public:emai:malware [2021-10-21 13:29] – vesely | public:emai:malware [2021-11-19 08:13] – [Monitoring and filtering agenda] vesely |
---|
* [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. | * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. |
* [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) | * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) |
* [[:public:emai:malware#suspicious_content_html_links_docs|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes | * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes |
* [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. | * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. |
* [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. | * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. |
//Added subject tag: **[IPt:Possible Spoof]** // | //Added subject tag: **[IPt:Possible Spoof]** // |
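Review bot: the tag `[IP reputaton]` on the first list item is misspelled in both revisions; if it is the literal subject tag the filter inserts, keep it as-is and note that, otherwise correct it to `[IP reputation]`. On the third item the anchor now points at `suspicious_content_html_links_docs_macro`, matching the renamed heading later on the page, but the visible label "(HTML links, docs)" beside it was not updated to mention macros, so label and heading now disagree; suggest "(HTML links, docs, macro)" for the label as well.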
| |
see https://en.wikipedia.org/wiki/Email_spoofing | see [[https://en.wikipedia.org/wiki/Email_spoofing|https://en.wikipedia.org/wiki/Email_spoofing]] |
| |
Email spoofing is the creation of email messages with a forged sender address. | Email spoofing is the creation of email messages with a forged sender address. |
| |
| It usually happens when a sender uses different email address in "From:" field from the envelope email address (MAIL FROM:) |
| |
| **Legacy "legitimate use"** - In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor. |
| |
| **Malicious use of spoofing** - Phishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences. |
| |
| **Example of spoof email:** |
| |
| MAIL FROM: **johndoe2<font inherit/inherit;;#2980b9;;inherit>@gmail.com</font>** \\ |
| From: **john.doe<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** \\ |
| To: **jane.dow<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** |
| |
| Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\ |
| Problem is that such email is not sent (hence authorised) by cerge-ei.cz email server but it is sent by some third party server(google server in this case). |
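Review bot: the closing sentence of the new spoofing section, "such email is not sent (hence authorised) by cerge-ei.cz email server", reads as the opposite of what is intended; suggest "such an email is not sent (and hence not authorised) by the cerge-ei.cz email server but by a third-party server (a Google server in this case)". The earlier sentence "uses different email address in "From:" field from the envelope email address (MAIL FROM:)" would be clearer as "uses a different address in the "From:" header than in the envelope sender (MAIL FROM:)". In the example itself the two addresses are distinguished only by colour; naming them in the text as "envelope sender" (johndoe2@gmail.com) and "header From" (john.doe@cerge-ei.cz) would make the mismatch readable without relying on the colour markup.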
| |
===== SPF ===== | ===== SPF ===== |
===== Suspicious ===== | ===== Suspicious ===== |
| |
==== Suspicious content (HTML links, docs) ==== | ==== Suspicious content (HTML links, docs, macro) ==== |
| |
//Added subject tag: **[Suspicious]** // | //Added subject tag: **[Suspicious]** // |
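Review bot: the heading rename to "Suspicious content (HTML links, docs, macro)" is fine, but the "SPF" heading just above it is still empty in both revisions even though the new spoofing example is exactly the case SPF addresses; suggest at least one sentence there stating that SPF authorises the sending server against the envelope sender domain (MAIL FROM:), which is why the example's gmail.com envelope with a cerge-ei.cz "From:" header is not covered by cerge-ei.cz's SPF record and is tagged [IPt:Possible Spoof] instead.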