Differences

This shows you the differences between two versions of the page.

--- public:emai:malware [2021-10-21 12:55] – [Dealing with malware, spam, suspicious content] vesely
+++ public:emai:malware [2021-11-19 08:13] – [Monitoring and filtering agenda] vesely
@@ Line 1: / Line 1: @@
 ====== Dealing with malware, spam, suspicious content ======
-<faicon fa hand-o-right> [[:public:emai:malware#monitoring_and_filtering_agenda|Skip right to mail filtering agenda paragraph]]
+<faicon fa fa-hand-o-right> [[:public:emai:malware#monitoring_and_filtering_agenda|Skip right to mail filtering agenda paragraph]]
 ----
@@ Line 44: / Line 44: @@
   * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs.
   * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying)
-  * [[:public:emai:malware#suspicious_content_html_links_docs|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes
+  * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes
   * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document.
   * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics.
+===== Possible Spoof =====
+//Added subject tag: **[IPt:Possible Spoof]** //
+see [[https://en.wikipedia.org/wiki/Email_spoofing|https://en.wikipedia.org/wiki/Email_spoofing]]
+Email spoofing is the creation of email messages with a forged sender address.
+It usually happens when a sender uses different email address in "From:" field from the envelope email address (MAIL FROM:)
+**Legacy "legitimate use"**  - In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor.
+**Malicious use of spoofing**  - Phishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences.
+**Example of spoof email:**
+MAIL FROM: **johndoe2<font inherit/inherit;;#2980b9;;inherit>@gmail.com</font>** \\
+From: **john.doe<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** \\
+To: **jane.dow<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>**
+Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\
+Problem is that such email is not sent (hence authorised) by cerge-ei.cz email server but it is sent by some third party server(google server in this case).
 ===== SPF =====
@@ Line 195: / Line 218: @@
 ===== Suspicious =====
-==== Suspicious content (HTML links, docs) ====
+==== Suspicious content (HTML links, docs, macro) ====
 //Added subject tag: **[Suspicious]** //