[MASOCH-L] Fraud sent via outlook.com

Leandro Carlos Rodrigues leandro at allchemistry.com.br
Tue Dec 15 09:52:59 BRST 2015


Folks,

I just ran into an interesting case. The message was sent through the
outlook.com system, but with no sender and no From: field:

 From MAILER-DAEMON Mon Dec 14 08:39:33 2015
Return-path: <>
Envelope-to: xxx at allchemistry.com.br
Received: from mail-db3hn0251.outbound.protection.outlook.com ([157.55.234.251] helo=emea01-db3-obe.outbound.protection.outlook.com)
	by allchem.allchemistry.com.br with esmtp (Exim 4.80)
	id 1a8QXE-0004J5-VV
	for xxx at allchemistry.com.br; Mon, 14 Dec 2015 08:39:33 -0200
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
Received: from [10.0.0.218] (169.0.153.62) by
  DB5PR09MB0568.eurprd09.prod.outlook.com (10.161.200.28) with Microsoft SMTP
  Server (TLS) id 15.1.337.19; Mon, 14 Dec 2015 10:38:59 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Mrs.Maria Shawaan
To: Recipients
From: <>
Date: Mon, 14 Dec 2015 00:38:41 -0800
X-Originating-IP: [169.0.153.62]
X-ClientProxiedBy: AM3PR05CA0076.eurprd05.prod.outlook.com (25.162.114.44) To
  DB5PR09MB0568.eurprd09.prod.outlook.com (25.161.200.28)
Message-ID: <DB5PR09MB0568D773AB99D3A490EEE929B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>
X-Microsoft-Exchange-Diagnostics:
	1;DB5PR09MB0568;2:2B39zZSPWUFhCq/1rMttoF1Mz6Phw0yhNkh8UT3gtiRQ2wtL+IjTQYwmH/ftdipYvCV2LzfieDK9/HdfTpKi4t6/ORH4TR/3hmJyY334fTKcjTwcW8vESAYn7SAMYIEh2REJHuNZ5px4R+uXXopd5Q==;3:NtsJTrwZ9WmgLHXBrHZu8pVWsjWF+4U10JowrFA+wB84u7KrYeh0hYU3TiZ3GCf0RxCnN9zSkzeheAQXF2IGGhCgmXv9RoZrYGjfKZ1iJgAWau0qCXLs30xM2mAJNGNM;25:wzboQRaDO/pHsat4NincWut27ml1WNl5KujV1gbLY0g+u4/HaBL1yr6CASX4KJNjWRkKq5v3kkaqLvdNu0BD6f4boQ0iCHykiG/9CyJCrnP5ecDs/y0r2lg+s6/Who2Jgi4DesJE42uufg9ffBuN8Oy8+qtFJb9NZQGFa0WTCfOSNVZZxm7+nicnqtE4yl+2RilsIBlSZMtsaXpa0Lm0dVYkHkBoWsQpdb8UNA2ki7wEg38w1GyyZ1yhmTcRAfENrbHTGdvkKmXtMiJIsesB5w==;4:FsdGB/P/A/iNQ7RebyQM8EJFKiGApOhc02xuspgzvNF1tdzkX0sZEoMpWH4x8xJsjF+NhIOcteMJEKZ5+BHaGSKls3STvFguyD0sphA5aObuRXF6NB5Viv9oxagcxWsyR5fqOrdLcuzOlzC+PxaIEffwmEd7xYLj6lAScNWBKzEXSGV3ciKRkK7hr6b6AmFd8WwSp9ZgxfeO+eOV+rAUFFgCKYoqNcuuJII3YI5raKyzHZ7XnEWa1XWDVvvQHp6krG3bYOF8NewvublXhkgyjX1/aqjRGLyOA62sH3TCRxcyYSMihxhWu2UhZzndRxMrXCNCr6UyEF2IXapb2GjNLCQBiuGAHfzSHLodgentZI78ED+kqD2Py0AOS29ATx/p
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
X-Microsoft-Antispam-PRVS: <DB5PR09MB056801D8CE74116A198FE5D3B8ED0 at DB5PR09MB0568.eurprd09.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046);SRVR:DB5PR09MB0568;BCL:0;PCL:0;RULEID:;SRVR:DB5PR09MB0568;
X-Forefront-PRVS: 0790FB1F33
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10019020)(6009001)(6049001)(5005620100007);DIR:OUT;SFP:1501;SCL:9;SRVR:DB5PR09MB0568;H:[10.0.0.218];FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;
Received-SPF: None (protection.outlook.com: [10.0.0.218] does not designate
  permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;DB5PR09MB0568;23:8n9wbLZJPNu60xy4mlC6o5EPo6P3GJTdZsAcIZwkxevFOhw2GIAFySIQQkAVcNTYkaq3CuKBn8o1yHiBrg2UE+kbQL8U+1R3z9l5rvSgsHe3slWAGPRLWDBP68QNQjPvoiRl8fZZO+AcQpymquyEeFFtQksztQYENhC9UUPvbGKB/N7XwHaLks2L+p8WIp7fcGQb1we+oUBumQq4LYoG+rx0Q6udfHGvu28fwGEjEAKJoh79sv2/1mOqazKvhpKo8W2R8i1dKY9KFbmVVyGkpJu11kYOa/GEGjpSiRVoZFY=;5:fK+NQb7+BOWnjyDnAD20kr2UTqNSqmAPLtBEJxPvnLxi8uthvvOWDUVIrAiGxR+O75RlzVKWCb3nDoLJloSIBZHlu9aL9Lw8NVbvC0M0D0f+CQOIAuu4KHQrU7knWjrXZLk82cP8xM2ZsSmhrjsRow==;24:hwR2bFS3MRCxgTYtm3OwC+S36zksHPWQ0+dxjBNHzRjefl8CXLado22vSCysUhu4OK7v8HJZMUNdLDmMe2EOkQ==
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: 00000000%2D0000%2D0000%2D0000%2D000000000000
X-OriginatorOrg: TicoTato480.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2015 10:38:59.8962
  (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR09MB0568
Received-SPFBL: NONE http://matrix.spfbl.net/spam/lG8rXFqVQh7HAx2ABAgZj1NqT8Y+UVR+72saM7ElUEtoyvHFOsSxrmxLZymRxjiV40MshCEyu6AB25WhYP1zrg6hNq+rbEZshHaoYtUfkJZWWPT+TuOLL/xXqY75BC1d
X-Allchem-Rule: suspect content message.
X-Spam-Flag: YES

When I saw this, it occurred to me to search the database of e-mails
received here using the following criteria:

  * Return-path equals "<>"
  * From does not contain "@"
  * Received contains ".outlook.com"

Bingo! Every case matching these was SPAM (all of them fraud), without
exception. I'd like to ask you to run the same search on your own
histories so we can confirm a new blocking rule in the DATA section
that I'm putting together here. Regards,

Leandro Carlos Rodrigues
IT, All Chemistry do Brasil
(11) 3014-7100
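The three-way search the post describes, as an added example that is not part of the original post nor the list's own tooling: a Python function that applies the same three header criteria to a raw message and reports which of them hold. The sample messages are constructed: the first condenses the headers quoted above; the other two are hypothetical. The second is a legitimate delivery-status bounce, which also carries the null return-path (`<>`) that DSNs are required to use, and it shows why the rule needs all three conditions together rather than the null sender alone.

```python
"""Apply the post's three header criteria to raw RFC 5322 messages.

Added example, not code from the original post. The sample messages are
constructed: FRAUD_SAMPLE condenses the headers quoted in the post, the
other two are hypothetical and exist only to check the rule does not
over-match on legitimate traffic.
"""
import email
from email.message import Message

CRITERIA = ("return-path-null", "from-without-at", "received-outlook")


def rule_hits(raw: str) -> list[str]:
    """Return the names of the post's criteria that this message satisfies."""
    msg: Message = email.message_from_string(raw)
    hits: list[str] = []

    # Criterion 1: null envelope sender, as recorded by the receiving MTA.
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path == "<>":
        hits.append("return-path-null")

    # Criterion 2: From header missing or with no address in it ("From: <>").
    from_hdr = (msg.get("From") or "").strip()
    if "@" not in from_hdr:
        hits.append("from-without-at")

    # Criterion 3: at least one Received hop went through outlook.com.
    received = msg.get_all("Received") or []
    if any(".outlook.com" in hop for hop in received):
        hits.append("received-outlook")

    return hits


def matches_rule(raw: str) -> bool:
    """True only when all three criteria hold, as the post's search requires."""
    return len(rule_hits(raw)) == len(CRITERIA)


# Constructed sample 1: condensed from the headers quoted in the post.
FRAUD_SAMPLE = """\
Return-path: <>
Envelope-to: xxx@allchemistry.com.br
Received: from mail-db3hn0251.outbound.protection.outlook.com ([157.55.234.251])
  by allchem.allchemistry.com.br with esmtp (Exim 4.80)
  for xxx@allchemistry.com.br; Mon, 14 Dec 2015 08:39:33 -0200
Received: from [10.0.0.218] (169.0.153.62) by
  DB5PR09MB0568.eurprd09.prod.outlook.com (10.161.200.28) with Microsoft SMTP
  Server (TLS) id 15.1.337.19; Mon, 14 Dec 2015 10:38:59 +0000
Subject: Mrs.Maria Shawaan
To: Recipients
From: <>
Date: Mon, 14 Dec 2015 00:38:41 -0800

(body omitted)
"""

# Constructed sample 2: a hypothetical legitimate bounce. DSNs must use the
# null sender, so it matches criterion 1 only and must NOT trigger the rule.
DSN_SAMPLE = """\
Return-path: <>
Received: from mx.example.net ([192.0.2.10])
  by allchem.allchemistry.com.br with esmtp (Exim 4.80)
  for xxx@allchemistry.com.br; Mon, 14 Dec 2015 09:00:00 -0200
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: xxx@allchemistry.com.br
Subject: Undelivered Mail Returned to Sender

(body omitted)
"""

# Constructed sample 3: a hypothetical normal message relayed by outlook.com
# with a proper envelope sender and From address; criterion 3 only.
OUTLOOK_OK_SAMPLE = """\
Return-path: <alice@contoso.example>
Received: from mail-db3hn0251.outbound.protection.outlook.com ([157.55.234.251])
  by allchem.allchemistry.com.br with esmtp (Exim 4.80)
  for xxx@allchemistry.com.br; Mon, 14 Dec 2015 09:05:00 -0200
From: Alice <alice@contoso.example>
To: xxx@allchemistry.com.br
Subject: Quotation

(body omitted)
"""


def classify_all(samples: dict[str, str]) -> dict[str, bool]:
    """Run the rule over a named set of raw messages, e.g. a dumped mailbox."""
    return {name: matches_rule(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in {"fraud": FRAUD_SAMPLE, "dsn": DSN_SAMPLE,
                      "outlook-ok": OUTLOOK_OK_SAMPLE}.items():
        print(f"{name:10s} match={matches_rule(raw)!s:5s} hits={rule_hits(raw)}")
```

Only the fraud sample satisfies all three criteria; the bounce matches on the null return-path alone and the ordinary Outlook message on the Received hop alone, which is the check worth running on a real archive before turning the combination into a DATA-stage reject.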

