[MASOCH-L] Envio de fraude pelo outlook.com
Leandro Carlos Rodrigues
leandro at allchemistry.com.br
Tue Dec 15 10:01:43 -03 2015
Desconsiderem os "http://". Problema de copy/paste.
Leandro Carlos Rodrigues
TI All Chemistry do Brasil
(11) 3014-7100
Em 15/12/2015 09:52, Leandro Carlos Rodrigues escreveu:
> Pessoal,
>
> Acabei de me deparar com um caso interessante. A mensagem foi enviada
> pelo sistema outlook.com <http://outlook.com>, porém sem remetente e
> sem campo From:
>
> From MAILER-DAEMON Mon Dec 14 08:39:33 2015
> Return-path: <>
> Envelope-to:xxx at allchemistry.com.br <mailto:xxx at allchemistry.com.br>
> Received: frommail-db3hn0251.outbound.protection.outlook.com
> <http://mail-db3hn0251.outbound.protection.outlook.com>
> ([157.55.234.251] helo=emea01-db3-obe.outbound.protection.outlook.com
> <http://emea01-db3-obe.outbound.protection.outlook.com>)
> byallchem.allchemistry.com.br
> <http://allchem.allchemistry.com.br> with esmtp (Exim 4.80)
> id 1a8QXE-0004J5-VV
> forxxx at allchemistry.com.br <mailto:xxx at allchemistry.com.br>; Mon,
> 14 Dec 2015 08:39:33 -0200
> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
> Received: from [10.0.0.218] (169.0.153.62) by
> DB5PR09MB0568.eurprd09.prod.outlook.com
> <http://DB5PR09MB0568.eurprd09.prod.outlook.com> (10.161.200.28) with
> Microsoft SMTP
> Server (TLS) id 15.1.337.19; Mon, 14 Dec 2015 10:38:59 +0000
> Content-Type: text/plain; charset="utf-8"
> MIME-Version: 1.0
> Content-Transfer-Encoding: quoted-printable
> Content-Description: Mail message body
> Subject: Mrs.Maria Shawaan
> To: Recipients
> From: <>
> Date: Mon, 14 Dec 2015 00:38:41 -0800
> X-Originating-IP: [169.0.153.62]
> X-ClientProxiedBy:AM3PR05CA0076.eurprd05.prod.outlook.com
> <http://AM3PR05CA0076.eurprd05.prod.outlook.com> (25.162.114.44) To
> DB5PR09MB0568.eurprd09.prod.outlook.com
> <http://DB5PR09MB0568.eurprd09.prod.outlook.com> (25.161.200.28)
> Message-ID:
> <DB5PR09MB0568D773AB99D3A490EEE929B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com
> <mailto:DB5PR09MB0568D773AB99D3A490EEE929B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>>
>
> X-Microsoft-Exchange-Diagnostics:
> 1;DB5PR09MB0568;2:2B39zZSPWUFhCq/1rMttoF1Mz6Phw0yhNkh8UT3gtiRQ2wtL+IjTQYwmH/ftdipYvCV2LzfieDK9/HdfTpKi4t6/ORH4TR/3hmJyY334fTKcjTwcW8vESAYn7SAMYIEh2REJHuNZ5px4R+uXXopd5Q==;3:NtsJTrwZ9WmgLHXBrHZu8pVWsjWF+4U10JowrFA+wB84u7KrYeh0hYU3TiZ3GCf0RxCnN9zSkzeheAQXF2IGGhCgmXv9RoZrYGjfKZ1iJgAWau0qCXLs30xM2mAJNGNM;25:wzboQRaDO/pHsat4NincWut27ml1WNl5KujV1gbLY0g+u4/HaBL1yr6CASX4KJNjWRkKq5v3kkaqLvdNu0BD6f4boQ0iCHykiG/9CyJCrnP5ecDs/y0r2lg+s6/Who2Jgi4DesJE42uufg9ffBuN8Oy8+qtFJb9NZQGFa0WTCfOSNVZZxm7+nicnqtE4yl+2RilsIBlSZMtsaXpa0Lm0dVYkHkBoWsQpdb8UNA2ki7wEg38w1GyyZ1yhmTcRAfENrbHTGdvkKmXtMiJIsesB5w==;4:FsdGB/P/A/iNQ7RebyQM8EJFKiGApOhc02xuspgzvNF1tdzkX0sZEoMpWH4x8xJsjF+NhIOcteMJEKZ5+BHaGSKls3STvFguyD0sphA5aObuRXF6NB5Viv9oxagcxWsyR5fqOrdLcuzOlzC+PxaIEffwmEd7xYLj6lAScNWBKzEXSGV3ciKRkK7hr6b6AmFd8WwSp9ZgxfeO+eOV+rAUFFgCKYoqNcuuJII3YI5raKyzHZ7XnEWa1XWDVvvQHp6krG3bYOF8NewvublXhkgyjX1/aqjRGLyOA62sH3TCRxcyYSMihxhWu2UhZzndRxMrXCNCr6UyEF2IXapb2GjNLCQBiuGAHfzSHLodgentZI78ED+kqD2Py0AOS29ATx/p
>
> X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
> X-Microsoft-Antispam-PRVS:
> <DB5PR09MB056801D8CE74116A198FE5D3B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com
> <mailto:DB5PR09MB056801D8CE74116A198FE5D3B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>>
>
> X-Exchange-Antispam-Report-Test: UriScan:;
> X-Exchange-Antispam-Report-CFA-Test:
> BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046);SRVR:DB5PR09MB0568;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
> X-Forefront-PRVS: 0790FB1F33
> X-Forefront-Antispam-Report:
> SFV:SPM;SFS:(10019020)(6009001)(6049001)(5005620100007);DIR:OUT;SFP:1501;SCL:9;SRVR:DB5PR09MB0568;H:[10.0.0.218];FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
> Received-SPF: None (protection.outlook.com
> <http://protection.outlook.com>: [10.0.0.218] does not designate
> permitted sender hosts)
> X-Microsoft-Exchange-Diagnostics:
> 1;DB5PR09MB0568;23:8n9wbLZJPNu60xy4mlC6o5EPo6P3GJTdZsAcIZwkxevFOhw2GIAFySIQQkAVcNTYkaq3CuKBn8o1yHiBrg2UE+kbQL8U+1R3z9l5rvSgsHe3slWAGPRLWDBP68QNQjPvoiRl8fZZO+AcQpymquyEeFFtQksztQYENhC9UUPvbGKB/N7XwHaLks2L+p8WIp7fcGQb1we+oUBumQq4LYoG+rx0Q6udfHGvu28fwGEjEAKJoh79sv2/1mOqazKvhpKo8W2R8i1dKY9KFbmVVyGkpJu11kYOa/GEGjpSiRVoZFY=;5:fK+NQb7+BOWnjyDnAD20kr2UTqNSqmAPLtBEJxPvnLxi8uthvvOWDUVIrAiGxR+O75RlzVKWCb3nDoLJloSIBZHlu9aL9Lw8NVbvC0M0D0f+CQOIAuu4KHQrU7knWjrXZLk82cP8xM2ZsSmhrjsRow==;24:hwR2bFS3MRCxgTYtm3OwC+S36zksHPWQ0+dxjBNHzRjefl8CXLado22vSCysUhu4OK7v8HJZMUNdLDmMe2EOkQ==
> SpamDiagnosticOutput: 1:22
> SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
> X-OriginatorOrg:TicoTato480.onmicrosoft.com
> <http://TicoTato480.onmicrosoft.com>
> X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2015 10:38:59.8962
> (UTC)
> X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR09MB0568
> Received-SPFBL:
> NONEhttp://matrix.spfbl.net/spam/lG8rXFqVQh7HAx2ABAgZj1NqT8Y+UVR+72saM7ElUEtoyvHFOsSxrmxLZymRxjiV40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJZWWPT+TuOLL/xXqY75BC1d
> X-Allchem-Rule
> <http://matrix.spfbl.net/spam/lG8rXFqVQh7HAx2ABAgZj1NqT8Y+UVR+72saM7ElUEtoyvHFOsSxrmxLZymRxjiV40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJZWWPT+TuOLL/xXqY75BC1dX-Allchem-Rule>:
> suspect content message.
> X-Spam-Flag: YES
>
> Quando vi isso, me veio a ideia de pesquisar na base de dados de
> e-mails recebidos aqui usando os seguintes critérios:
>
> * Return-path equals "<>"
> * From not contains "@"
> * Received contains ".outlook.com <http://outlook.com>"
>
> Bingo! Todos os casos assim foram SPAM (todos fraude), sem exceção.
> Gostaria de pedir para vocês fazerem a mesma pesquisa nos históricos
> de vocês para a gente confirmar uma nova regra de bloqueio na seção
> DATA que estou bolando aqui. Abraços,
>
> Leandro Carlos Rodrigues
> TI All Chemistry do Brasil
> (11) 3014-7100
> __
> masoch-l list
> https://eng.registro.br/mailman/listinfo/masoch-l
More information about the masoch-l
mailing list