{"id":9143,"date":"2024-04-19T00:32:55","date_gmt":"2024-04-19T00:32:55","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9143"},"modified":"2024-04-20T23:32:43","modified_gmt":"2024-04-20T23:32:43","slug":"shall-we-say-good-bye-phishing-queue-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/04\/19\/shall-we-say-good-bye-phishing-queue-part-2\/","title":{"rendered":"Shall we say\u2026 Good bye, phishing queue? Part 2"},"content":{"rendered":"\n

In my older piece<\/a> I argued that we should stop caring about phishing alerts. Of course, it was a bit of a parable…<\/p>\n\n\n\n

Still, there is a lot of quick wins I described there that can be implemented\/incorporated into phishing workflows easily – as long as you have some sort of automation\/SOAR in place…<\/p>\n\n\n\n

As I mentioned back then, any emails marked as phish that come from all these ‘noreply’, ‘no-reply’, ‘donotreply’ mailboxes coming from well known domains can be (most of the time) auto-closed w\/o any investigation…<\/p>\n\n\n\n

Easy to say, but what are these really…?<\/p>\n\n\n\n

While I have personally collected a long list of these nothingburger email senders before, I got curious how many of these generic ‘do not reply’ type of email accounts are really out there, and not within a single company’s scope, but in general (that is, just email account names hosted on popular domains that belong to the ‘do nothing’ category).<\/p>\n\n\n\n

If asked about listing these passive account names from the top of your head I bet you would start with ‘noreply’, ‘no-reply’, and all the variants of ‘donotreply’, then you would perhaps follow with ‘contact’, ‘info’, ‘abuse’, ‘webmaster’, and so on and so forth, but … this is just a guesswork. I thought this approach was too speculative and that we can build a more more comprehensive list of these w\/o guessing. And mind you, this IS a very difficult request to fulfill. Unless you work for a company working in the mail security business, that is…<\/p>\n\n\n\n

And since I don’t, let’s get creative…<\/p>\n\n\n\n

I wrote a quick & dirty script that goes through a batch of files containing email addresses extracted from various public e-mail dumps. It reads them one by one and it tries to extract some basic stats about them. A lot of results are quite boring and non-actionable, many are discarded ‘on the fly’, but after running it for a few days, adjusting it here and there, my goal of building an _inaccurate_ histogram of the most commonly used do-not-reply account names started to bring fruits. And while I am writing this, my script is still running, but there are a lot of juicy results already, so I am going to share them below…<\/p>\n\n\n\n

Before I do so, let me help you with an interpretation.<\/p>\n\n\n\n

For every account name I am listing, try to find out if any of these come from the domains that are generally trustworthy. And the good news is — chances are, many of them contribute to your phishing alert volumes!<\/p>\n\n\n\n

For example, a noreply@facebook.com is trustworthy, but noreply@skdjfhskdjfgj.com is not.<\/p>\n\n\n\n

Now that we have all these pieces of information in place, let’s look at the actual list of email accounts of ‘no interest’:<\/p>\n\n\n\n