h_from:}{^(?i).*<[^>]*@([^>]*\\.)?nk\\.ca>\$}{yes}{no}}
  condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}


That will block this form of spam that spoofs your sender.

On Sun 27 Jan 2019 at 13:44, The Doctor via Exim-users
<exim-users@exim.org> wrote:
>
> I am certain many of you have seen this, but how do you block / bounce said
> below e-mail via exim using spamassassin / clamd ?
>
> Using FreeBSD 11.2 ports of Exim.

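As an added illustration (my code, not Sebastian's and not Exim configuration), the same acl_data decision in Python using the stdlib address parser instead of a regex, so that a bare address, a display name, several addresses, mixed case and a look-alike address hidden in the display name are all handled; nk.ca is the domain from the thread, the function names are my own:

```python
from email.utils import getaddresses

# The domain this server is authoritative for, taken from the thread.
PROTECTED_DOMAIN = "nk.ca"


def claims_protected_domain(from_header, domain=PROTECTED_DOMAIN):
    """True if any address in a From: header is in `domain` or a subdomain of it.

    Uses the stdlib address parser rather than a regex, so a bare address,
    a display name, several addresses and mixed case are all handled, and a
    look-alike address placed in the display name (the part outside the
    angle brackets) is ignored.
    """
    for _display_name, addr in getaddresses([from_header]):
        _local, sep, host = addr.rpartition("@")
        if not sep:
            continue  # no address here (empty or malformed entry)
        host = host.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def data_acl_verdict(from_header, authorized_relay):
    """The acl_data decision from the thread: an unauthenticated message whose
    From: claims our domain is denied; everything else is left to later checks."""
    if claims_protected_domain(from_header) and not authorized_relay:
        return "deny"
    return "accept"
```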
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On Sunday, 27 January 2019, 20:56:03 CET, Ellen Van Landingham via
Exim-users wrote:
> Personally, I have an Exim filter that rejects any message
> containing the word "bitcoin" in $message_body. This won't be
> useful for you if you actually use bitcoins for anything, but it
> works for me.

This is usually a very bad idea - even for pure personal usage, as there are
many ham mails around where these words could be found in their content (i.e.
incl. well-known newspapers, financial info and online shopping e-commerce
sites which offer payment by bitcoin (or describe why not in their notification
mails) etc. - or your own list mail here f.i....). On the other hand, I've seen
a lot of spam which contains "hot" terms/words in a mutated / non-official way -
i.e. "bitc0in" or "bitco1n"...

Fighting spam in a reliable way is a "science by itself" (as the spammer
business is still huge and clever) - unfortunately simple dictionary filters
have not been working reliably for decades. We've seen customers who
built such simple word filters (by sieve or similar) themselves and complained
months later about "lost" important mails...


hth
best regards,

niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On Sun, 27 Jan 2019 at 22:58, Graeme Fowler via Exim-users <
exim-users@exim.org> wrote:

> On 27 Jan 2019, at 17:30, Cyborg via Exim-users <exim-users@exim.org>
> wrote:
> > I guess, you are not using spamhaus or a similar dns ip blocking service,
> > as the sheer amount of "got hacked" fraud messages is insane itselft.
>
> You guess incorrectly.
>
> Part of my day job is running the email infrastructure for a fairly large
> UK university. Today’s rejection stats for our staff email domain run at
> approx:
>
> * 50% rejected at connect time, whether for DNSBL lookups or other
> reputation services including our own in-house one
> * 20% invalid/rubbish/known bad EHLO/HELO
> * 15% rejected for invalid recipients or unverifiable senders
> * 15% for content-based problems - SpamAssassin, rspamd, malware, other
> lookups
>

Are you using spamassassin+rspamd together on the same server? How? Or do you
run your mails through several servers?


>
> That’s a fairly quiet day. On weekdays we can reject over 90% of all the
> connections or messages that hit us, into the top hundreds of thousands or
> low millions per day.
>
> We’re of such a scale that we can’t use free DNSBL services, in the main.
> Encouraging people to use the free services is all very well but at scale
> they’ll end up being banned from them (or worst case getting a positive
> response for every lookup in order to discourage them).
>
> As an aside, the SaneSecurity signatures include an awful lot more than
> just malware but should be used with care as some of the sig files are
> documented as having a high FP rate.
>

I am following this advice for sure. Already looking into it.



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 28 Jan 2019, at 10:41, Odhiambo Washington <odhiambo@gmail.com> wrote:
> Are you using spamassassin+rspamd together in the same server? How? Or you run your mails through several servers?

At the top of the config (global setting):

spamd_address = $acl_m_spamengine

And in the appropriate ACL (pruned somewhat for readability):

## Rspamd
warn
  set acl_m_spamengine = $acl_m_spamengineaddress 11333 variant=rspamd

warn
  condition  = ${if <{$message_size}{$acl_m_checklimit}{yes}{no}}
  !condition = <several exception conditions>
  spam       = nobody:true/defer_ok
  set acl_m_rspamd = spam_score=$spam_score spam_score_int=$spam_score_int $spam_action

## SpamAssassin
warn
  set acl_m_spamengine = /var/run/spamassassin/spamd.sock

warn
  condition  = ${if <{$message_size}{$acl_m_checklimit}{yes}{no}}
  !condition = <several exception conditions>
  spam       = nobody:true/defer_ok
  set acl_m_sa = spam_score=$spam_score spam_score_int=$spam_score_int

...and then we do extracts of the scores from the two variables, combine them with a load of other logic and make a decision on whether to accept or reject.

Graeme
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 28 January 2019 3:53:49 pm AEDT, Sebastian Nielsen via Exim-users <exim-users@exim.org> wrote:
>Its simple.
>
>Insert a rule, which disallows messages that are originating from your
>domain but aren't authorized to relay.
>This check can be done both on MAIL FROM and Mime From level.
>

You probably also want to do some kind of verifiable signature in the envelope (i.e. BATV) so that legit emails that are forwarded back to you can be allowed through. It will also help against backscatter from spam campaigns that forge addresses in your domain as bounces can be rejected if you have signed all the outgoing envelopes and it's going to a regular email address.

>Something like this in acl_mail:
>
> accept
> authenticated = *
> sender_domains = nk.ca
> set acl_m0 = authorizedrelay
> deny
> message = You can't spoof the domains this server is authorative for
> sender_domains = nk.ca
>
>then in acl_data:
>
> deny
> message = You can't spoof the MIME From this server is authorative for
> condition = ${if match {$h_from:}{^(?i).*<.*@(.*\\.nk.ca>\$}{yes}{no}}
> condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
>
>

I'd echo the sentiment of the warning above. Sign your outgoing mail with dkim/arc and allow the ones where the signature still matches back in. Things like mailing lists would be rejected otherwise with the above rule. There is still the danger that the signatures get damaged in transit due to encoding changes or alterations of the subject or the addition of a footer. You may want/have to keep track of these lists and exempt them from the above policy.

>That will block these form of spam that spoof your sender.

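Richard's BATV suggestion worked through as an added example (my code, not Exim's prvs implementation and not from the thread): it builds and checks a prvs tag in the layout the BATV draft describes, as I understand it, and then makes the two envelope decisions the thread discusses: bounces are accepted only for recipients we tagged, and an unauthenticated sender claiming nk.ca is accepted only when it carries a tag we signed. The secrets, key numbers and day counts are constructed.

```python
import hashlib
import hmac
import re

# Constructed for the demonstration: the protected domain from the thread and
# a key-number -> secret table (rotate by adding a number and keep the old
# secret until the tags made with it have expired).
PROTECTED_DOMAIN = "nk.ca"
SECRETS = {0: "example-old-secret", 1: "example-current-secret"}

# prvs=K DDD SSSSSS=localpart@domain  (BATV draft layout as I understand it)
#   K      one-digit key number
#   DDD    expiry day, days since 1970-01-01 modulo 1000
#   SSSSSS first 6 hex digits of HMAC-SHA1(secret, K + DDD + untagged address)
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _tag_hash(secret, key_num, expiry_day, address):
    msg = f"{key_num}{expiry_day:03d}{address}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()[:6]


def prvs_sign(address, today, key_num=1, lifetime_days=7):
    """Tag an outgoing envelope sender; `today` is days since the epoch."""
    expiry = (today + lifetime_days) % 1000
    sig = _tag_hash(SECRETS[key_num], key_num, expiry, address)
    return f"prvs={key_num}{expiry:03d}{sig}={address}"


def prvs_check(tagged, today, max_lifetime_days=7):
    """Return the untagged address if the tag is ours and unexpired, else None."""
    m = PRVS_RE.match(tagged)
    if not m:
        return None
    key_num, expiry, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    secret = SECRETS.get(key_num)
    if secret is None:
        return None
    if not hmac.compare_digest(_tag_hash(secret, key_num, expiry, address), sig):
        return None
    # Days left until expiry, modulo 1000 so the day counter wrapping is
    # harmless; an expired tag shows up as a large positive number.
    if (expiry - today) % 1000 > max_lifetime_days:
        return None
    return address


def _domain_of(address):
    return address.rpartition("@")[2].lower()


def envelope_policy(mail_from, rcpt_to, authenticated, today):
    """RCPT-time decision combining the thread's sender-domain check with BATV.
    mail_from == "" is a bounce (null sender).  Returns 'accept' or 'reject'."""
    if mail_from == "":
        # Backscatter defence: only envelopes we tagged may receive bounces.
        return "accept" if prvs_check(rcpt_to, today) else "reject"
    if _domain_of(mail_from) == PROTECTED_DOMAIN and not authenticated:
        # Claims to be from us without authenticating: genuine only if it
        # carries our tag (our own mail forwarded back), otherwise a spoof.
        return "accept" if prvs_check(mail_from, today) else "reject"
    return "accept"
```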
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 27/01/2019 13:42, Graeme Fowler via Exim-users wrote:
> On 27 Jan 2019, at 12:33, The Doctor via Exim-users <exim-users@exim.org> wrote:
>> am certain many of you have seen this, but how do you block / bounce said
>> below e-mail via exim using spamassassin / clamd ?
> Install at least the ‘phish’ database from SaneSecurity into ClamAV and let it do the heavy lifting with its’ Fake.Coin signatures. As Jeremy mentioned, doing it manually is a whack-a-mole job.
>
> You won’t catch all of them all of the time, but you’ll get rid of a lot. On Friday & Saturday we rejected nearly 40000 & 30000 messages respectively on that detection alone (with no complaints), and we’re up to 10000 today already.
>
> Graeme

Graeme,

Would you mind posting a link to where to get this from and/or a few
lines of 'how to' since when I go to SaneSecurity I get redirected to
ExtremeShock and can't find anything?

Mike


Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
IMHO a mailing list or forwarder service should NEVER use the sender's
address and "impersonate" the sender. Better to replace it with the
mailing list address (some mailing lists do this), and forwarders should
replace the sender's address with the address of the forwarding account.

On Thu 31 Jan 2019 at 23:32, Richard James Salts via
Exim-users <exim-users@exim.org> wrote:
>
>
>
> On 28 January 2019 3:53:49 pm AEDT, Sebastian Nielsen via Exim-users <exim-users@exim.org> wrote:
> >Its simple.
> >
> >Insert a rule, which disallows messages that are originating from your
> >domain but aren't authorized to relay.
> >This check can be done both on MAIL FROM and Mime From level.
> >
>
> You probably also want to do some kind of verifiable signature in the envelope (i.e. BATV) so that legit emails that are forwarded back to you can be allowed through. It will also help against backscatter from spam campaigns that forge addresses in your domain as bounces can be rejected if you have signed all the outgoing envelopes and it's going to a regular email address.
>
>
> I'd echo the sentiment of the warning above. Sign your outgoing mail with dkim/arc and allow the ones where the signature still matches back in. Things like mailing lists would be rejected otherwise with the above rule. There is still the danger that the signatures get damaged in transit due to encoding changes or alterations of the subject or the addition of a footer. You may want/have to keep track of these lists and exempt them from the above policy.
>
> >That will block these form of spam that spoof your sender.
> >
> >Den sön 27 jan. 2019 kl 13:44 skrev The Doctor via Exim-users
> ><exim-users@exim.org>:
> >>
> >> I am certain many of you have seen this, but how do you block /
> >bounce said
> >> below e-mail via exim using spamassassin / clamd ?
> >>
> >> Using FreeBSD 11.2 ports of Exim.
> >>
> >>
> >>
> >> ----- Forwarded message from doctor@nk.ca -----
> >>
> >> Date: 27 Jan 2019 07:21:14 -0300
> >> From: doctor@nk.ca
> >> To: doctor@nk.ca
> >> Subject: Your account has been hacked! You need to unlock.
> >> Subject: {SPAM?} Your account has been hacked! You need to unlock.
> >> X-Mailer: Microsoft Outlook 14.0
> >>
> >> Hello!
> >>
> >> I have very bad news for you.
> >> 12/10/2018 - on this day I hacked your OS and got full access to your
> >account doctor@nk.ca
> >>
> >> So, you can change the password, yes... But my malware intercepts it
> >every time.
> >>
> >> How I made it:
> >> In the software of the router, through which you went online, was a
> >vulnerability.
> >> I just hacked this router and placed my malicious code on it.
> >> When you went online, my trojan was installed on the OS of your
> >device.
> >>
> >> After that, I made a full dump of your disk (I have all your address
> >book, history of viewing sites, all files, phone numbers and addresses
> >of all your contacts).
> >>
> >> A month ago, I wanted to lock your device and ask for a not big
> >amount of btc to unlock.
> >> But I looked at the sites that you regularly visit, and I was shocked
> >by what I saw!!!
> >> I'm talk you about sites for adults.
> >>
> >> I want to say - you are a BIG pervert. Your fantasy is shifted far
> >away from the normal course!
> >>
> >> And I got an idea....
> >> I made a screenshot of the adult sites where you have fun (do you
> >understand what it is about, huh?).
> >> After that, I made a screenshot of your joys (using the camera of
> >your device) and glued them together.
> >> Turned out amazing! You are so spectacular!
> >>
> >> I'm know that you would not like to show these screenshots to your
> >friends, relatives or colleagues.
> >> I think $639 is a very, very small amount for my silence.
> >> Besides, I have been spying on you for so long, having spent a lot of
> >time!
> >>
> >> Pay ONLY in Bitcoins!
> >> My BTC wallet: 145SmyE7DBEQExsnXZobojbQqr5UdgbCHh
> >>
> >> You do not know how to use bitcoins?
> >> Enter a query in any search engine: "how to replenish btc wallet".
> >> It's extremely easy
> >>
> >> For this payment I give you two days (48 hours).
> >> As soon as this letter is opened, the timer will work.
> >>
> >> After payment, my virus and dirty screenshots with your enjoys will
> >be self-destruct automatically.
> >> If I do not receive from you the specified amount, then your device
> >will be locked, and all your contacts will receive a screenshots with
> >your "enjoys".
> >>
> >> I hope you understand your situation.
> >> - Do not try to find and destroy my virus! (All your data, files and
> >screenshots is already uploaded to a remote server)
> >> - Do not try to contact me (this is not feasible, I sent you an email
> >from your account)
> >> - Various security services will not help you; formatting a disk or
> >destroying a device will not help, since your data is already on a
> >remote server.
> >>
> >> P.S. You are not my single victim. so, I guarantee you that I will
> >not disturb you again after payment!
> >> This is the word of honor hacker
> >>
> >> I also ask you to regularly update your antiviruses in the future.
> >This way you will no longer fall into a similar situation.
> >>
> >> Do not hold evil! I just do my job.
> >> Have a nice day!
> >>
> >>
> >> ----- End forwarded message -----
> >>
> >> --
> >> Member - Liberal International This is doctor@@nl2k.ab.ca Ici
> >doctor@@nl2k.ab.ca
> >> Yahweh, Queen & country!Never Satan President Republic!Beware
> >AntiChrist rising!
> >> https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53
> >on Atheism
> >> Birthdate: 29 Jan 1969 Redhill, Surrey, England, UK
> >>
> >> --
> >> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> >> ## Exim details at http://www.exim.org/
> >> ## Please use the Wiki with this list - http://wiki.exim.org/
Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.] [ In reply to ]
On Fri, Feb 01, 2019 at 09:25:56AM +0000, Mike Tubby via Exim-users wrote:
>
> On 27/01/2019 13:42, Graeme Fowler via Exim-users wrote:
> > On 27 Jan 2019, at 12:33, The Doctor via Exim-users <exim-users@exim.org> wrote:
> >> I am certain many of you have seen this, but how do you block / bounce said
> >> below e-mail via exim using spamassassin / clamd ?
> > Install at least the "phish" database from SaneSecurity into ClamAV and let it do the heavy lifting with its Fake.Coin signatures. As Jeremy mentioned, doing it manually is a whack-a-mole job.
> >
> > You won't catch all of them all of the time, but you'll get rid of a lot. On Friday & Saturday we rejected nearly 40000 & 30000 messages respectively on that detection alone (with no complaints), and we're up to 10000 today already.
> >
> > Graeme
>
> Graeme,
>
> Would you mind posting a link to where to get this from and/or a few
> lines of 'how to' since when I go to SaneSecurity I get redirected to
> ExtremeShock and can't find anything?
>

Right now, I have got this working via a FreeBSD port.

What platform are you on?

> Mike

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Birthdate: 29 Jan 1969 Redhill, Surrey, England, UK

Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.] [ In reply to ]
On Fri, 1 Feb 2019, Mike Tubby via Exim-users wrote:

> From: Mike Tubby via Exim-users <exim-users@exim.org>
> To: exim-users@exim.org
> Date: Fri, 1 Feb 2019 09:25:56
> Subject: Re: [exim] How to block using exim re:[.doctor@nk.ca: Your account has
> been hacked! You need to unlock.]

...

> Would you mind posting a link to where to get this from and/or a few
> lines of 'how to' since when I go to SaneSecurity I get redirected to
> ExtremeShock and can't find anything?

Haven't used ClamAV for a few years, so can't help with the "how to",
but the links:

https://sanesecurity.org/

https://sanesecurity.org/usage/signatures/

work for me and the second link lists the signature databases.

"ExtremeShock" looks to provide, via github, the download
script, and configuration details, for the signature databases.
--
Dennis Davis <dennisdavis@fastmail.fm>

Re: How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.] [ In reply to ]
As Dennis said:

On 2 Feb 2019, at 18:10, Dennis Davis via Exim-users <exim-users@exim.org> wrote:
> Haven't used ClamAV for a few years, so can't help with the "how to",
> but the links:
>
> https://sanesecurity.org/
>
> https://sanesecurity.org/usage/signatures/
>
> work for me and the second link lists the signature databases.

...the docs available at sanesecurity.org work perfectly. You will need to tune them to fit your own environment though.

Graeme
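Pulling together what the thread recommends (let ClamAV loaded with the SaneSecurity databases reject these messages, with SpamAssassin scoring alongside it), the following Exim ACL fragment is an added example; it was not posted in the thread and is not shipped by Exim, ClamAV or SaneSecurity. The socket paths, the `Sanesecurity.Phishing.` signature-name prefix and the spam threshold are assumptions to verify against your own clamd log and environment.

```exim
# Main configuration section: where Exim finds the scanners.
# Both socket/port values are assumptions for this example.
av_scanner    = clamd:/var/run/clamav/clamd.sock
spamd_address = 127.0.0.1 783

# ACL run at the end of DATA; wire it in with acl_smtp_data = acl_check_data.
acl_check_data:

  # First, the signatures this thread is about: hits from the SaneSecurity
  # phishing database. The name prefix below is an assumption; check the
  # exact form in clamd's log before relying on it. "defer_ok" means that
  # if clamd is unreachable the message falls through instead of deferring.
  deny
    malware     = */defer_ok
    condition   = ${if match{$malware_name}{\N^Sanesecurity\.Phishing\.\N}}
    message     = Rejected: phishing signature $malware_name
    log_message = sanesecurity phish hit $malware_name from $sender_address

  # Anything else ClamAV flags (its own signatures or other third-party
  # databases you enabled) is rejected too. While tuning a new database,
  # turn this into "warn" with an add_header instead so false positives
  # are visible rather than bounced. Exim caches the scan result for the
  # message, so this second malware condition does not rescan it.
  deny
    malware     = */defer_ok
    message     = Rejected: message matched signature $malware_name
    log_message = clamav hit $malware_name from $sender_address

  # Always run SpamAssassin and record its verdict in headers
  # ("nobody:true" forces the condition true so the warn fires every time).
  warn
    spam        = nobody:true
    add_header  = X-Spam-Score: $spam_score ($spam_bar)
    add_header  = X-Spam-Report: $spam_report

  # Reject only clear spam. $spam_score_int is the score times ten,
  # so 100 corresponds to 10.0 (threshold is an assumption, tune locally).
  deny
    spam        = nobody
    condition   = ${if >{$spam_score_int}{100}}
    message     = Rejected: SpamAssassin score $spam_score is over the local limit

  accept
```

Watch the log_message lines in the Exim main log for a day or two before switching the second deny from warn to deny, which is the "tune to your environment" step Graeme mentions.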