[MASOCH-L] Fraud sent through outlook.com
Leandro Carlos Rodrigues
leandro at allchemistry.com.br
Thu Dec 17 17:02:20 -03 2015
One more case:
From MAILER-DAEMON Thu Dec 17 16:58:19 2015
Return-path: <>
Envelope-to: xxx at allchemistry.com.br
Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246] helo=emea01-db3-obe.outbound.protection.outlook.com)
by allchem.allchemistry.com.br with esmtp (Exim 4.80)
id 1a9dkc-0000hB-7o
for xxx at allchemistry.com.br; Thu, 17 Dec 2015 16:58:19 -0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=jtestero.onmicrosoft.com; s=selector1-jtestero-onmicrosoft-com;
h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=zwv17tOmJRqpNE9BtniBP91hP+UBRAtCQE0h3zZQ4Zo=;
b=mkF8Q9iti54Z7+1lX7zRd4iTNHUob+4WH868/cubdc05pAxZ+Xy90VJlrENL+QhsugD+9kSq7Zl2F1bfnhjYqmhoOzT8AUERasN7G9rE99u2/ry+qql8qxCmmi0kUJSmZ+iukeCoBbKL50rdkr4lRkWNWOJ22DHI1Hh5tKEllt8=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
Received: from DAMMAIL01.TAJDEED.COM (212.12.190.113) by
HE1PR05MB1401.eurprd05.prod.outlook.com (10.162.251.11) with Microsoft SMTP
Server (TLS) id 15.1.361.13; Thu, 17 Dec 2015 18:57:58 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Attn: Your Reply
To: Recipients
From: <>
Date: Thu, 17 Dec 2015 21:56:55 +0300
Reply-To: <jamesmnkosi2 at aol.com>
X-Originating-IP: [212.12.190.113]
X-ClientProxiedBy: AM3PR08CA0024.eurprd08.prod.outlook.com (25.160.207.162) To
HE1PR05MB1401.eurprd05.prod.outlook.com (25.162.251.11)
Message-ID: <HE1PR05MB14019650CB8922DA7F65D657B8E00 at HE1PR05MB1401.eurprd05.prod.outlook.com>
X-Microsoft-Exchange-Diagnostics: 1;HE1PR05MB1401;2:9dTa9h9bzINbxGpQt0MJk18LupP7UQ3CfRn+jaGz1wGoqKFNsm/bOdD9jzzYWTZBEkWD7/vuGrM5hp7qlwwHXQa7KLES7yrzvEiILnmcmS6w49n82ENSK6/Vnz9cQHk14wKL4umniYPrDl6ZTy95kg==;3:lMGjrJQIL6cOPa/w5aO8VxMUVmci5nEC5AarrfogGS37qgIsZtU8g0t6oVazU5su0C/Vnv93Wjh9Kr+7xvBTFXFjC1gLMvS0y6auG1Ri+mUHD1pVsTJfDWf7xKiSWO2y;25:wBiBfaf3+1nV2YrdKJkZdMYcjWgWbz6rPqXMbtAGpCj7krOLjtV+3gMmAujGj6GdmaGIlNNHsd++X1qWQrgc8Le6ZxQWZ+DBtg4lgARxMuaQR23UH/q/32qWTRAjH2mZ5GQUIzrPMaRAfGK2BFuTtlzJjKHZWutBnlutmjPKV7Idi+cpqoMP6mV/Gw4eMxbSSDeEsyf5BR9TY/uVOw5UHQn2G5tfsOpnraz9LhFyLoN6q9Wt91M+7B47cEaXXUnzWwOfR8djZNYqITYSWIvPDw==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR05MB1401;
X-Microsoft-Antispam-PRVS: <HE1PR05MB1401787A4B73C5430EF4CE36B8E00 at HE1PR05MB1401.eurprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046)(6009046)(6011046);SRVR:HE1PR05MB1401;BCL:0;PCL:0;RULEID:;SRVR:HE1PR05MB1401;
X-Microsoft-Exchange-Diagnostics:
1;HE1PR05MB1401;4:j81WDELvyiWtwqn3NSFhXtEELQSi0TUmPoGJBmnFO023g5izY2q9FnevtOTuxOSZaC9IhOWLUN4gl6+Ck5Eqpr4D6e3o+Xo6l+6f4JkAICwFIB3WSvG5QbAth93cnSi48R0mU1oKQaugNGfI/yrxSPs6Pp2NTxCesd1Ncqb4BG5KIZZsYBJ/VKxfZvpgaPaZXQi8CPgaxYoMa84lQdEeaqJMKd5H3P3MnRI7ypk3EKgzmwhnvyv+s+oMfq8nyYEPofCstd+HjD23TWAdp2hAtrV0V711RTORxqnqU1CTP9DL9LrxjpxD4HbAvl2UUIh6MBQN7RmfLwUHHwBVtkXJ+cHJadCieFlg0sSnmtGL29Efrxveq0xqZ3f7o1HU4uCrXEoOEKJooK6M//vReVJbteMtGvB9WzZKsZN1Tshkeek=;23:56JoQ+bo3UcUnXit4LJ5pXo4oDKdVfyaJehc3J92JvViq7FrJawdZvU5wxPv6aDylSMQB7L94DziQ7F7C3gFLEEGvztG0szAuYgHXg4Mz0B54JNFMn1SgucHc9yFFWA3FdllXh6GrdWnZog9zH2sSIKdUDx3whCXmJ0n/GMmup2zLyUYM3GYoATTAS7e4uViVAYB9E2lZ9PtLRA9LTWbP7Li2cb7HB4uQNxgdoIDaP0Z9ljqQiZiZun495G98wSREZ4IjmzZhi5OADlTtDGfdw==;5:QpE3UG8a64i272BP4B0sYTzli7PbiMHvTKE4I9S+VWJDOL9uf3SQRi/rhDpcwIzEq9CCDJV9ha8NGUTlc1du6CtABrJO/Qs8EE7cR8rI5RnGOnuQP149QlrXFeGhLIbXzzT7s1akid7n5xBksL0AOQ==;24:zWMtDqBxdyjcSdyN1e47EYtKKJpnTVvhMQ86fONJXkilYpZIrUoDoP3Dw//vV4Tx9do9WArdg65vpy0fv5v0lw==
X-Forefront-PRVS: 07935ACF08
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(6009001)(5005620100007);DIR:OUT;SFP:1501;SCL:9;SRVR:HE1PR05MB1401;H:DAMMAIL01.TAJDEED.COM;FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
Received-SPF: None (protection.outlook.com: DAMMAIL01.TAJDEED.COM does not
designate permitted sender hosts)
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
X-OriginatorOrg: jtestero.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Dec 2015 18:57:58.3904
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR05MB1401
Received-SPFBL: NONE http://matrix.spfbl.net/spam/ECb99svbwFhPhA9dQq2t5dlt4ZHjjhaFXZNuv5qKCzMiPlNvH5gKzQM03dL2cKaz40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJb+CoDwEUjLbkHbEJ0VWU3Ag6y9C3a9VWbUEpdrb7w1GhBDffYCm8F8+grWpEQN6hc=
X-Allchem-Rule: suspect content message.
X-Spam-Flag: YES
X-Antivirus: AVG for E-mail 2016.0.7303 [4489/11198]
X-AVG-ID: ID27567EAF-75F8B2E2
Still matching here so far. As a reminder, the criteria are:
* Return-path equals "<>"
* From not contains "@"
* Received contains ".outlook.com"
Has anyone been able to confirm?
Leandro Carlos Rodrigues
IT, All Chemistry do Brasil
(11) 3014-7100
On 15/12/2015 09:52, Leandro Carlos Rodrigues wrote:
> Folks,
>
> I just came across an interesting case. The message was sent
> through the outlook.com system, but with no sender and
> no From: field:
>
> From MAILER-DAEMON Mon Dec 14 08:39:33 2015
> Return-path: <>
> Envelope-to: xxx at allchemistry.com.br
> Received: from mail-db3hn0251.outbound.protection.outlook.com
> ([157.55.234.251] helo=emea01-db3-obe.outbound.protection.outlook.com)
> by allchem.allchemistry.com.br with esmtp (Exim 4.80)
> id 1a8QXE-0004J5-VV
> for xxx at allchemistry.com.br; Mon, 14 Dec 2015 08:39:33 -0200
> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
> Received: from [10.0.0.218] (169.0.153.62) by
> DB5PR09MB0568.eurprd09.prod.outlook.com (10.161.200.28) with Microsoft SMTP
> Server (TLS) id 15.1.337.19; Mon, 14 Dec 2015 10:38:59 +0000
> Content-Type: text/plain; charset="utf-8"
> MIME-Version: 1.0
> Content-Transfer-Encoding: quoted-printable
> Content-Description: Mail message body
> Subject: Mrs.Maria Shawaan
> To: Recipients
> From: <>
> Date: Mon, 14 Dec 2015 00:38:41 -0800
> X-Originating-IP: [169.0.153.62]
> X-ClientProxiedBy: AM3PR05CA0076.eurprd05.prod.outlook.com (25.162.114.44) To
> DB5PR09MB0568.eurprd09.prod.outlook.com (25.161.200.28)
> Message-ID: <DB5PR09MB0568D773AB99D3A490EEE929B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>
> X-Microsoft-Exchange-Diagnostics:
> 1;DB5PR09MB0568;2:2B39zZSPWUFhCq/1rMttoF1Mz6Phw0yhNkh8UT3gtiRQ2wtL+IjTQYwmH/ftdipYvCV2LzfieDK9/HdfTpKi4t6/ORH4TR/3hmJyY334fTKcjTwcW8vESAYn7SAMYIEh2REJHuNZ5px4R+uXXopd5Q==;3:NtsJTrwZ9WmgLHXBrHZu8pVWsjWF+4U10JowrFA+wB84u7KrYeh0hYU3TiZ3GCf0RxCnN9zSkzeheAQXF2IGGhCgmXv9RoZrYGjfKZ1iJgAWau0qCXLs30xM2mAJNGNM;25:wzboQRaDO/pHsat4NincWut27ml1WNl5KujV1gbLY0g+u4/HaBL1yr6CASX4KJNjWRkKq5v3kkaqLvdNu0BD6f4boQ0iCHykiG/9CyJCrnP5ecDs/y0r2lg+s6/Who2Jgi4DesJE42uufg9ffBuN8Oy8+qtFJb9NZQGFa0WTCfOSNVZZxm7+nicnqtE4yl+2RilsIBlSZMtsaXpa0Lm0dVYkHkBoWsQpdb8UNA2ki7wEg38w1GyyZ1yhmTcRAfENrbHTGdvkKmXtMiJIsesB5w==;4:FsdGB/P/A/iNQ7RebyQM8EJFKiGApOhc02xuspgzvNF1tdzkX0sZEoMpWH4x8xJsjF+NhIOcteMJEKZ5+BHaGSKls3STvFguyD0sphA5aObuRXF6NB5Viv9oxagcxWsyR5fqOrdLcuzOlzC+PxaIEffwmEd7xYLj6lAScNWBKzEXSGV3ciKRkK7hr6b6AmFd8WwSp9ZgxfeO+eOV+rAUFFgCKYoqNcuuJII3YI5raKyzHZ7XnEWa1XWDVvvQHp6krG3bYOF8NewvublXhkgyjX1/aqjRGLyOA62sH3TCRxcyYSMihxhWu2UhZzndRxMrXCNCr6UyEF2IXapb2GjNLCQBiuGAHfzSHLodgentZI78ED+kqD2Py0AOS29ATx/p
> X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
> X-Microsoft-Antispam-PRVS: <DB5PR09MB056801D8CE74116A198FE5D3B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>
> X-Exchange-Antispam-Report-Test: UriScan:;
> X-Exchange-Antispam-Report-CFA-Test:
> BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046);SRVR:DB5PR09MB0568;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
> X-Forefront-PRVS: 0790FB1F33
> X-Forefront-Antispam-Report:
> SFV:SPM;SFS:(10019020)(6009001)(6049001)(5005620100007);DIR:OUT;SFP:1501;SCL:9;SRVR:DB5PR09MB0568;H:[10.0.0.218];FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
> Received-SPF: None (protection.outlook.com: [10.0.0.218] does not designate
> permitted sender hosts)
> X-Microsoft-Exchange-Diagnostics:
> 1;DB5PR09MB0568;23:8n9wbLZJPNu60xy4mlC6o5EPo6P3GJTdZsAcIZwkxevFOhw2GIAFySIQQkAVcNTYkaq3CuKBn8o1yHiBrg2UE+kbQL8U+1R3z9l5rvSgsHe3slWAGPRLWDBP68QNQjPvoiRl8fZZO+AcQpymquyEeFFtQksztQYENhC9UUPvbGKB/N7XwHaLks2L+p8WIp7fcGQb1we+oUBumQq4LYoG+rx0Q6udfHGvu28fwGEjEAKJoh79sv2/1mOqazKvhpKo8W2R8i1dKY9KFbmVVyGkpJu11kYOa/GEGjpSiRVoZFY=;5:fK+NQb7+BOWnjyDnAD20kr2UTqNSqmAPLtBEJxPvnLxi8uthvvOWDUVIrAiGxR+O75RlzVKWCb3nDoLJloSIBZHlu9aL9Lw8NVbvC0M0D0f+CQOIAuu4KHQrU7knWjrXZLk82cP8xM2ZsSmhrjsRow==;24:hwR2bFS3MRCxgTYtm3OwC+S36zksHPWQ0+dxjBNHzRjefl8CXLado22vSCysUhu4OK7v8HJZMUNdLDmMe2EOkQ==
> SpamDiagnosticOutput: 1:22
> SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
> X-OriginatorOrg: TicoTato480.onmicrosoft.com
> X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2015 10:38:59.8962
> (UTC)
> X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR09MB0568
> Received-SPFBL: NONE http://matrix.spfbl.net/spam/lG8rXFqVQh7HAx2ABAgZj1NqT8Y+UVR+72saM7ElUEtoyvHFOsSxrmxLZymRxjiV40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJZWWPT+TuOLL/xXqY75BC1d
> X-Allchem-Rule: suspect content message.
> X-Spam-Flag: YES
>
> When I saw this, it occurred to me to search our database of
> received e-mails using the following criteria:
>
> * Return-path equals "<>"
> * From not contains "@"
> * Received contains ".outlook.com"
>
> Bingo! Every case like this was SPAM (all of them fraud), without exception.
> I would like to ask you to run the same search on your own
> histories so we can confirm a new blocking rule in the DATA
> section that I am working on here. Cheers,
>
> Leandro Carlos Rodrigues
> IT, All Chemistry do Brasil
> (11) 3014-7100
> __
> masoch-l list
> https://eng.registro.br/mailman/listinfo/masoch-l
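The three-criteria rule proposed in the thread, written out as a header check in Python so it can be run over a local mail archive before anyone commits it to an Exim ACL. This is an added example, not code from the list post or from the All Chemistry mail setup. The two fraud samples are constructed, abridged copies of the headers quoted above (addresses de-obfuscated back to "@"); the two controls, a normal message relayed by outlook.com and a null-sender bounce whose From: carries a postmaster address, are hypothetical and exist only to show which criterion keeps each of them off the block list.

```python
import email
from email.message import Message

# Constructed, abridged copies of the two headers quoted in the thread.
FRAUD_2015_12_17 = """\
Return-path: <>
Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246] helo=emea01-db3-obe.outbound.protection.outlook.com)
 by allchem.allchemistry.com.br with esmtp (Exim 4.80)
 id 1a9dkc-0000hB-7o
 for xxx@allchemistry.com.br; Thu, 17 Dec 2015 16:58:19 -0200
Received: from DAMMAIL01.TAJDEED.COM (212.12.190.113) by
 HE1PR05MB1401.eurprd05.prod.outlook.com (10.162.251.11) with Microsoft SMTP
 Server (TLS) id 15.1.361.13; Thu, 17 Dec 2015 18:57:58 +0000
Subject: Attn: Your Reply
To: Recipients
From: <>
Reply-To: <jamesmnkosi2@aol.com>

(body omitted)
"""

FRAUD_2015_12_14 = """\
Return-path: <>
Received: from mail-db3hn0251.outbound.protection.outlook.com ([157.55.234.251] helo=emea01-db3-obe.outbound.protection.outlook.com)
 by allchem.allchemistry.com.br with esmtp (Exim 4.80)
 id 1a8QXE-0004J5-VV
 for xxx@allchemistry.com.br; Mon, 14 Dec 2015 08:39:33 -0200
Received: from [10.0.0.218] (169.0.153.62) by
 DB5PR09MB0568.eurprd09.prod.outlook.com (10.161.200.28) with Microsoft SMTP
 Server (TLS) id 15.1.337.19; Mon, 14 Dec 2015 10:38:59 +0000
Subject: Mrs.Maria Shawaan
To: Recipients
From: <>

(body omitted)
"""

# Constructed controls (hypothetical, not from the thread): a normal message
# relayed by outlook.com, and a null-sender bounce whose From: carries an address.
NORMAL_OUTLOOK = """\
Return-path: <alice@example.org>
Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246])
 by allchem.allchemistry.com.br with esmtp (Exim 4.80)
 for xxx@allchemistry.com.br; Thu, 17 Dec 2015 16:58:19 -0200
From: Alice <alice@example.org>
To: xxx@allchemistry.com.br
Subject: Invoice 1234

(body omitted)
"""

BOUNCE_FROM_OUTLOOK = """\
Return-path: <>
Received: from mail-db3hn0246.outbound.protection.outlook.com ([157.55.234.246])
 by allchem.allchemistry.com.br with esmtp (Exim 4.80)
 for xxx@allchemistry.com.br; Thu, 17 Dec 2015 16:58:19 -0200
From: postmaster@example.org
To: xxx@allchemistry.com.br
Subject: Undeliverable: Invoice 1234

(body omitted)
"""


def evaluate_rule(raw: str) -> dict:
    """Evaluate each of the three criteria against one raw RFC 5322 message."""
    msg: Message = email.message_from_string(raw)  # compat32 policy: raw header strings
    return_path = (msg.get("Return-path") or "").strip()
    from_header = msg.get("From")
    received = msg.get_all("Received") or []
    return {
        # 1. null envelope sender, as recorded by the receiving MTA
        "return_path_empty": return_path == "<>",
        # 2. no "@" anywhere in From:; a missing From: header also satisfies this
        "from_without_at": from_header is None or "@" not in from_header,
        # 3. at least one Received: line mentions an .outlook.com host
        "received_via_outlook": any(".outlook.com" in r for r in received),
    }


def matches_rule(raw: str) -> bool:
    """True only when all three criteria hold, i.e. the message would be blocked."""
    return all(evaluate_rule(raw).values())


def scan(messages: dict) -> list:
    """Names of the entries in a {name: raw_message} mapping that the rule would block."""
    return [name for name, raw in messages.items() if matches_rule(raw)]


if __name__ == "__main__":
    samples = {
        "fraud_2015_12_17": FRAUD_2015_12_17,
        "fraud_2015_12_14": FRAUD_2015_12_14,
        "normal_outlook": NORMAL_OUTLOOK,
        "bounce_from_outlook": BOUNCE_FROM_OUTLOOK,
    }
    for name, raw in samples.items():
        print(name, evaluate_rule(raw), "-> block" if matches_rule(raw) else "-> pass")
```

The bounce control is the case to watch: it has a null return path and arrives via outlook.com, and only the "From not contains @" criterion keeps it off the block list, so that criterion is doing real work and should not be relaxed. One caveat when moving this from an archive search to a DATA-time rule: the Return-path header is added by the receiving MTA at delivery (Exim's transports add it), so it is not yet present while the DATA ACL runs; the equivalent test there is on the envelope sender, not on the header.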