For the last month, we're noticing A LOT of emails claiming to be invoices, or having links because "our remittance address has changed", or asking to update an employee's ACH payroll info.

As far as I can tell, some account in the world was hacked (not on our system) and the hacker is sending emails FROM those contacts TO other contacts, hoping they'll be more trusted since they probably know each other.

Thank you for your business - we appreciate it very much.
Main: 628-056.6667 Fax: 628-056.6452 <- both of these are made up

The body is never the same, nor are the links, or attachments.
The DISPLAY NAMES are copied from the hacked contacts of the victim.
The SMTP envelope address and reply-to are all randomly different hacked accounts.
The IP address is different every time (and not belonging to the FROM spoof).

I can't use keyword blacklists because the bodies are all different.
I can't use a sender blacklist because the from address is always random.
I can't use SPF because the from address isn't the real from address.

Besides connecting ClamAV to ORF - as suggested by Norbert - I would recommend the following:
+ Blacklist the email if the sending server does not identify itself (in the EHLO/HELO command) using a fully qualified domain name. Compromised servers and workstations tend to use their own hostname as is, which is often not an FQDN.
+ Make sure you have the recommended DNSBLs and SURBLs enabled:
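The EHLO/HELO rule recommended in the reply, as an added Python example that is not ORF's code or anything posted in this thread: it decides whether a greeting argument is a fully qualified domain name and runs that check over a few constructed SMTP session lines; the log line format, hostnames and IP addresses are all assumed.

```python
import re

# One DNS label per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def is_fqdn(helo: str) -> bool:
    """True if the EHLO/HELO argument looks like a fully qualified domain name."""
    name = helo.strip().lower().rstrip(".")      # tolerate a trailing root dot
    if not name or name.startswith("["):        # RFC 5321 address literal such as [192.0.2.45]
        return False                             # legal SMTP, but not a name: treated as non-FQDN here
    labels = name.split(".")
    if len(labels) < 2:                          # bare hostname, e.g. DESKTOP-4F2K1 or localhost
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    if labels[-1].isdigit():                     # dotted-quad IP without brackets is not a name
        return False
    return True

# Constructed sample session lines, shape "<client ip> <EHLO|HELO> <argument>" (assumed format, not real logs).
SAMPLE_LOG = """\
203.0.113.7 EHLO mail.example.net
198.51.100.23 HELO DESKTOP-4F2K1
192.0.2.45 EHLO [192.0.2.45]
203.0.113.9 EHLO 203.0.113.9
198.51.100.77 EHLO localhost
203.0.113.12 EHLO mx1.example.org.
"""

def flag_non_fqdn(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, greeting) for every session whose EHLO/HELO argument is not an FQDN."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[1].upper() not in ("EHLO", "HELO"):
            continue                             # skip malformed or unrelated lines
        client_ip, _, greeting = parts
        if not is_fqdn(greeting):
            flagged.append((client_ip, greeting))
    return flagged

if __name__ == "__main__":
    for client_ip, greeting in flag_non_fqdn(SAMPLE_LOG):
        print(f"{client_ip}: non-FQDN greeting {greeting!r}")
```

Address literals are permitted by RFC 5321 and some legitimate but misconfigured senders greet with a bare hostname, so scoring this check rather than hard-rejecting on it alone avoids blocking wanted mail.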