Hi.
A customer has been subject to fraud emails today. The emails look like they come from the boss and request the accounts dept transfer money. They look very genuine and a dodgy email address is only visible to the end user if they click reply.
I thought I had everything configured correctly to stop this sort of email getting through and am wondering if something is malfunctioning.
SPF is configured for customer.com but there is no mention of it in the header, not even in regard to badpersondomain.com having no SPF record.
Can anyone help?
Header is below with obvious privacy changes.
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 21 Aug 2018 08:31:22 +0100
Received: from xxxxxxx.prod.phx3.secureserver.net ([216.69.xxx.xx]:41336 helo=p3plwbeout25-01.prod.phx3.secureserver.net)
by myserver.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.86)
(envelope-from <[email protected]>)
id 1fs18J-1001jA-W0
for [email protected]; Tue, 21 Aug 2018 08:31:21 +0100
Received: from xxxxxxxxx.prod.phx3.secureserver.net ([10.36.152.31])
by :WBEOUT: with SMTP
id s179favlaUbxes179f5RO3; Tue, 21 Aug 2018 00:30:07 -0700
X-SID: s179favlaUbxe
Received: (qmail 94736 invoked by uid 99); 21 Aug 2018 07:30:07 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 89.238.167.168
User-Agent: Workspace Webmail 6.9.46
Message-Id: <[email protected]mail25.godaddy.com>
From: "Boss Man" <[email protected]>
X-Sender: [email protected]
Reply-To: "Boss Man" <[email protected]>
To: [email protected]
Subject: Payments
Date: Tue, 21 Aug 2018 00:30:04 -0700
Mime-Version: 1.0
X-CMAE-Envelope: MS4wfOmiOJC3WMsezNfrdAKrBSynNJFF+qHFf4SBf+lKhca2CnkToJD5lJV8ylStzGOCRNKpRfRThRu0HujQn1WyNbyKpaR3FTx8U4V4X68+a
NIFDKH6xj1oII9Rtz8yplauRkxP+F+y33P54lOKD4SzGlowoNuxkgoBssE8GAiMuutjvx+Wl6vJ3QoLU1gWo5PRA0v+dL03Rw9zwkoPHo4g2tfaq8DOmZzwr
X-Spam-Status: No, score=2.6
X-Spam-Score: 26
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "myserver.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Hi, can you make some payments for me? [...]
Content analysis details: (2.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.5 KAM_COUK Scoring .co.uk emails higher due to poor registry security.
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4934]
0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
-0.5 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
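An added example, not part of the original post: SPF is evaluated against the envelope sender (the Return-path domain), not the From: header the recipient sees, so the sketch below flags mail whose visible From: uses a protected domain while the envelope sender or Reply-To points elsewhere. The sample message, its placeholder addresses and the function names are constructed for illustration, on the assumption that the From: header carried the customer's own domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header layout above; all addresses are placeholders.
SAMPLE = """\
Return-path: <sender@badpersondomain.example>
Envelope-to: accounts@customer.example
From: "Boss Man" <boss@customer.example>
Reply-To: "Boss Man" <bossman@freemail.example>
To: accounts@customer.example
Subject: Payments

Hi, can you make some payments for me?
"""

def domain(header_value):
    """Return the lowercased domain of the address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(a, b):
    """True if both domains are present and equal, or one is a subdomain of the other."""
    return bool(a) and bool(b) and (
        a == b or a.endswith("." + b) or b.endswith("." + a)
    )

def spoof_indicators(raw, protected_domains):
    """Compare the visible From: domain with the envelope sender and Reply-To."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    env_dom = domain(msg["Return-path"])   # the domain an SPF check evaluates
    reply_dom = domain(msg["Reply-To"])
    findings = []
    # Only judge mail that claims to come from a domain we protect.
    if any(aligned(from_dom, p) for p in protected_domains):
        if not aligned(from_dom, env_dom):
            findings.append("from_envelope_mismatch")
        if reply_dom and not aligned(from_dom, reply_dom):
            findings.append("reply_to_diverted")
    return {"spf_checked_domain": env_dom,
            "from_domain": from_dom,
            "findings": findings}

if __name__ == "__main__":
    print(spoof_indicators(SAMPLE, {"customer.example"}))
```

The two findings correspond to the HEADER_FROM_DIFFERENT_DOMAINS and FREEMAIL_FORGED_REPLYTO conditions listed in the spam report above.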