This morning I received a well-crafted spoof email with a forged From: trackingupdates@fedex.com. Of course, I receive real tracking-related messages from the real trackingupdates@fedex.com all the time.
I’d say that the email code was based on a legit FedEx notification, and the tracking link even went to a legit FedEx tracking page (mind, I was a bit baffled to see info on a parcel from Bratislava bound for Dubai).
The two visible signs that this was not a real FedEx email were the To: undisclosed-recipients:; and, ahem, an .ACE attachment.
I got curious to see what SpamSieve did with this one when I trained it. Now I’m wondering if I’ll soon be trying to train SpamSieve that messages from trackingupdates@fedex.com are usually good. Here’s a bit from the log:
Trained: Spam (Manual)
Subject: FedEx Shipment 623822459978 Notification
From: TrackingUpdates@fedex.com
Identifier: nPFBjOjoKlZweIcYKAqGWg==
Actions: disabled rule <From (address) Is Equal to "trackingupdates@fedex.com"> in SpamSieve whitelist, disabled rule <From (name) Is Equal to “FedEx SHIPMENT”> in SpamSieve whitelist, added rule <From (address) Is Equal to "TrackingUpdates@fedex.com"> to SpamSieve blocklist, added rule <From (name) Is Equal to “FedEx SHIPMENT”> to SpamSieve blocklist, added to Spam corpus (2647), removed from Good corpus (1776)
Date: 2018-01-23 11:14:45 -0800 (PST)

Mistake: False Negative
Subject: FedEx Shipment 623822459978 Notification
Identifier: nPFBjOjoKlZweIcYKAqGWg==
Classifier: Whitelist
Score: 1
Date: 2018-01-23 11:14:50 -0800 (PST)
Michael, I saved the raw source of the message as a text file. Ping me if you’d like to have a look.
Thanks, as always.
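
The two visible signs named in the post (no named recipient in To:, and an .ACE attachment) can be checked mechanically on a saved raw message. The sketch below is an added example, not part of the original post and not SpamSieve's logic; the sample message, the `spoof_signs` function and the `RISKY_EXTENSIONS` set are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the post's description (not the real message).
SAMPLE = """\
From: FedEx SHIPMENT <TrackingUpdates@fedex.com>
To: undisclosed-recipients:;
Subject: FedEx Shipment 623822459978 Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your shipment is on its way.
--b1
Content-Type: application/octet-stream; name="label.ace"
Content-Disposition: attachment; filename="label.ace"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Archive type named in the post; assumption: extend to suit your own policy.
RISKY_EXTENSIONS = {".ace"}

def spoof_signs(raw):
    """Return the header/attachment signs from the post found in a raw message."""
    msg = message_from_string(raw)
    signs = []
    # Sign 1: To:/Cc: hold no real address (an empty group such as
    # "undisclosed-recipients:;" parses to no usable addr-spec).
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers) if "@" in addr]
    if not recipients:
        signs.append("no-named-recipient")
    # Sign 2: any MIME part whose filename ends in a risky extension.
    for part in msg.walk():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            signs.append("attachment:" + name)
    return signs

if __name__ == "__main__":
    print(spoof_signs(SAMPLE))
```

Neither check looks at the From: header, which is the field the whitelist rules in the log above were keyed on.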