Phishing in Zimbra
marsupilami1947
Posted messages
392
Registration date
Status
Member
Last intervention
-
Pierr10 Posted messages 13769 Registration date Status Moderator Last intervention -
Hello,
For the past two weeks, I have been receiving several phishing messages every day that all have the same sender email structure and the same content.
Email: xxxxxx@free.fr where xxxxx is a sequence of more or less random characters.
The subject of the messages is also a random sequence of characters.
The day before yesterday, I received 8 messages, and last night I received 4.
I did not find any filter to prevent these messages.
Does anyone have any ideas on how to automatically eliminate these messages?
Thank you for your help.
Configuration: Windows / Firefox 87.0
4 replies
Hello,
While browsing through the Newsgroups, I found a filter to create in Zimbra. Here is the text I copied:
2 conditions (make sure to select "If ALL of the following conditions are met")
Header named | X-Originating-IP | matches exactly | []
Header named | Message-Id | matches the wildcard characters | <*JavaMail.root@zimbra*.priv.proxad.net>
Without the |; I used them to separate the filter fields.
The logic of the filter: the 2nd condition indicates a message claiming to be sent by one of Free's Zimbra servers.
The first is a header found in spam, while the true Zimbra servers put the IP address of the web client that used Zimbra.
To create the filter in Zimbra:
Which gives:
For the action to be taken, I advise against selecting "Delete". It's better to send it to spam just in case the filter is too aggressive!
So far it seems to be working.
What is well conceived is clearly stated,
And the words to say it come easily.
(Boileau)
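An added example, not part of the post above or of the newsgroup text it quotes: a dry run of the two-condition rule over constructed messages, showing what it would file as spam before the filter is enabled. The sample headers, host names and the case-insensitive wildcard semantics are assumptions.

```python
import fnmatch
from email import message_from_string

# Both values are copied from the filter quoted in the post above.
ORIGINATING_IP_EXACT = "[]"
MESSAGE_ID_WILDCARD = "<*JavaMail.root@zimbra*.priv.proxad.net>"

def matches_rule(raw: str) -> bool:
    """True only when BOTH conditions hold ("ALL of the following")."""
    msg = message_from_string(raw)
    # get_all() returns every occurrence of a header, or [] if it is absent.
    ips = [v.strip() for v in msg.get_all("X-Originating-IP", [])]
    ids = [v.strip().lower() for v in msg.get_all("Message-Id", [])]
    ip_hit = ORIGINATING_IP_EXACT in ips
    # Assumption: '*' matches any run of characters, compared case-insensitively.
    pattern = MESSAGE_ID_WILDCARD.lower()
    id_hit = any(fnmatch.fnmatchcase(v, pattern) for v in ids)
    return ip_hit and id_hit

def route(raw: str) -> str:
    """File matches as spam instead of deleting, as the post advises."""
    return "spam" if matches_rule(raw) else "inbox"

def make(ip, message_id):
    """Build a constructed sample message; ip=None omits the header."""
    lines = ["From: sample@free.fr", f"Message-Id: {message_id}"]
    if ip is not None:
        lines.append(f"X-Originating-IP: {ip}")
    return "\n".join(lines) + "\n\nbody\n"

# Constructed samples; host names and IDs are invented for the dry run.
SAMPLES = {
    "forged": make("[]", "<1.2.JavaMail.root@zimbra00-e0.priv.proxad.net>"),
    "real_webmail": make("[192.0.2.10]", "<3.4.JavaMail.root@zimbra00-e0.priv.proxad.net>"),
    "other_sender": make("[]", "<5.6@mail.example.org>"),
    "no_ip_header": make(None, "<7.8.JavaMail.root@zimbra00-e0.priv.proxad.net>"),
}

def dry_run():
    return {name: route(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, folder in dry_run().items():
        print(f"{name:13} -> {folder}")
```

Only the message that satisfies both conditions is routed to spam; a message meeting just one of them stays in the inbox, which is why the rule must use "ALL" rather than "ANY".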
Hello,
Check this link found on the CCM Forum... https://forums.commentcamarche.net/forum/affich-35362978-je-suis-submerge-par-les-spams and see if you can configure your Zimbra mail.
--
ASUS ROG G752 VSK | QuadCore Intel i7 7700HQ | 32 GB-DDR4 | 2 SSD M.2 500 GB | 2 HDD Seagate 2TB | GeForce GTX 1070M 8 GB | 17.3" screen (120 Hz) | DirectX 12 | Windows 10 (x64)
pistouri
Posted messages
19008
Registration date
Status
Contributor
Last intervention
Ambassador
8 719
Hello,
I've been receiving the same message in my messaging apps for a few days.
Do not click on unsubscribe because it opens a ransom page and blocks your PC.
Restart Explorer through the task manager if it's too late with --► explorer.exe
File-►Run a new task
I'm with FREE.
I reported the source code to Signal Spam
Extract of the source code, because it is very long.
I blocked the domain name and the sender in the junk folder with Windows Mail.
Why report your spam?
Reporting spam helps gather all the technical information needed to identify a spammer, whether the report concerns marketing abuse or a cyber-crime spam. Signal Spam handles the qualification of your report and redistributes useful information in the fight against spam.
==► How to report an email or a URL?
An email consists of 2 elements:
Headers. This is the technical part that you do not see. It requires manipulation to access it.
The body of the message. This is simply the content you read when you open an email.
These 2 elements together form what we call the source code of an email.
This is what you need to provide us to report an email.
Report with a reporting module
Install the module for Mac Mail
Install the module for Outlook
Install the module for Safari
Install the module for Firefox
Install the module for Google Chrome
Install the module for Opera
Install the module for Thunderbird
Report without a reporting module
If you do not wish to, or cannot use one of our reporting modules, you need to copy and paste the source code of the email you wish to report into the form in your personal space.
List your webmail or messaging software below and click on it to access the tutorial:
Gmail
Laposte.net
Mac Mail
Numericable
Orange
Outlook.com
SFR
Thunderbird
Yahoo
To be continued:
A+
Hello,
Thank you for your response.
Since each message is from a different sender, I assume we need to report all the messages to Signal Spam.
There was a time when I reported to Signal Spam, but since I never received any feedback, I stopped doing it. I did report to Phishinginitiative, but without much hope either.
I don't have Windows Mail, but Zimbra as my email client.
You mentioned "domain name," can you tell me what that is? Does this name appear in the source code you sent me?
Hello marsupo,
Any email provider has a "spam" section to sort out junk emails, phishing, scams of all kinds, and other similar stuff, which is convenient.
I tested Zimbra once or twice; the FREE webmail didn't convince me.
I have encountered this kind of fraudulent email before, and so far Signal Spam, without wanting to overly praise them, has blocked them a few days later.
On this last instance, I inundated them with source codes, because it’s not the sender's name that blocks but the domain name.
For example, domain name = @free.fr
The polluting sender can thus change their email address name at will, likely using aliases, but not @free.fr
And there are other specific lines in the source code that Signal Spam uses to filter and block this kind of polluter.
Hello pistouri,
Thank you for the clarifications.
I haven't identified a "spam" section in Zimbra, but I know how to set up filters. The problem is that when faced with these messages, I didn't know how to set up a filter. I implemented the filter found by Pierr10, and it works very well.
I am now going to report to Signalspam to see if they can do something about a spam that changes its sender, subject, and unsubscribe link each time. The only common point we've found is that the unsubscribe link always contains the word "club."
I don't want to block the "@free.fr" domain, as that would block all messages from this domain, spam or not.
Have a nice day.
Hello and thank you, Xileh.
This is indeed the first example I receive, "morgan". I followed the recommendations and I am waiting to see the results.
Thanks again.
See you later.
Hello
No problem...
And for those wondering about the reason for this thank you, it's because I suggested to laroute to come to this topic, following his question here:
https://forums.commentcamarche.net/forum/affich-37157477-impossible-de-d-eliminer-ces-emails-ils-reviennent-a-chaque-fois


Thank you for your response, I followed your advice and set up this filter, I am waiting to see if it works effectively.
Result: All the spams that I had reintegrated were returned to the spam folder and only those. So no errors or omissions.
I had the idea for the first line, but it wasn't restrictive enough, and there was likely to be quite a few mistakes.
It seems that this issue also exists with Orange messaging (and probably others). We should be able to create similar filters.
I think that in any case, this phishing campaign will stop on its own in a few days or a few weeks at most. It will be replaced by something else. (Previously, we had the fake messages coming from the town hall of La Suze-sur-Sarthe).
Have a good evening!
A big thank you Pierr10, the filter worked, I have 4 messages this morning in my "filtered" folder, and they are indeed the ones I wanted to eliminate.
Congratulations.