[MASOCH-L] Fraud sent through outlook.com

Leandro Carlos Rodrigues leandro at allchemistry.com.br
Thu Dec 17 17:02:20 -03 2015


One more case:

     From MAILER-DAEMON Thu Dec 17 16:58:19 2015
    Return-path: <>
    Envelope-to: xxx at allchemistry.com.br
    Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246] helo=emea01-db3-obe.outbound.protection.outlook.com)
    	by allchem.allchemistry.com.br with esmtp (Exim 4.80)
    	id 1a9dkc-0000hB-7o
    	for xxx at allchemistry.com.br; Thu, 17 Dec 2015 16:58:19 -0200
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=jtestero.onmicrosoft.com; s=selector1-jtestero-onmicrosoft-com;
      h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;
      bh=zwv17tOmJRqpNE9BtniBP91hP+UBRAtCQE0h3zZQ4Zo=;
      b=mkF8Q9iti54Z7+1lX7zRd4iTNHUob+4WH868/cubdc05pAxZ+Xy90VJlrENL+QhsugD+9kSq7Zl2F1bfnhjYqmhoOzT8AUERasN7G9rE99u2/ry+qql8qxCmmi0kUJSmZ+iukeCoBbKL50rdkr4lRkWNWOJ22DHI1Hh5tKEllt8=
    Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
    Received: from DAMMAIL01.TAJDEED.COM (212.12.190.113) by
      HE1PR05MB1401.eurprd05.prod.outlook.com (10.162.251.11) with Microsoft SMTP
      Server (TLS) id 15.1.361.13; Thu, 17 Dec 2015 18:57:58 +0000
    Content-Type: text/plain; charset="utf-8"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Content-Description: Mail message body
    Subject: Attn: Your Reply
    To: Recipients
    From: <>
    Date: Thu, 17 Dec 2015 21:56:55 +0300
    Reply-To: <jamesmnkosi2 at aol.com>
    X-Originating-IP: [212.12.190.113]
    X-ClientProxiedBy: AM3PR08CA0024.eurprd08.prod.outlook.com (25.160.207.162) To
      HE1PR05MB1401.eurprd05.prod.outlook.com (25.162.251.11)
    Message-ID: <HE1PR05MB14019650CB8922DA7F65D657B8E00 at HE1PR05MB1401.eurprd05.prod.outlook.com>
    X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR05MB1401;
    X-Microsoft-Antispam-PRVS: <HE1PR05MB1401787A4B73C5430EF4CE36B8E00 at HE1PR05MB1401.eurprd05.prod.outlook.com>
    X-Exchange-Antispam-Report-Test: UriScan:;
    X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046)(6009046)(6011046);SRVR:HE1PR05MB1401;BCL:0;PCL:0;RULEID:;SRVR:HE1PR05MB1401;
    X-Forefront-PRVS: 07935ACF08
    X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(6009001)(5005620100007);DIR:OUT;SFP:1501;SCL:9;SRVR:HE1PR05MB1401;H:DAMMAIL01.TAJDEED.COM;FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
    Received-SPF: None (protection.outlook.com: DAMMAIL01.TAJDEED.COM does not
      designate permitted sender hosts)
    SpamDiagnosticOutput: 1:22
    SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
    X-OriginatorOrg: jtestero.onmicrosoft.com
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Dec 2015 18:57:58.3904
      (UTC)
    X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR05MB1401
    Received-SPFBL: NONE http://matrix.spfbl.net/spam/ECb99svbwFhPhA9dQq2t5dlt4ZHjjhaFXZNuv5qKCzMiPlNvH5gKzQM03dL2cKaz40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJb+CoDwEUjLbkHbEJ0VWU3Ag6y9C3a9VWbUEpdrb7w1GhBDffYCm8F8+grWpEQN6hc=
    X-Allchem-Rule: suspect content message.
    X-Spam-Flag: YES
    X-Antivirus: AVG for E-mail 2016.0.7303 [4489/11198]
    X-AVG-ID: ID27567EAF-75F8B2E2

So far it is still matching here. As a reminder, the criteria are:

  * Return-path equals "<>"
  * From not contains "@"
  * Received contains ".outlook.com"

Has anyone been able to confirm this yet?

Leandro Carlos Rodrigues
IT, All Chemistry do Brasil
(11) 3014-7100

On 15/12/2015 09:52, Leandro Carlos Rodrigues wrote:
> Folks,
>
> I just came across an interesting case. The message was sent through
> the outlook.com system, but with no sender and with an empty From:
> field:
>
> From MAILER-DAEMON Mon Dec 14 08:39:33 2015
> Return-path: <>
> Envelope-to: xxx at allchemistry.com.br
> Received: from mail-db3hn0251.outbound.protection.outlook.com
> ([157.55.234.251] helo=emea01-db3-obe.outbound.protection.outlook.com)
>     by allchem.allchemistry.com.br with esmtp (Exim 4.80)
>     id 1a8QXE-0004J5-VV
>     for xxx at allchemistry.com.br; Mon, 14 Dec 2015 08:39:33 -0200
> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
> Received: from [10.0.0.218] (169.0.153.62) by
>  DB5PR09MB0568.eurprd09.prod.outlook.com (10.161.200.28) with Microsoft SMTP
>  Server (TLS) id 15.1.337.19; Mon, 14 Dec 2015 10:38:59 +0000
> Content-Type: text/plain; charset="utf-8"
> MIME-Version: 1.0
> Content-Transfer-Encoding: quoted-printable
> Content-Description: Mail message body
> Subject: Mrs.Maria Shawaan
> To: Recipients
> From: <>
> Date: Mon, 14 Dec 2015 00:38:41 -0800
> X-Originating-IP: [169.0.153.62]
> X-ClientProxiedBy: AM3PR05CA0076.eurprd05.prod.outlook.com (25.162.114.44) To
>  DB5PR09MB0568.eurprd09.prod.outlook.com (25.161.200.28)
> Message-ID: <DB5PR09MB0568D773AB99D3A490EEE929B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>
> X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
> X-Microsoft-Antispam-PRVS: <DB5PR09MB056801D8CE74116A198FE5D3B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>
> X-Exchange-Antispam-Report-Test: UriScan:;
> X-Exchange-Antispam-Report-CFA-Test: 
> BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046);SRVR:DB5PR09MB0568;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
> X-Forefront-PRVS: 0790FB1F33
> X-Forefront-Antispam-Report: 
> SFV:SPM;SFS:(10019020)(6009001)(6049001)(5005620100007);DIR:OUT;SFP:1501;SCL:9;SRVR:DB5PR09MB0568;H:[10.0.0.218];FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
> Received-SPF: None (protection.outlook.com: [10.0.0.218] does not designate
>  permitted sender hosts)
> SpamDiagnosticOutput: 1:22
> SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
> X-OriginatorOrg: TicoTato480.onmicrosoft.com
> X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2015 10:38:59.8962
>  (UTC)
> X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR09MB0568
> Received-SPFBL: NONE http://matrix.spfbl.net/spam/lG8rXFqVQh7HAx2ABAgZj1NqT8Y+UVR+72saM7ElUEtoyvHFOsSxrmxLZymRxjiV40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJZWWPT+TuOLL/xXqY75BC1d
> X-Allchem-Rule: suspect content message.
> X-Spam-Flag: YES
>
> When I saw this, I had the idea of searching the database of e-mails
> received here using the following criteria:
>
>  * Return-path equals "<>"
>  * From not contains "@"
>  * Received contains ".outlook.com"
>
> Bingo! Every case like this was SPAM (all of it fraud), without exception.
> I would like to ask you to run the same search over your own history so
> we can confirm a new blocking rule for the DATA section that I am putting
> together here. Regards,
>
> Leandro Carlos Rodrigues
> IT, All Chemistry do Brasil
> (11) 3014-7100
> __
> masoch-l list
> https://eng.registro.br/mailman/listinfo/masoch-l
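The three-header rule described in both messages above, as an added example that is not from the list thread or from All Chemistry's Exim setup: a Python check over raw headers using the standard library parser, so the folded Received lines are handled the way an MTA would see them. The sample headers are constructed; the first is trimmed from the Dec 17 headers quoted above, with the receiving host and recipient replaced by example.com.br placeholders, and the other two are invented to show messages that must not match.

```python
"""Check raw message headers against the three criteria from the post."""
from email import message_from_string

# Constructed samples. The first is trimmed from the Dec 17 headers in the
# post; the other two are invented to show messages that must NOT match.
SAMPLE_FRAUD = """\
Return-path: <>
Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246] helo=emea01-db3-obe.outbound.protection.outlook.com)
\tby mx.example.com.br with esmtp (Exim 4.80)
\tid 1a9dkc-0000hB-7o
\tfor xxx@example.com.br; Thu, 17 Dec 2015 16:58:19 -0200
Subject: Attn: Your Reply
From: <>
"""

# A legitimate bounce: null sender too, but its From carries an address.
SAMPLE_BOUNCE = """\
Return-path: <>
Received: from mx.example.net ([192.0.2.10])
\tby mx.example.com.br with esmtp (Exim 4.80)
\tfor xxx@example.com.br; Thu, 17 Dec 2015 17:00:00 -0200
From: Mail Delivery System <MAILER-DAEMON@example.net>
"""

# Ordinary Outlook-relayed mail: real envelope sender, real From.
SAMPLE_NORMAL = """\
Return-path: <alice@example.org>
Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246])
\tby mx.example.com.br with esmtp (Exim 4.80)
\tfor xxx@example.com.br; Thu, 17 Dec 2015 17:01:00 -0200
From: Alice <alice@example.org>
"""


def null_sender_via_outlook(raw_headers: str) -> bool:
    """True when Return-path is "<>", From has no "@", and any Received
    header mentions ".outlook.com" (the rule proposed in the post)."""
    msg = message_from_string(raw_headers)  # joins folded continuation lines
    return_path = (msg.get("Return-path") or "").strip()
    sender = msg.get("From") or ""
    received = msg.get_all("Received") or []  # every hop, not just the first
    return (return_path == "<>" and "@" not in sender
            and any(".outlook.com" in hop for hop in received))


def flag(samples: dict) -> list:
    """Names of the samples the rule would reject at DATA time."""
    return [name for name, hdrs in samples.items() if null_sender_via_outlook(hdrs)]
```

A null Return-path is also what legitimate bounces carry, and the rule separates them only by the From header, so review the matches from your own bounce history before turning it into a DATA-stage reject.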
