Phishing in Zimbra

marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   -  
Pierr10 Posted messages 13830 Registration date   Status Moderator Last intervention   -
Hello,
For the past two weeks, I have been receiving several phishing messages every day that all have the same sender email structure and the same content.
Email: xxxxxx@free.fr where xxxxx is a sequence of more or less random characters.
The subject of the messages is also a random sequence of characters.

The day before yesterday, I received 8 messages, and last night I received 4.
I did not find any filter to prevent these messages.

Does anyone have any ideas on how to automatically eliminate these messages?

Thank you for your help.




Configuration: Windows / Firefox 87.0

4 answers

  1. Pierr10 Posted messages 13830 Registration date   Status Moderator Last intervention   5 840
     
    Hello,

    While browsing through the Newsgroups, I found a filter to create in Zimbra. Here is the text I copied:
    2 conditions (make sure to select "If ALL of the following conditions are
    met")

    Header named | X-Originating-IP | matches exactly | []
    Header named | Message-Id | matches the wildcard characters | <*JavaMail.root@zimbra*.priv.proxad.net>

    Without the | I used them to separate the filter fields.
    The logic of the filter: the 2nd condition indicates a message claiming
    to be sent by one of Free's Zimbra servers
    The first is a header found in spam, while the
    true Zimbra servers put the IP address of the web client that used
    Zimbra.


    To create the filter in Zimbra:
    Which gives:

    For the action to be taken, I advise against selecting "Delete". It's better to send it to spam just in case the filter is too aggressive!

    So far it seems to be working.

    What is well conceived is clearly stated,
    And the words to say it come easily.
    (Boileau)
    2
    1. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11
       
      Hello,
      Thank you for your response, I followed your advice and set up this filter, I am waiting to see if it works effectively.
      0
    2. Pierr10 Posted messages 13830 Registration date   Status Moderator Last intervention   5 840 > marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention  
       
      To test the filter, I reintegrated the messages that were in the spam folder into the received messages and applied the filter to the received messages.

      Result: All the spams that I had reintegrated were returned to the spam folder and only those. So no errors or omissions.
      0
    3. pistouri Posted messages 19008 Registration date   Status Contributor Last intervention   8 723 > Pierr10 Posted messages 13830 Registration date   Status Moderator Last intervention  
       
      Good job Pierrot on the Zimbra filter.
      0
    4. Pierr10 Posted messages 13830 Registration date   Status Moderator Last intervention   5 840 > pistouri Posted messages 19008 Registration date   Status Contributor Last intervention  
       
      I mostly had the knack for looking in the right place!
      I had the idea for the first line, but it wasn't restrictive enough, and there was likely to be quite a few mistakes.

      It seems that this issue also exists with Orange messaging (and probably others). We should be able to create similar filters.

      I think that in any case, this phishing campaign will stop on its own in a few days or a few weeks at most. It will be replaced by something else. (Previously, we had the fake messages coming from the town hall of La Suze-sur-Sarthe).

      Have a good evening!
      0
    5. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11 > Pierr10 Posted messages 13830 Registration date   Status Moderator Last intervention  
       
      Hello,
      A big thank you Pierr10, the filter worked, I have 4 messages this morning in my "filtered" folder, and they are indeed the ones I wanted to eliminate.
      Congratulations.
      0
  2. Panth33ra Posted messages 23138 Registration date   Status Member Last intervention   Ambassadeur 2 365
     
    Hello,
    Check this link found on the CCM Forum... https://forums.commentcamarche.net/forum/affich-35362978-je-suis-submerge-par-les-spams and see if you can configure your Zimbra mail.

    --
    ASUS ROG G752 VSK | QuadCore Intel i7 7700HQ | 32 GB-DDR4 | 2 SSD M.2 500 GB | 2 HDD Seagate 2TB | GeForce GTX 1070M 8 GB | 17.3" screen (120 Hz) | DirectX 12 | Windows 10 (x64)
    0
    1. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11
       
      I was the one who sent this message in 2018.
      Here, it's a different problem, as the sender is never the same.
      0
      1. Panth33ra Posted messages 23138 Registration date   Status Member Last intervention   2 365 > marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention  
         
        Zimbra messaging is configured like all the others.
        0
      2. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11 > Panth33ra Posted messages 23138 Registration date   Status Member Last intervention  
         
        Hello,
        What should I do with your response?
        0
  3. pistouri Posted messages 19008 Registration date   Status Contributor Last intervention   Ambassadeur 8 723
     
    Hello,

    I've been receiving the same message in my messaging apps for a few days.
    Do not click on unsubscribe because it opens a ransom page and blocks your PC.
    Restart Explorer through the task manager if it's too late with --► explorer.exe
    File-►Run a new task

    I'm with FREE.




    I reported the source code to Signal Spam

    Extract of the source code, because it is very long.


    I blocked the domain name and the sender in the junk folder with Windows Mail.

    Why report your spam?

    Reporting spam helps gather all the technical information needed to identify a spammer, whether the report concerns marketing abuse or a cyber-crime spam. Signal Spam handles the qualification of your report and redistributes useful information in the fight against spam.


    ==► How to report an email or a URL?

    An email consists of 2 elements:

      Headers. This is the technical part that you do not see. It requires manipulation to access it.
     The body of the message. This is simply the content you read when you open an email.

    These 2 elements together form what we call the source code of an email.
    This is what you need to provide us to report an email.


    Report with a reporting module
    Install the module for Mac Mail
    Install the module for Outlook
    Install the module for Safari
    Install the module for Firefox
    Install the module for Google Chrome
    Install the module for Opera
    Install the module for Thunderbird

    Report without a reporting module
    If you do not wish to, or cannot use one of our reporting modules, you need to copy and paste the source code of the email you wish to report into the form in your personal space.

    List your webmail or messaging software below and click on it to access the tutorial:
    Gmail
    Laposte.net
    Mac Mail
    Numericable
    Orange
    Outlook.com
    SFR
    Thunderbird
    Yahoo

    To be continued:

    A+
    0
    1. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11
       
      Hello,
      Thank you for your response.
      Since each message is from a different sender, I assume we need to report all the messages to Signal Spam.
      There was a time when I reported to Signal Spam, but since I never received any feedback, I stopped doing it. I did report to Phishinginitiative, but without much hope either.
      I don't have Windows Mail, but Zimbra as my email client.
      You mentioned "domain name," can you tell me what that is? Does this name appear in the source code you sent me?
      0
    2. pistouri Posted messages 19008 Registration date   Status Contributor Last intervention   8 723 > marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention  
       
      Hello marsupo,

      Any email providers have the ''spam'' section to sort out junk emails, phishing, scams of all kinds, and other similar stuff, which is convenient.
      Zimbra tested once or twice, the FREE Webmail didn't convince me.
      I have encountered this kind of fraudulent email before, and so far Signal Spam, without wanting to overly praise them, has blocked them a few days later.
      On this last instance, I inundated them with source codes, because it’s not the sender's name that blocks but the domain name.
      For example, domain name = @free.fr
      The polluting sender can thus change their email address name at will, likely using aliases, but not @free.fr
      And there are other specific lines in the source code that Signal Spam uses to filter and block this kind of polluter.
      0
    3. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11 > pistouri Posted messages 19008 Registration date   Status Contributor Last intervention  
       
      Hello pistouri,
      Thank you for the clarifications.
      I haven't identified a "spam" section in Zimbra, but I know how to set up filters. The problem is that when faced with these messages, I didn't know how to set up a filter. I implemented the filter found by Pierr10, and it works very well.
      I am now going to report to Signalspam to see if they can do something about a spam that changes its sender, subject, and unsubscribe link each time. The only common point we've found is that the unsubscribe link always contains the word "club."
      I don't want to block the "@free.fr" domain, as that would block all messages from this domain, spam or not.
      Have a nice day.
      0
    4. pistouri Posted messages 19008 Registration date   Status Contributor Last intervention   8 723 > marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention  
       
      I can't see myself blocking the domain ""@free.fr"

      free.fr or FR to be more precise for the domain name.

      It's spam signal that does that.

      I don't know with Zimbra how you will find the source code

      With for example Windows Mail: new spam received this morning.


      Unwanted (block the domain name)


      A+
      0
    5. marsupilami1947 Posted messages 392 Registration date   Status Member Last intervention   11 > pistouri Posted messages 19008 Registration date   Status Contributor Last intervention  
       
      Hello,
      Thank you for the new information.
      I don't have that option with Zimbra, no filter is set for the domain name.
      Have a good day.
      0
  4. laroute Posted messages 152 Registration date   Status Member Last intervention   7
     
    Hello and thank you Xileh

    this is indeed the first example I receive "morgan" I followed the recommendations and I am waiting to see the results

    thanks again

    see you later
    0