[arrl-odv:29762] Messages From "Arrl Message Center" ?????

Today I received seven messages, sent to n6aa@arrl.org, advising me that I have some number of "pending messages from your organization." Although the messages appear to come from something called "Arrl Message Center," they come from an address in Japan. The messages have a link that says "Review Messages to release or block them." I have not clicked on that link as this looks suspiciously like a scam that might infect my computer. Have any of the rest of you received them? Has anyone clicked on the link? Anything happen? 73, Dick, N6AA

Dick: I sent a note to ODV last week, I believe, about this phishing attempt after getting a couple of notes from ODV members. It's obviously a scam and using the delete key is the way to deal with it. 73, Barry, N1VXY Sent from my Verizon Motorola Smartphone On Mar 2, 2020 9:22 PM, Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:

I also got 7 messages. On Mail for macOS you can hover over the link without opening it (see image below). It looks extremely unsavory.
On Mar 2, 2020, at 6:22 PM, Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:
-Kristen (K6WX) "Your eyes ... it's a day's work just looking into them" Laurie Anderson (--... ...-- -.. . -.- -.... .-- -..-)
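Kristen's advice to hover over a link before touching it can be applied to a whole HTML body at once: pull every anchor out of the message, compare where it really goes with what it shows, and never fetch anything. The script below is an added example written for this thread, not code from the list or from ARRL; the message body, the `mail-release.example.net` and `login.example.net` hosts and the `audit_links` helper are constructed for illustration, and `EXPECTED_DOMAIN` is the organisation the lure claims to speak for.

```python
"""Inspect the links in an HTML e-mail body without visiting any of them.
Added example: the body and the example.net hosts below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "arrl.org"   # the organisation the message claims to speak for

# Constructed sample modelled on the lure described in the thread.
SAMPLE_HTML = """
<html><body>
<p>You have 7 pending messages from your organization.</p>
<p><a href="http://mail-release.example.net/review?u=n6aa">Review Messages to release or block them</a></p>
<p>Or sign in at <a href="http://login.example.net/">https://www.arrl.org/login</a></p>
<p>Thanks, <a href="https://www.arrl.org">www.arrl.org</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a href> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host):
    """Last two labels as a stand-in for the registrable domain.
    Enough for this check; a gateway would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

# Something in the anchor text that looks like a host or URL
HOSTLIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)

def audit_links(html, expected_domain=EXPECTED_DOMAIN):
    """Return (text, href, reasons) for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = []
        target = urlparse(href)
        host = target.hostname or ""
        if registrable(host) != expected_domain:
            reasons.append(f"points off-domain to {host}")
        shown = HOSTLIKE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
        if target.scheme == "http":
            reasons.append("plain http")
        if reasons:
            findings.append((text, href, reasons))
    return findings

if __name__ == "__main__":
    for text, href, reasons in audit_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The three checks are the ones a hover reveals by eye: the target host is not the organisation's, the visible text advertises one host while the href goes to another, and the link is plain http. The "Review Messages" lure trips the first and third; the forged sign-in link trips all three; the genuine arrl.org link passes.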

Oddly enough, no, even though I receive tons of phishing scams, 419s and other assorted garbage. Thank you for the heads up. 73 Ria, N2RJ On Mon, 2 Mar 2020 at 21:22, Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:

Dick: I received no less than 6 today. Do not open them. And yes, they are from a .JA high level domain but that might be spoofed too. Delete and empty your trash file after that. de K3RF On 3/2/2020 9:22 PM, Richard Norton via arrl-odv wrote:

I also received 6 of the e-mails this morning, but Comcast correctly put them in the Spam folder. 73; Mike W7VO On March 2, 2020 at 6:35 PM Bob Famiglio K3RF via arrl-odv <arrl-odv@reflector.arrl.org> wrote:

Actually, yes, now that I looked at it, Google did put them in the spam folder for me. I got about a dozen of them. Ria N2RJ On Mon, 2 Mar 2020 at 22:00, Michael Ritz <w7vo@comcast.net> wrote:

This is not surprising. Email malware is the most pervasive mode of system attack. In my last position, we quarantined or deleted 60% of inbound emails on a regular basis. We deleted anything containing malware and from known hostile IP ranges and domains. We quarantined all non-whitelisted senders from many countries, and many domestic inbounds with suspicious links. We trained our user community with KnowBe4, a service that intentionally spammed our users (our favorite was Dunkin Coupons for police) and invited a click and then a form to tempt them to disclose identity information. If they fell for the bait, they were required to take an online security course which helped them identify potential malware. After we instituted these measures (and others!), we never had downtime or data loss caused by email. 73, Mickey N4MB On Mon, Mar 2, 2020 at 10:00 PM Michael Ritz <w7vo@comcast.net> wrote:
-- “Ends and beginnings—there are no such things. There are only middles.” Robert Frost

The reason you may have gotten them is because they did pass SPF checks and beyond that, Yahoo is pretty weak with spam filtering. SPF is Sender Policy Framework where the sending domain has a text record that says that only certain mail servers can send e-mail from that domain. It makes spoofing harder. Except where SPF passes for some reason. In this case it did. In the headers it is unclear as to whether or not PObox, our spam filtering service failed OR if the sender used a hijacked or rented email server. If it’s the former we should remedy this, but if it’s the latter there is nothing we can do. No spam filter is 100% effective but Google uses AI and ML (machine learning) with its neural network which is why it filters out nearly all spam. When in doubt, delete, hover over links and if it looks suspicious it probably is. 73 Ria, N2RJ (GMail user since 2004) On Mon, Mar 2, 2020 at 9:22 PM Richard Norton via arrl-odv < arrl-odv@reflector.arrl.org> wrote:
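Ria's observation that the messages passed SPF, and K3RF's remark that the sender address might be spoofed, are worth pinning down with a worked check. SPF (RFC 7208) authorises the connecting server for the domain in the envelope MAIL FROM (what ends up in Return-Path) or the HELO name; it says nothing about the address shown in the From: header. A message sent from a server the attacker legitimately controls therefore passes SPF for the attacker's own domain while the display name reads "Arrl Message Center", and only DMARC's alignment check (RFC 7489) ties the envelope domain to the From: domain. The code below is an added example written for this thread and not the real headers from the list: `evaluate_spf` applies the DNS-free mechanisms of a record, and `check_headers` compares the Return-Path domain with the From: domain. The `mailer.example.net` domain, the 203.0.113.0/24 range and the two sample messages are constructed.

```python
"""SPF record evaluation and From/Return-Path alignment, evaluated offline.
Added example: the record, the IP ranges and the two messages are constructed,
not the real headers from the thread."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Evaluate a v=spf1 TXT record against the connecting IP (RFC 7208 semantics
    for ip4/ip6/all). Mechanisms that need DNS (include, a, mx, exists, ptr)
    are reported as 'unresolved' instead of being guessed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # membership is False when the address family differs from the network
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech in ("include", "a", "mx", "exists", "ptr"):
            return "unresolved"
        # modifiers such as redirect=/exp= fall through
    return "neutral"

def org_domain(domain):
    """Last two labels as a stand-in for the organisational domain (a gateway uses the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def check_headers(raw_message, protected_domain="arrl.org"):
    """SPF vouches for the envelope sender (Return-Path); the reader sees From:.
    Report whether the two align (relaxed DMARC alignment) and whether the
    display name borrows the protected organisation's name while the address
    lives elsewhere."""
    msg = message_from_string(raw_message)
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    return {
        "envelope_domain": env_dom,
        "from_domain": from_dom,
        "aligned": bool(env_dom) and org_domain(env_dom) == org_domain(from_dom),
        "display_name_spoof": protected_domain.split(".")[0] in display.lower()
                              and org_domain(from_dom) != protected_domain,
    }

# Hypothetical record for the attacker's own sending domain.
ATTACKER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

# Sent from a server the attacker controls: SPF passes honestly for
# mailer.example.net, and the display name is free text.
LURE = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: pass (mailer.example.net: 203.0.113.10 is authorized) client-ip=203.0.113.10;
From: "Arrl Message Center" <notice@mailer.example.net>
To: n6aa@arrl.org
Subject: 7 pending messages from your organization

Review Messages to release or block them.
"""

# Same envelope, but From: forged as arrl.org: SPF still passes for the
# envelope domain, and only alignment (DMARC) exposes the mismatch.
FORGED_FROM = LURE.replace("<notice@mailer.example.net>", "<notice@arrl.org>")

if __name__ == "__main__":
    print(evaluate_spf(ATTACKER_SPF, "203.0.113.10"))   # pass
    print(check_headers(LURE))
    print(check_headers(FORGED_FROM))
```

Run against the lure, the record passes for 203.0.113.10 and the headers align, because both domains belong to the attacker; the only signal is the display name claiming ARRL while the address lives elsewhere. Against the forged-From variant, SPF still passes for the envelope domain, and it is the alignment result, not SPF, that flags the message. That is why "SPF passed" on its own says little about who wrote the mail.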

I checked and my GMail spam folder has 16 of these spoofy emails. And it also includes Barry's email about it! Mark, HDX (GMail user since 2007) [image: image.png] On Tue, Mar 3, 2020 at 7:10 AM rjairam@gmail.com <rjairam@gmail.com> wrote:

For Barry’s - click “not spam” and you did your part training the machine :) Ria On Tue, Mar 3, 2020 at 10:23 AM Mark J Tharp <kb7hdx@gmail.com> wrote:

If we are using only rudimentary filtering in pobox.com, we are headed for a problem. These types of emails worry me. Please don't forward them to the rest of the group, which may defeat safeguards - now they're from a trusted source! Please don't click on anything you're not certain is legitimate, ever! Phishing and "spear-phishing" (targeted email phishing) are among the highest-risk and most successful (for the bad guys) methods of system penetration. It is a real problem. There have been some very high profile attacks on government agencies that have resulted in data loss and billions of dollars of damage. Outages at the Cities of Baltimore, Atlanta, Riviera Beach and Key Biscayne, Florida, were caused by an internal employee clicking on a malware email. I've had a number of FBI briefings on these outages - in each, a demand was made for ransom that was, curiously, just above the limits of the organization's insurance coverage. The FBI also said that the best antivirus will only detect 60% of viruses and penetration attempts at any given moment, so the scans and updates must be frequent and, if possible, continuous and in-line.
From what I see in the message header, HQ probably (hopefully) scans emails when they arrive in-house, perhaps on ARRL workstations. Our emails come from a reflector that may scan for viruses or phishing attempts. Emails that we are getting are also being scanned by our individual email providers. Gmail, for example, as Ria explained, uses an excellent filter, which is why these messages end up in our spam folders.
However, even if you're using GMail as an end client, you're going to want to use something that scans and quarantines emails. I get one for free for my home from my Internet Service Provider and run a security gateway as well as clients on each workstation. There's been discussion of the league going to Office 365. I have personally participated in three major migrations of Microsoft Exchange and it isn't easy, but there were complexities of scale, uptime and archive requirements that likely don't exist at ARRL. Microsoft by default does not supply email anti-virus with Office 365, but it is available from them and other providers. These products typically examine inbound emails and filter or quarantine them before sending them on to the email server. The key is to get an easy-to-manage, easy-to-install set of tools to manage this "front end" before the email is sent to Office 365. Given all our external-facing systems, I hope that a penetration test is budgeted within IT and these systems are being examined by a security professional periodically. Mickey Baker, N4MB Palm Beach Gardens, FL “The servant-leader is servant first… It begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead." Robert K. Greenleaf On Tue, Mar 3, 2020 at 10:23 AM Mark J Tharp <kb7hdx@gmail.com> wrote:

Mickey: To give you some idea of the approach and methods we’re using here at HQ for email scanning, I’ll let Michael Keane, K1MK describe it:

We need to distinguish between the email controls that are in place for just arrl.org forwards (the Board) versus mail that is delivered to HQ.

We should also distinguish between emails which have virus or other malware payloads attached to the message and phishing attempts. Those are two different kinds of threats which are detected by different means. Phishing emails may appear as apparently benign as saying "please call this phone number" or "click on this link". This makes phishing messages more difficult to detect programmatically without simultaneously generating a whole bunch of false positives -- valid messages being sent off to the spam folder.

All inbound mail messages to arrl.org addresses first pass through PoBox's anti-spam filtering and basic virus scanning. As part of their anti-spam filtering PoBox blocks messages that are sent from hosts on the real-time blacklist which contains known bad actors.

PoBox blocks over 90% of the inbound traffic being sent to arrl.org and arrl.net addresses as spam or malware. The vast majority of the traffic through PoBox is for arrl.net.

"Zero days" in which phishy or spam-ish messages manage to leak through PoBox's filters can and do occur, and continue until PoBox can adjust their Bayesian filters in response. If the Board members are interested, they may forward examples of spam-ish messages that are delivered to their arrl.org addresses that have managed to evade PoBox's filters on to Dave or Oscar, who can help expedite closing the loop with PoBox to get leaks plugged more quickly.

Once incoming messages hit our inbound Exchange server there is an additional level of spam filtering in place there. After final delivery to user endpoints -- desktops -- we are running McAfee Endpoint Security to protect the endpoints (computers) against possible virus/malware payloads.

But all of the above is not sufficient to block all phishing attempts, which by the very nature of their design are intended to fly low under the radar of common safeguards and not to trigger a security response. To combat what is ultimately a human factors vulnerability, we have since 2018 required that all staff attend and successfully complete phishing security training, and be tested and re-certified on a periodic basis. We employ KnowBe4 (www.knowbe4.com) for staff phishing security training.

--MK

As you are well aware, this is a constant battle. And as Michael noted, we’re using technology and human training to combat the threats. 73, Barry, N1VXY

From: arrl-odv <arrl-odv-bounces@reflector.arrl.org> On Behalf Of Mickey Baker Sent: Tuesday, March 3, 2020 11:12 AM To: Keane, Michael, K1MK <mkeane@arrl.org> Cc: arrl-odv <arrl-odv@arrl.org> Subject: [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????
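Two of the layers K1MK describes, the real-time blacklist check on the connecting host and the Bayesian content filter behind it, and Mickey's earlier point that a front-end filter should decide before mail ever reaches the mail server, can be shown in miniature. This is an added example written for this thread, not PoBox's or ARRL's code. The DNSBL query name is built the standard way (reversed address under the list's zone), but the resolver is a stub with one constructed listing so the script runs offline; the training corpus, the two message texts and the 0.9 quarantine threshold are constructed for illustration.

```python
"""Two gateway layers in miniature: a DNSBL lookup of the connecting host,
then a naive Bayes score on the message text. Added example with a stub
resolver and a constructed training corpus; no network access is made."""
import ipaddress
import math
import re
from collections import Counter

DNSBL_ZONE = "zen.spamhaus.org"   # query-name convention only; answers below are stubbed

def dnsbl_name(client_ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets (or the IPv6 nibbles) and append the list zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        rev = ".".join(reversed(str(ip).split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def dnsbl_listed(client_ip, resolve_a, zone=DNSBL_ZONE):
    """resolve_a(name) returns the A records for name ([] on NXDOMAIN).
    A listing is signalled by an answer in 127.0.0.0/8; the last octet encodes
    the reason (Spamhaus ZEN: 2 = SBL, 4-7 = XBL, 10-11 = PBL)."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in resolve_a(dnsbl_name(client_ip, zone))
            if ipaddress.ip_address(a) in loopback]

# Stub standing in for DNS: one constructed listing, everything else NXDOMAIN.
STUB_ANSWERS = {dnsbl_name("203.0.113.10"): ["127.0.0.2"]}

def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])

TOKEN = re.compile(r"[a-z0-9]+")

class BayesFilter:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(TOKEN.findall(text.lower()))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        tokens = TOKEN.findall(text.lower())
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.counts[label].values())
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            for tok in tokens:
                lp += math.log((self.counts[label][tok] + 1) / (total + vocab))
            logp[label] = lp
        # logistic of the log-odds; avoids exponentiating either term alone
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))

# Constructed corpus: a few lure-like texts and a few lines of ordinary list traffic.
TRAINING = [
    ("pending messages from your organization review messages to release or block them", "spam"),
    ("you have 6 pending messages review messages to release them now", "spam"),
    ("release your blocked messages click to review", "spam"),
    ("board meeting agenda attached see you at the convention", "ham"),
    ("thanks for the heads up about the phishing delete it", "ham"),
    ("antenna project notes and contest log for the weekend", "ham"),
]

def build_filter():
    f = BayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f

def gateway_verdict(client_ip, text, bayes, resolve_a=stub_resolve, threshold=0.9):
    """Cheap RBL check first, content scoring second, as a real gateway orders them."""
    hits = dnsbl_listed(client_ip, resolve_a)
    if hits:
        return "reject", f"{client_ip} listed in {DNSBL_ZONE}: {hits}"
    p = bayes.spam_probability(text)
    return ("quarantine" if p >= threshold else "deliver"), f"p(spam)={p:.3f}"

LURE_TEXT = "You have 7 pending messages from your organization. Review Messages to release or block them."
HAM_TEXT = "Board meeting agenda for the weekend, contest log attached."

if __name__ == "__main__":
    bayes = build_filter()
    for ip, text in [("203.0.113.10", LURE_TEXT), ("198.51.100.7", LURE_TEXT), ("198.51.100.7", HAM_TEXT)]:
        print(ip, gateway_verdict(ip, text, bayes))
```

The ordering is the point K1MK makes: a host on the blacklist is rejected before its content is ever scored, a clean host's message is scored and quarantined when the Bayesian probability crosses the threshold, and ordinary list traffic is delivered. The "zero day" he describes is the case where a new lure's wording is not yet in the corpus, which is why forwarding escaped samples to the people who retrain the filter closes the gap faster.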

Barry and Michael: Thank you for the explanation. What is the cost of the "KnowBe4" training for the staff? Is it an annual cost or per session cost? What would it cost to provide the "KnowBe4" training to the Board (the 30 plus the Officers)? _______________________________________ John Robert Stratton N5AUS Director West Gulf Division Office: 512-445-6262 Cell: 512-426-2028 P.O. Box 2232 Austin, Texas 78768-2232 _______________________________________ On 3/3/20 2:28 PM, Shelley, Barry, N1VXY (CEO) wrote:
Mickey:
To give you some idea of the approach and methods we’re using here at HQ for email scanning, I’ll let Michael Keane, K1MK describe it:
We need to distinguish between the email controls that are in place for just arrl.org forwards (the Board) versus mail that is delivered to HQ.
We should also distinguish between emails which have virus or other malware payloads attached to the message and phishing attempts. Those are two different kinds of threats which are detected by different means. Phishing emails may appear as apparently benign as saying "please call this phone number" or "click on this link". This makes phishing messages more difficult to detect programmatically without simultaneously generating a whole bunch of false positives -- valid messages being sent off to the spam folder.
All inbound mail messages to arrl.org addresses first pass through PoBox's anti-spam filtering and basic virus scanning. As part of their anti-spam filtering, PoBox blocks messages that are sent from hosts on the real-time blacklist, which contains known bad actors.
PoBox blocks over 90% of the inbound traffic being sent to arrl.org and arrl.net addresses as spam or malware. The vast majority of the traffic through PoBox is for arrl.net.
"Zero days" in which phishy or spam-ish messages manage to leak through PoBox's filters can and do occur, and continue until PoBox can adjust their Bayesian filters in response. If the Board members are interested, they may forward examples of spam-ish messages that are delivered to their arrl.org addresses and have managed to evade PoBox's filters on to Dave or Oscar, who can help expedite closing the loop with PoBox to get leaks plugged more quickly.
Once incoming messages hit our inbound Exchange server there is an additional level of spam filtering in place there. After final delivery to user endpoints -- desktops -- we are running McAfee Endpoint Security to protect the endpoints (computers) against possible virus/malware payloads.
But all of the above is not sufficient to block all phishing attempts, which by the very nature of their design are intended to fly low under the radar of common safeguards and not to trigger a security response. To combat what is ultimately a human factors vulnerability, we have since 2018 required that all staff attend and successfully complete phishing security training, and be tested and re-certified on a periodic basis. We employ KnowBe4 (www.knowbe4.com) for staff phishing security training.
--MK
As you are well aware, this is a constant battle. And as Michael noted, we’re using technology and human training to combat the threats.
73,
Barry, N1VXY
*From:* arrl-odv <arrl-odv-bounces@reflector.arrl.org> *On Behalf Of *Mickey Baker *Sent:* Tuesday, March 3, 2020 11:12 AM *To:* Keane, Michael, K1MK <mkeane@arrl.org> *Cc:* arrl-odv <arrl-odv@arrl.org> *Subject:* [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????
If we are using only rudimentary filtering in pobox.com, we are headed for a problem. These types of emails worry me. Please don't forward them to the rest of the group, which may defeat safeguards - now they're from a trusted source! Please don't click on anything you're not certain is legitimate, ever!
Phishing and "spear-phishing" (targeted email phishing) are among the highest-risk and most successful (for the bad guys) methods of system penetration. It is a real problem. There have been some very high profile attacks on government agencies that have resulted in data loss and billions of dollars of damage. Outages at the Cities of Baltimore, Atlanta, Riviera Beach and Key Biscayne, Florida, were caused by an internal employee clicking on a malware email. I've had a number of FBI briefings on these outages - in each, a demand was made for ransom that was, curiously, just above the limits of the organization's insurance coverage. The FBI also said that the best antivirus will only detect 60% of viruses and penetration attempts at any given moment, so the scans and updates must be frequent and, if possible, continuous and in-line.
From what I see in the message header, HQ probably (hopefully) scans emails when they arrive in-house, perhaps on ARRL workstations. Our emails come from a reflector that may scan for viruses or phishing attempts. Emails that we are getting are also being scanned by our individual email providers. Gmail, for example, as Ria explained, uses an excellent filter, which is why these messages end up in our spam folders.
However, even if you're using GMail as an end client, you're going to want to use something that scans and quarantines emails. I get one for free for my home from my Internet Service Provider and run a security gateway as well as clients on each workstation.
There's been discussion of the league going to Office 365. I have personally participated in three major migrations of Microsoft Exchange and it isn't easy, but there were complexities of scale, uptime and archive requirements that likely don't exist at ARRL.
Microsoft by default does not supply email anti-virus with Office 365, but it is available from them and other providers. These products typically examine inbound emails and filter or quarantine them before sending them on to the email server. The key is to get an easy-to-manage, easy-to-install set of tools to manage this "front end" before the email is sent to Office 365.
Given all our external-facing systems, I hope that a penetration test is budgeted within IT and these systems are being examined by a security professional periodically.
Mickey Baker, N4MB Palm Beach Gardens, FL "The servant-leader is servant first… It begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead." Robert K. Greenleaf
On Tue, Mar 3, 2020 at 10:23 AM Mark J Tharp <kb7hdx@gmail.com> wrote:
I checked and my GMail spam folder has 16 of these spoofy emails.
And it also includes Barry's email about it!
Mark, HDX
(GMail user since 2007)
On Tue, Mar 3, 2020 at 7:10 AM rjairam@gmail.com <rjairam@gmail.com> wrote:
The reason you may have gotten them is because they did pass SPF checks and beyond that, Yahoo is pretty weak with spam filtering.
SPF is Sender Policy Framework where the sending domain has a text record that says that only certain mail servers can send e-mail from that domain. It makes spoofing harder.
Except where SPF passes for some reason. In this case it did.
From the headers it is unclear whether PoBox, our spam filtering service, failed OR whether the sender used a hijacked or rented email server.
If it’s the former we should remedy this, but if it’s the latter there is nothing we can do.
No spam filter is 100% effective but Google uses AI and ML (machine learning) with its neural network which is why it filters out nearly all spam.
When in doubt, delete, hover over links and if it looks suspicious it probably is.
73
Ria, N2RJ
(GMail user since 2004)
On Mon, Mar 2, 2020 at 9:22 PM Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:
_______________________________________________
arrl-odv mailing list
arrl-odv@reflector.arrl.org
https://reflector.arrl.org/mailman/listinfo/arrl-odv
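Ria's point that the lure "did pass SPF checks" and Michael's that phishing is hard to flag programmatically without false positives, as an added Python example that is not part of the thread: a minimal SPF evaluator over constructed DNS records (hypothetical, not the real arrl.org record; bulk-sender.example stands in for the rented or hijacked server), plus the From/envelope alignment and display-name checks a filter would layer on top. The sample headers, IPs and the two-signal threshold are the editor's constructions, not PoBox's or Gmail's logic.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-ins for DNS TXT lookups. These are hypothetical records,
# not the real arrl.org record; bulk-sender.example plays the rented or
# hijacked mail server Ria mentions.
FAKE_DNS_TXT = {
    "arrl.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

ORG_DOMAINS = {"arrl.org", "arrl.net"}  # domains entitled to use the brand
BRAND_WORDS = ("arrl",)
LURE_PHRASES = ("pending messages", "release or block")  # wording of the lure in the thread
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip):
    """Evaluate the SPF record of `domain` for one sending IP.

    Deliberately minimal: only ip4/ip6 mechanisms and the 'all' terminator
    (no include/a/mx/redirect), which is enough to show what a 'pass'
    does and does not prove. Returns pass, fail, softfail, neutral or none.
    """
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyse(headers, sender_ip):
    """Combine the SPF verdict with the header checks a filter adds on top.

    SPF vouches only for the envelope (Return-Path) domain, so a pass on the
    sender's own domain says nothing about the From header the reader sees;
    the From domain must align with it (DMARC-style). One weak signal is not
    enough on its own: the lure wording also occurs in legitimate mail.
    """
    display_name, from_addr = parseaddr(headers["From"])
    envelope_addr = parseaddr(headers["Return-Path"])[1]
    from_domain, envelope_domain = domain_of(from_addr), domain_of(envelope_addr)
    spf = check_spf(envelope_domain, sender_ip)
    aligned = from_domain == envelope_domain or from_domain.endswith("." + envelope_domain)
    flags = []
    if spf in ("fail", "softfail"):
        flags.append("spf_" + spf)
    if not aligned:
        flags.append("from_not_aligned_with_envelope")
    if any(w in display_name.lower() for w in BRAND_WORDS) and from_domain not in ORG_DOMAINS:
        flags.append("brand_in_display_name_only")
    text = (headers.get("Subject", "") + " " + headers.get("Body", "")).lower()
    if any(p in text for p in LURE_PHRASES):
        flags.append("lure_phrase")
    return {"spf": spf, "aligned": aligned, "flags": flags, "suspicious": len(flags) >= 2}


# Constructed samples modelled on the thread: the lure (sent from the bulk
# sender's own domain, so SPF passes), a legitimate HQ message that happens
# to share a phrase, and a crude From spoof that SPF does catch.
LURE = {
    "From": '"Arrl Message Center" <notice@bulk-sender.example>',
    "Return-Path": "<bounce@bulk-sender.example>",
    "Subject": "7 pending messages from your organization",
    "Body": "Review Messages to release or block them",
}
LURE_IP = "198.51.100.25"

HQ_MAIL = {
    "From": '"ARRL HQ" <hq@arrl.org>',
    "Return-Path": "<hq@arrl.org>",
    "Subject": "Pending messages: Board agenda items for review",
}
HQ_IP = "192.0.2.10"

SPOOF = {
    "From": '"Arrl Message Center" <notice@arrl.org>',
    "Return-Path": "<notice@arrl.org>",
    "Subject": "7 pending messages from your organization",
}
SPOOF_IP = "203.0.113.5"

if __name__ == "__main__":
    for name, hdrs, ip in (("lure", LURE, LURE_IP), ("hq", HQ_MAIL, HQ_IP), ("spoof", SPOOF, SPOOF_IP)):
        print(name, analyse(hdrs, ip))
```

The lure comes back with SPF "pass" and is still flagged on the brand-name and lure-phrase signals, while the HQ message that shares the phrase gets only one weak signal and is left alone.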

John:
The cost of KnowBe4 is an annual subscription of approximately $20 per user. So it would be about $600 per year to support training the Board.
One thing to note, the training for the staff is specifically intended to protect the ARRL infrastructure. But training the Board, while good information to have, isn’t going to do anything to make our email infrastructure more secure.
73,
Barry, N1VXY
From: arrl-odv <arrl-odv-bounces@reflector.arrl.org> On Behalf Of John Robert Stratton Sent: Wednesday, March 4, 2020 9:47 AM To: arrl-odv <arrl-odv@reflector.arrl.org> Subject: [arrl-odv:29776] Re: Messages From "Arrl Message Center" ?????
Barry and Michael
Thank you for the explanation.
What is the cost of the "KnowBe4" training for the staff? Is it an annual cost or per session cost?
What would it cost to provide the "KnowBe4" training to the Board (the 30 plus the Officers)?
_______________________________________
John Robert Stratton
N5AUS
Director
West Gulf Division
Office: 512-445-6262
Cell: 512-426-2028
P.O. Box 2232
Austin, Texas 78768-2232
_______________________________________
On 3/3/20 2:28 PM, Shelley, Barry, N1VXY (CEO) wrote:

Barry
Thanks for the cost info. As to training the Board, the cost question was not a prelude to an action item - it was for information only. After all, you have been with the League long enough to know that the Board is not trainable. :-)
_______________________________________
John Robert Stratton
N5AUS
Director
West Gulf Division
Office: 512-445-6262
Cell: 512-426-2028
P.O. Box 2232
Austin, Texas 78768-2232
_______________________________________
On 3/4/20 1:38 PM, Shelley, Barry, N1VXY (CEO) wrote:

I'm glad to hear this story, particularly the use of KnowBe4 (a Florida Company!) for internal staff. Our police officers and our HR department at the City were the worst offenders.
The bifurcation of the arrl.org inside v. outside was something we spoke about briefly at the A&F committee meeting in January - I was a guest. This is tough, it requires a table to redirect addresses. Office 365, being paid for on a per mailbox basis, will get more and more expensive as people move out of positions and keep their arrl.org, unless this bifurcation takes place in the data stream BEFORE messages go to the Office 365 server, so you won't be able to get rid of the pobox.com (where I assume this filter is placed) or the reflector, and the associated management to onboard and off-board active roles.
It's a big move from Exchange to Office 365. The easiest way to do it, in my opinion, is to use Quest Migration Manager. It is slow, but doesn't break anything. I recently moved a 24TB message store AND ARCHIVE and it took 3 months. But it was perfect, we never lost a message (that we know about, anyway!)
In my opinion, the ARRL is too small to be operating our own infrastructure, given the economies available with Cloud offerings. Likely the cost in hardware maintenance (if the ARRL pays hardware maintenance!) and insurance can justify the cost of cloud-based infrastructure and eliminate site dependent issues. The umbrella of protection of cloud provided security tools, the ability to adjust performance with demand, and physical environment costs offer a compelling case.
If I can help Mike's team in any way, let me know. I'm available as a volunteer.
Mickey Baker, N4MB Palm Beach Gardens, FL "The servant-leader is servant first… It begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead." Robert K. Greenleaf
On Tue, Mar 3, 2020 at 3:28 PM Shelley, Barry, N1VXY (CEO) <bshelley@arrl.org> wrote:
Mickey:
To give you some idea of the approach and methods we’re using here at HQ for email scanning, I’ll let Michael Keane, K1MK describe it:
We need to distinguish between the email controls that are in place for
just arrl.org forwards (the Board) versus mail that is delivered to HQ
We should also distinguish between emails which have virus or other
malware payloads attached to the message and phishing attempts. Those
are two different kinds of threats which are detected by different
means. Phishing emails may appear as apparently benign as saying "please
call this phone number" or "click on this link". This makes phising
messages more difficult to detect programmatically without
simultaneously generating a whole bunch of false positives -- valid
messages being sent off to the spam folder.
All mail inbound messages to arrl.org addresses first passes through
PoBox's anti-spam filtering and basic virus scanning. As part of their
anti-spam filtering PoBox blocks messages that are sent from hosts on
the real-time blacklist which contains known bad actors.
PoBox blocks over 90% of the inbound traffic being sent to arrl.org and
arrl.net address as spam or malware. The vast majority of the traffic through PoBox is for arrl.net.
"Zero days" in which phishy or spam-ish messages manage to leak through
PoBox's filters can and do occur, and continue until PoBox can adjust
their Bayesian filters in response. If the Board members are interested,
they may forward examples of spam-ish messages that are delivered to
their arrl.org addresses that have managed to evade PoBox's filters onto
Dave or Oscar who can help expedite closing the loop with PoBox to get
leaks plugged more quickly.
Once incoming messages hit our inbound Exchange server there is an
additional level of spam filtering in place there. After final delivery
to user endpoints -- desktops -- we are running McAffe Endpoint Security
to protect the endpoints (computers) against possible virus/malware
payloads.
But all of the above is not sufficient to block all phishing attempts
which by the very nature of their very design are intended to fly low
under the radar of common safeguards and not to trigger a security
response. To combat what is ultimately a human factors vulnerability, we
have since 2018 required that all staff attend and successfully complete
phishing security training. And to be tested and re-certified on a
periodic basis. We employ KnowBe4 (<www.knowbe4.com>) for staff phishing
security training.
--MK
As you are well aware, this is a constant battle. And as Michael noted, we’re using technology and human training to combat the threats.
73,
Barry, N1VXY
*From:* arrl-odv <arrl-odv-bounces@reflector.arrl.org> * On Behalf Of *Mickey Baker *Sent:* Tuesday, March 3, 2020 11:12 AM *To:* Keane, Michael, K1MK <mkeane@arrl.org> *Cc:* arrl-odv <arrl-odv@arrl.org> *Subject:* [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????
If we are using only rudimentary filtering in pobox.com, we are headed for a problem. These type emails worry me. Please don't forward them to the rest of the group, which may defeat safeguards - now they're from a trusted source! Please don't click on anything you're not certain that is legitimate, ever!
Phishing and "spear-phishing" (targeted email phishing) is one of the highest risk and most successful (for the bad guys) method of system penetration. It is a real problem. There have been some very high profile attacks on government agencies that have resulted in data loss and billions of dollars of damage. Outages at the Cities of Baltimore, Atlanta, Riviera Beach and Key Biscayne, Florida, were cause by activation of an internal employee clicking on a malware email. I've had number of FBI briefings on these outages - in each, a demand was made for ransom that was, curiously, just above the limits of the organization's insurance coverage. The FBI also said that the best antivirus will only detect 60% of viruses and penetration attempts at any given moment, so the scans and updates must be frequent and, if possible, continuous and in-line.
From what I see in the message header, HQ probably (hopefully) scans emails when they arrive in-house, perhaps on ARRL workstations. Our emails come from a reflector that may scan for viruses or phishing attempts. Emails that we are getting are also being scanned by our individual email providers. Gmail, for example, as Ria explained, uses an excellent filter, which is why these messages end up in our spam folders.
However, even if you're using GMail as an end client, you're going to want to use something that scans and quarantines emails. I get one for free for my home from my Internet Service Provider and run a security gateway as well as clients on each workstation.
There's been discussion of the league going to Office 365. I have personally participated in three major migrations of Microsoft Exchange and it isn't easy, but there were complexities of scale, uptime and archive requirements that likely don't exist at ARRL.
Microsoft by default does not supply email anti-virus with Office 365, but it is available from them and other providers. These products typically examine inbound emails and filter or quarantine them before sending them on to the email server. The key is to get an easy-to-manage, easy-to-install set of tools to manage this "front end" before the email is sent to Office 365.
Given all our external-facing systems, I hope that a penetration test is budgeted within IT and these systems are being examined by a security professional periodically.
Mickey Baker, N4MB
Palm Beach Gardens, FL
"The servant-leader is servant first... It begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead." Robert K. Greenleaf
On Tue, Mar 3, 2020 at 10:23 AM Mark J Tharp <kb7hdx@gmail.com> wrote:
I checked and my GMail spam folder has 16 of these spoofy emails.
And it also includes Barry's email about it!
Mark, HDX
(GMail user since 2007)
On Tue, Mar 3, 2020 at 7:10 AM rjairam@gmail.com <rjairam@gmail.com> wrote:
The reason you may have gotten them is because they did pass SPF checks and beyond that, Yahoo is pretty weak with spam filtering.
SPF is Sender Policy Framework where the sending domain has a text record that says that only certain mail servers can send e-mail from that domain. It makes spoofing harder.
Except where SPF passes for some reason. In this case it did.
In the headers it is unclear as to whether or not Pobox, our spam filtering service, failed OR if the sender used a hijacked or rented email server.
If it’s the former we should remedy this, but if it’s the latter there is nothing we can do.
No spam filter is 100% effective but Google uses AI and ML (machine learning) with its neural network which is why it filters out nearly all spam.
When in doubt, delete; hover over links, and if it looks suspicious it probably is.
73
Ria, N2RJ
(GMail user since 2004)
On Mon, Mar 2, 2020 at 9:22 PM Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:
Today I received seven messages, sent to n6aa@arrl.org, advising me that I have some number of "pending messages from your organization." Although the messages appear to come from something called "Arrl Message Center," they come from an address in Japan.
The messages have a link that says "Review Messages to release or block them."
I have not clicked on that link as this looks suspiciously like a scam that might infect my computer.
Have any of the rest of you received them? Has anyone clicked on the link? Anything happen?
73,
Dick, N6AA
_______________________________________________ arrl-odv mailing list arrl-odv@reflector.arrl.org https://reflector.arrl.org/mailman/listinfo/arrl-odv
-- “Ends and beginnings—there are no such things. There are only middles.” Robert Frost
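As an added illustration of Ria's SPF explanation in this thread (example code written for this page, not anything from the thread or from ARRL's or Pobox's systems): a minimal offline SPF evaluator for the ip4/ip6/all mechanisms, plus a DMARC-style alignment check showing why a bare SPF "pass" on the envelope domain does not prove the From: header the reader sees is genuine. The TXT records, IP addresses and domain names are constructed.

```python
import ipaddress

# Result an SPF mechanism yields when it matches, keyed by its qualifier.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for a hypothetical domain, not any real organisation's DNS.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # hard fail
LAX_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"                       # soft fail only


def evaluate_spf(record, sender_ip):
    """Evaluate one SPF record against the connecting IP with no DNS access.

    Only ip4, ip6 and all are implemented; mechanisms that need lookups
    (include, a, mx, exists) return 'unsupported' rather than a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"              # no policy published: nothing to verify
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"            # a bare mechanism is implicitly "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # Mixed address families never match; ipaddress handles that.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed mechanism: treat record as bad
        else:
            return "unsupported"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"               # nothing matched and no "all" term


def spf_aligned(record, sender_ip, envelope_domain, header_from_domain):
    """DMARC-style check: SPF must pass for the envelope (Return-Path) domain
    AND that domain must match the one the reader sees in the From: header.
    A sender can pass SPF for a domain it controls while displaying another,
    so a bare SPF "pass" by itself proves little about who the mail is from."""
    result = evaluate_spf(record, sender_ip)  # record is envelope_domain's TXT
    return result == "pass" and envelope_domain.lower() == header_from_domain.lower()
```

A mail from a rented server inside the authorised range passes SPF for the sender's own envelope domain; the alignment check is what catches a mismatched From: domain, and a strict "-all" record is what lets receivers reject outright rather than merely score the message.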