Problem
An email with the subject "Change your password immediately. Your account has been hacked." was delivered into the customer's own inbox.
What the email looks like:
Return-Path:
Delivered-To: poranee@ccsthai.com
Received: from netway37.netway.co.th
by netway37.netway.co.th with LMTP id 2FGbFyrx31t+vh8A2wumKw
for; Mon, 05 Nov 2018 14:28:42 +0700
Return-path:
Envelope-to: poranee@ccsthai.com
Delivery-date: Mon, 05 Nov 2018 14:28:42 +0700
Received: from cm-27-145-209-217.revip12.asianet.co.th ([27.145.209.217]:40731)
by netway37.netway.co.th with esmtp (Exim 4.91)
(envelope-from)
id 1gJZJS-008kOV-BS
for poranee@ccsthai.com; Mon, 05 Nov 2018 14:28:42 +0700
From:
To:
Date: 5 Nov 2018 19:54:01 +0600
MIME-Version: 1.0
Subject: Change your password immediately. Your account has been hacked.
Message-ID: <5BE05371.9362.8E7D93@poranee.ccsthai.com>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.41)
Content-type: text/plain; charset="ibm852"
Content-transfer-encoding: 8BIT
Content-description: Mail message body
I greet you!
I have bad news for you.
11/08/2018 - on this day I hacked your operating system and got full access to your account poranee@ccsthai.com
It is useless to change the password, my malware intercepts it every time.
How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.
I want to say - you are a big pervert. You have unbridled fantasy!
After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.
I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $844 is a very small amount for my silence.
Besides, I spent a lot of time on you!
I accept money only in Bitcoins.
My BTC wallet: 1B1Vov1LTLGLcVG3ycPQhQLe81V67FZpMZ
You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!
For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!
After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".
I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.
P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.
From now on, I advise you to use good antiviruses and update them regularly (several times a day)!
Don't be mad at me, everyone has their own work.
Farewell.
Resolution
1. In /etc/mail/spamassassin/local.cf, add the following SpamAssassin (sa) rules:
# Charset markers. These code pages are rarely used by legitimate mail to this server,
# so they add only a small score; /i because the charset name may appear in either case.
header RUSSIAN2 Content-Type =~ /Windows-1251/i
score RUSSIAN2 2
header RUSSIAN3 Content-Type =~ /ibm852/i
score RUSSIAN3 2
header RUSSIAN4 Content-Type =~ /cp-850/i
score RUSSIAN4 2
# Extortion phrases. Each of these alone reaches the required_score of 9.0.
body LOC_NO_EXTORT1_ALL /I accept money only in Bitcoins/i
score LOC_NO_EXTORT1_ALL 9.0
body LOC_NO_EXTORT2_ALL /My BTC wallet/i
score LOC_NO_EXTORT2_ALL 9.0
body LOC_NO_EXTORT3_ALL /how to send money to btc wallet/i
score LOC_NO_EXTORT3_ALL 9.0
body LOC_NO_EXTORT4_ALL /to my Bitcoin cryptocurrency wallet/i
score LOC_NO_EXTORT4_ALL 9.0
# With /i, rule 6 is identical to rule 5 and rule 8 to rule 7, and rule 9 also matches
# everything 7 and 8 match, so a single phrase can add 18.0 or 27.0 to the score.
body LOC_NO_EXTORT5_ALL /My Bitcoin wallet Address/i
score LOC_NO_EXTORT5_ALL 9.0
body LOC_NO_EXTORT6_ALL /My bitcoin wallet Address/i
score LOC_NO_EXTORT6_ALL 9.0
body LOC_NO_EXTORT7_ALL /My bitcoin address/i
score LOC_NO_EXTORT7_ALL 9.0
body LOC_NO_EXTORT8_ALL /my bitcoin address/i
score LOC_NO_EXTORT8_ALL 9.0
# Rule 9 is broad: any legitimate mail that mentions a "bitcoin address" is rejected by
# this rule alone, so watch for false positives on mailboxes that expect such mail.
body LOC_NO_EXTORT9_ALL /bitcoin address/i
score LOC_NO_EXTORT9_ALL 9.0
body LOC_NO_EXTORT10_ALL /BTC Address/i
score LOC_NO_EXTORT10_ALL 9.0
# Phishing Mail Password Hacked
# The sub-rules have no score line, so each counts 1.0 when it hits (that is why the
# maillog lists them separately); the meta rule adds 9.0 when at least two of them match.
header NW_BAD_PASS1 Subject =~ /been hacked\./i
header NW_BAD_PASS2 Content-Type =~ /ibm852/i
body NW_BAD_PASS3 /(got full access|in Bitcoins)/i
meta NW_BAD_PASS (NW_BAD_PASS1 + NW_BAD_PASS2 + NW_BAD_PASS3 >= 2.0)
describe NW_BAD_PASS Simple rule to block one more enhancement message
score NW_BAD_PASS 9.0
# Phishing Mail Password Hacked 1
header NW_BAD1_PASS1 Subject =~ /was hacked/i
header NW_BAD1_PASS2 Content-Type =~ /cp-850/i
body NW_BAD1_PASS3 /(opening this letter you have|to my Bitcoin cryptocurrency)/i
meta NW_BAD1_PASS (NW_BAD1_PASS1 + NW_BAD1_PASS2 + NW_BAD1_PASS3 >= 2.0)
describe NW_BAD1_PASS Simple rule to block one more enhancement message
score NW_BAD1_PASS 9.0
# Phishing Mail Password Hacked 2
header NW_BAD2_PASS1 Subject =~ /been hacked!/i
body NW_BAD2_PASS2 /(My Bitcoin wallet Address|payment by Bitcoin)/i
meta NW_BAD2_PASS (NW_BAD2_PASS1 + NW_BAD2_PASS2 >= 2.0)
describe NW_BAD2_PASS Simple rule to block one more enhancement message
score NW_BAD2_PASS 9.0
# Phishing Mail Password Hacked 3
header NW_BAD3_PASS1 Subject =~ /hackers to your account!/i
body NW_BAD3_PASS2 /(bitcoin payment|how to buy bitcoins)/i
meta NW_BAD3_PASS (NW_BAD3_PASS1 + NW_BAD3_PASS2 >= 2.0)
describe NW_BAD3_PASS Simple rule to block one more enhancement message
score NW_BAD3_PASS 9.0
# Phishing Mail Password Hacked 4
header NW_BAD4_PASS1 Subject =~ /I hacked device\./i
body NW_BAD4_PASS2 /(My bitcoin address|Buy Bitcoin)/i
meta NW_BAD4_PASS (NW_BAD4_PASS1 + NW_BAD4_PASS2 >= 2.0)
describe NW_BAD4_PASS Simple rule to block one more enhancement message
score NW_BAD4_PASS 9.0
2. Run the following (--lint checks the rule file for syntax errors; spamd must be restarted to load the new rules):
/usr/local/cpanel/3rdparty/bin/spamassassin -D --lint
/scripts/restartsrv_spamd
3. Apache SpamAssassin must be enabled in the cPanel account. Just enable it; no other settings need to be changed.
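As an added example (not part of this article and not SpamAssassin's own code), the following Python re-implements the scoring logic the rules above depend on: sub-rules without a score line count 1.0 each, the meta rule fires when at least two of its three sub-rules match, and the total is compared with required_score 9.0. It runs a subset of the rules over two constructed messages, one carrying the extortion mail's markers and one legitimate invoice that the broad LOC_NO_EXTORT9_ALL rule rejects on its own.

```python
import email
import re
# Added example (not from the page): a minimal stand-in for how SpamAssassin combines header,
# body and meta rules into one score. Rule names/patterns come from the local.cf above;
# the engine and both sample mails are constructed here.
REQUIRED_SCORE, DEFAULT_SCORE = 9.0, 1.0  # rules with no "score" line count 1.0 each
HEADER_RULES = {  # name: (header, regex)
    "NW_BAD_PASS1": ("Subject", re.compile(r"been hacked\.", re.I)),
    "NW_BAD_PASS2": ("Content-Type", re.compile(r"ibm852", re.I)),
    "RUSSIAN3": ("Content-Type", re.compile(r"ibm852", re.I)),
}
BODY_RULES = {  # name: regex run over the text/plain body
    "NW_BAD_PASS3": re.compile(r"(got full access|in Bitcoins)", re.I),
    "LOC_NO_EXTORT1_ALL": re.compile(r"I accept money only in Bitcoins", re.I),
    "LOC_NO_EXTORT2_ALL": re.compile(r"My BTC wallet", re.I),
    "LOC_NO_EXTORT9_ALL": re.compile(r"bitcoin address", re.I),
}
# meta "A + B + C >= 2.0": each sub-rule hit counts 1, i.e. at least two of the three
META_RULES = {"NW_BAD_PASS": (("NW_BAD_PASS1", "NW_BAD_PASS2", "NW_BAD_PASS3"), 2)}
SCORES = {"RUSSIAN3": 2.0, "LOC_NO_EXTORT1_ALL": 9.0, "LOC_NO_EXTORT2_ALL": 9.0,
          "LOC_NO_EXTORT9_ALL": 9.0, "NW_BAD_PASS": 9.0}

def score_message(raw):
    """Return (total score, sorted names of the rules that hit), as spamd logs them."""
    msg = email.message_from_string(raw)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    hits = {n for n, (h, rx) in HEADER_RULES.items() if rx.search(msg.get(h, ""))}
    hits |= {n for n, rx in BODY_RULES.items() if rx.search(body)}
    hits |= {n for n, (subs, need) in META_RULES.items()  # meta rules are decided last
             if sum(s in hits for s in subs) >= need}
    return sum(SCORES.get(n, DEFAULT_SCORE) for n in hits), sorted(hits)

def is_spam(raw):
    return score_message(raw)[0] >= REQUIRED_SCORE

# Constructed sample carrying the same markers as the extortion mail above
EXTORTION = """Subject: Change your password immediately. Your account has been hacked.
Content-type: text/plain; charset="ibm852"

I hacked your operating system and got full access to your account.
I accept money only in Bitcoins.
My BTC wallet: <placeholder, not a real address>
"""
# Constructed legitimate mail: the broad LOC_NO_EXTORT9_ALL rule alone reaches 9.0
LEGIT = """Subject: Invoice 42
Content-Type: text/plain; charset="utf-8"

Hi, please pay the invoice to the bitcoin address on the attached PDF. Thanks!
"""
```

On the server itself the equivalent check is `spamassassin -t < message.eml`, which prints the hit list and score for a saved message.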
Result
From exim_mainlog:
2018-11-06 16:03:40 1gJxGo-000aNQ-EL H=mail-oln040092009043.outbound.protection.outlook.com (NAM04-BN3-obe.outbound.protection.outlook.com) [40.92.9.43]:50208 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no F= rejected after DATA: "The mail server detected your message as spam and has prevented delivery (100)."
2018-11-06 16:03:40 SMTP connection from [209.85.208.69]:46189 (TCP/IP connection count = 8)
2018-11-06 16:03:40 SSL_write: (from mail-oln040092009043.outbound.protection.outlook.com (NAM04-BN3-obe.outbound.protection.outlook.com) [40.92.9.43]:50208) syscall: Connection reset by peer
2018-11-06 16:03:40 SMTP connection from mail-oln040092009043.outbound.protection.outlook.com (NAM04-BN3-obe.outbound.protection.outlook.com) [40.92.9.43]:50208 closed by QUIT
Result in maillog:
Nov 6 16:53:59 netway39 spamd[165551]: spamd: connection from localhost [127.0.0.1]:18246 to port 783, fd 5
Nov 6 16:53:59 netway39 spamd[165551]: spamd: setuid to bkycoth succeeded
Nov 6 16:53:59 netway39 spamd[165551]: spamd: checking message for bkycoth:1014
Nov 6 16:54:01 netway39 spamd[165551]: spamd: identified spam (43.5/9.0) for bkycoth:1014 in 2.4 seconds, 11949 bytes.
Nov 6 16:54:01 netway39 spamd[165551]: spamd: result: Y 43 - DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,LOC_NO_EXTORT1_ALL,LOC_NO_EXTORT2_ALL,LOC_NO_EXTORT3_ALL,NW_BAD_PASS,NW_BAD_PASS1,NW_BAD_PASS3,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS,T_HK_NAME_FM_MR_MRS,URIBL_BLOCKED scantime=2.4,size=11949,user=bkycoth,uid=1014,required_score=9.0,rhost=localhost,raddr=127.0.0.1,rport=18246,mid=,autolearn=spam autolearn_force=no,shortcircuit=no