Spoof Email from Previously Whitelisted Email Address

This morning I received a well-crafted spoof email with a forged From: trackingupdates@fedex.com. Of course, I receive real tracking-related messages from the real trackingupdates@fedex.com all the time.

I’d say that the email code was based on a legit FedEx notification, and the tracking link even went to a legit FedEx tracking page (mind, I was a bit baffled to see info on a parcel from Bratislava bound for Dubai).

The two visible signs that this was not a real FedEx email were the To: undisclosed-recipients:; and, ahem, an .ACE attachment.

I got curious to see what SpamSieve did with this one when I trained it. Now I’m wondering if I’ll soon be trying to train SpamSieve that messages from trackingupdates@fedex.com are usually good. Here’s a bit from the log:

```
Trained: Spam (Manual)
Subject: FedEx Shipment 623822459978 Notification
From: TrackingUpdates@fedex.com
Identifier: nPFBjOjoKlZweIcYKAqGWg==
Actions: disabled rule <From (address) Is Equal to "trackingupdates@fedex.com"> in SpamSieve whitelist, disabled rule <From (name) Is Equal to "FedEx SHIPMENT"> in SpamSieve whitelist, added rule <From (address) Is Equal to "TrackingUpdates@fedex.com"> to SpamSieve blocklist, added rule <From (name) Is Equal to "FedEx SHIPMENT"> to SpamSieve blocklist, added to Spam corpus (2647), removed from Good corpus (1776)
Date: 2018-01-23 11:14:45 -0800 (PST)

Mistake: False Negative
Subject: FedEx Shipment 623822459978 Notification
Identifier: nPFBjOjoKlZweIcYKAqGWg==
Classifier: Whitelist
Score: 1
Date: 2018-01-23 11:14:50 -0800 (PST)
```

Michael, I saved the raw source of the message as a text file. Ping me if you’d like to have a look.

Thanks, as always.

It looks like the address was whitelisted because you had previously only received good messages from there. So SpamSieve did not do a deep analysis of the message. You should now train one of the good messages as good so that SpamSieve knows not to block all of them.

Why didn’t I think to train SpamSieve on a good email in advance? Thanks, Michael, you’re always way ahead!

That’s OK—you want to train it after training the spam one, anyway.
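The whitelist short-circuit described in this thread (a matching From: address scores the message good before anything else is examined) is easy to model. The following is an added example, not SpamSieve's code and not posted by anyone in the thread; it builds two constructed messages with Python's standard library and compares a naive whitelist that stops at the address with a hardened one that only honours the whitelist when the Authentication-Results header reports a DMARC pass and that checks risky attachments first. The whitelist, the extension list and the header values are assumptions for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

WHITELIST = {"trackingupdates@fedex.com"}           # assumed local whitelist rule
RISKY_EXTENSIONS = {".ace", ".exe", ".scr", ".js"}   # assumed local attachment policy


def build_message(from_hdr, dmarc_result, attach_name=None):
    """Construct a sample message (constructed test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["Subject"] = "FedEx Shipment 623822459978 Notification"
    # Authentication-Results as the receiving MX would stamp it (assumed format).
    msg["Authentication-Results"] = (
        f"mx.example.net; dmarc={dmarc_result} header.from=fedex.com"
    )
    msg.set_content("Your shipment is on its way.")
    if attach_name:
        msg.add_attachment(b"**ACE**", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg


def sender_address(msg):
    return parseaddr(msg["From"])[1].lower()


def dmarc_passed(msg):
    """True only if the MX recorded dmarc=pass for this message."""
    tokens = re.split(r"[;\s]+", msg.get("Authentication-Results", "").lower())
    return "dmarc=pass" in tokens


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the risky list."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(tuple(RISKY_EXTENSIONS))]


def classify_naive(msg):
    """Whitelist rule fires first and ends evaluation: nothing else is checked."""
    if sender_address(msg) in WHITELIST:
        return ("good", "Whitelist")
    if risky_attachments(msg):
        return ("spam", "Attachment")
    return ("good", "Bayes")   # stands in for the statistical classifier


def classify_hardened(msg):
    """Attachment check runs first; whitelist counts only with a DMARC pass."""
    if risky_attachments(msg):
        return ("spam", "Attachment")
    if sender_address(msg) in WHITELIST and dmarc_passed(msg):
        return ("good", "Whitelist")
    return ("good", "Bayes")   # forged From: without DMARC falls through to analysis
```

With the naive order, the spoof with a forged From: and an .ACE attachment is scored good by the Whitelist classifier exactly as in the log above; the hardened order rejects it on the attachment and would send an attachment-free forgery on to full analysis.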