claudetools/clients/cascades-tucson/session-logs/2026-04-21-howard-spoofing-recheck-and-yq.md
Howard Enos f15862440e sync: auto-sync from HOWARD-HOME at 2026-04-21 15:07:39
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-21 15:07:39
2026-04-21 15:07:42 -07:00


Cascades Tucson — Post-DMARC spoofing recheck + yq install (Howard)

User

  • User: Howard Enos (howard)
  • Machine: Howard-Home
  • Role: tech

Session

  • Date: 2026-04-21 (UTC)
  • Scope: Verify tooling health on Howard-Home, verify Mike's DMARC fix is working for Cascades, clean up two missed phishes, then hand off for Intune Phase B-1

Note for Mike

Good news

Your _dmarc.cascadestucson.com change from p=none to p=quarantine; pct=100 is working. Between your 16:34Z sweep yesterday and 20:22Z today, zero new signature-matching spoofs were delivered. Two phishes landed after your sweep but before DNS propagation (both show dmarc=fail action=none in their headers — DMARC was still observational at delivery). Since the change propagated: nothing. 26-hour clean window.
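As an added example (not from the recheck report or the sweep script), a small Python check that applies the same header test to exported messages: dmarc=fail action=none before the record went live is the expected gap, while the same result after it would mean enforcement is not working. The propagation time and the header strings are constructed for the example; only the delivery times follow the table below.

```python
import re
from datetime import datetime, timezone

# Constructed sample: (delivery time UTC, Authentication-Results value).
# Times follow the two stragglers; the header text itself is illustrative.
SAMPLE_MESSAGES = [
    ("2026-04-20T13:41:00Z", "spf=fail smtp.mailfrom=cascadestucson.com; "
     "dmarc=fail action=none header.from=cascadestucson.com"),
    ("2026-04-20T18:28:00Z", "spf=fail smtp.mailfrom=cascadestucson.com; "
     "dmarc=fail action=none header.from=cascadestucson.com"),
    ("2026-04-21T09:02:00Z", "spf=pass smtp.mailfrom=cascadestucson.com; "
     "dmarc=pass action=none header.from=cascadestucson.com"),
    ("2026-04-21T15:10:00Z", "spf=fail smtp.mailfrom=cascadestucson.com; "
     "dmarc=fail action=quarantine header.from=cascadestucson.com"),
]
# Assumed moment the p=quarantine record had propagated (the note does not give it).
POLICY_LIVE_UTC = datetime(2026, 4, 20, 22, 0, tzinfo=timezone.utc)

DMARC_RE = re.compile(r"\bdmarc=(?P<result>[a-z]+)(?:\s+action=(?P<action>[a-z.]+))?")

def classify(delivered_iso, auth_results, policy_live=POLICY_LIVE_UTC):
    """Label one delivery: pass / enforced / expected-gap / ENFORCEMENT-MISS / no-dmarc."""
    m = DMARC_RE.search(auth_results)
    if not m:
        return "no-dmarc"
    if m["result"] == "pass":
        return "pass"
    if (m["action"] or "none") != "none":
        return "enforced"  # receiver applied the published policy at delivery
    delivered = datetime.fromisoformat(delivered_iso.replace("Z", "+00:00"))
    # dmarc=fail with action=none is only acceptable before the record went live
    return "expected-gap" if delivered < policy_live else "ENFORCEMENT-MISS"

def summarize(messages, policy_live=POLICY_LIVE_UTC):
    """Count deliveries per label; any ENFORCEMENT-MISS means the DNS change is not biting."""
    counts = {}
    for delivered, auth in messages:
        label = classify(delivered, auth, policy_live)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```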

Two stragglers I cleaned up

Your 4/20 sweep targeted 7 mailboxes; these two weren't on that list but got hit with same-campaign messages you'd have deleted if you'd seen them:

| Mailbox | When (UTC) | Subject | Origin | Outcome |
|---|---|---|---|---|
| accounting@ | 4/20 13:41Z | Action Required: Service Termination Alert | 104.168.70.29 (ColoCrossing US, LANG:zh-cn) | Permanently deleted from Inbox, HTTP 204 |
| jd.martin@ | 4/20 18:28Z | NSA: Cascadestucson Executed NDA Agreement | 178.211.155.48 (Deltahost DE, LANG:en) | Permanently deleted from Deleted Items, HTTP 204 |

Both were envelope-spoofed as the recipient themselves, both credential/document-bait phishes from the same operator as yesterday (new IPs but same hoster patterns — ColoCrossing + Deltahost). JD's was already user-deleted before I got to it; accounting@ was still in the Inbox.

User advisory — please mention when you talk to them

  • accounting@ (whoever checks that shared mailbox — likely Mary Hogan-Padilla): "On 4/20 around 6:41 AM local you got a fake Microsoft password-expiry email. Did anyone click the link? Need to know so we can decide whether to reset creds."
  • JD Martin: "The DocuSign/NDA email on 4/20 at 11:28 AM local was a phish. Confirm you didn't click through or enter any credentials."

IP blocking — skipped

You recommended TABL additions for the 4 IPs yesterday. I added the two new IPs (104.168.70.29, 178.211.155.48) to my report but did NOT add them to TABL — since DMARC enforcement is working, the additive blocks are redundant. If we see another wave that slips past DMARC, that's the signal to add them.

DMARC aggregate reports

Still routing to info@cascadestucson.com (internal mailbox, no one parsing). Flagged in my morning spoofing-hunt report as the highest-leverage remaining fix. I didn't touch this. Consider pointing rua at dmarcian or EasyDMARC (free tiers) so we can see who's spoofing cascadestucson.com in the wild + confirm enforcement empirically.

p=reject readiness

Once we have a week of aggregator data showing no legit senders are quarantined in error, you can bump from p=quarantine to p=reject. Don't do this blind — the risk is silently breaking a forwarding chain or vendor mail. Aggregator-first, then escalate.


Tooling fixes this session

Howard-Home state at start

  • Ollama local: running (qwen3-coder:30b, nomic-embed-text)
  • Ollama Tailscale: running (codestral:22b, qwen3:14b)
  • GrepAI watcher: running, indexed 1,978 files / 13,473 chunks / 85.3 MB, steady
  • Vault: D:/vault present, sops binary present, age keys present

Problem found: vault.sh broken because yq missing

bash D:/vault/scripts/vault.sh get-field ... was emitting:

[ERROR] Neither yq nor Python is available for YAML parsing.
        Install yq or ensure python + yaml-query.py are present.

vault.sh looks for yq first, then a Python fallback via $SCRIPT_DIR/yaml-query.py. Neither existed on Howard-Home.

Fix applied: installed yq v4.53.2 via winget

winget install MikeFarah.yq

Installed to C:\Users\Howard\AppData\Local\Microsoft\WinGet\Links\yq.exe. Verified: vault.sh get-field now returns clean values.

Gap: Python fallback script still missing everywhere

vault.sh:17,39,49 references $SCRIPT_DIR/yaml-query.py but that file doesn't exist in D:/vault/scripts/ (or anywhere in the vault repo). The fallback path Mike coded for (WDAC / policy-restricted machines) is documented but missing its implementation. Not urgent since yq works on Howard-Home and presumably on DESKTOP-0O8A1RL, but worth committing a yaml-query.py helper so the fallback actually fires if yq is blocked on a future machine.
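An added example of what that missing helper could look like (not code from the vault repo, and the CLI shape FILE DOTTED.PATH plus the stdout/exit behaviour vault.sh expects are assumptions): it parses only the YAML subset a secrets file needs, without PyYAML, so it runs on a policy-restricted machine that has a bare Python.

```python
"""Minimal yaml-query.py fallback for vault.sh (assumed CLI: yaml-query.py FILE DOTTED.PATH).
YAML subset, no PyYAML: nested mappings, scalars, quoted strings, '#' comments; no sequences."""
import sys

def _scalar(value):  # unquote, then drop a trailing ' # comment'
    value = value.strip()
    if value[0] in "\"'":
        end = value.find(value[0], 1)
        if end > 0:
            return value[1:end]
    return value.split(" #", 1)[0].rstrip()

def parse_yaml_mappings(text):
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, outermost first
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        while indent <= stack[-1][0]:  # dedent closes inner mappings
            stack.pop()
        if value.strip():
            stack[-1][1][key.strip()] = _scalar(value)
        else:  # bare 'key:' opens a nested mapping
            stack[-1][1][key.strip()] = child = {}
            stack.append((indent, child))
    return root

def query(data, path):  # resolve a dotted path to a scalar; KeyError otherwise
    node = data
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(path)
        node = node[part]
    if isinstance(node, dict):
        raise KeyError(f"{path} is a mapping, not a field")
    return node

SAMPLE = """# constructed sample vault file, placeholder values only
client:
  name: Cascades Tucson   # trailing comment
  m365:
    tenant_id: '00000000-0000-0000-0000-000000000000'  # placeholder
    dmarc: "p=quarantine; pct=100"
"""

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(query(parse_yaml_mappings(fh.read()), sys.argv[2]))
```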


Also done this session

  • /sync at session start — pulled 4 commits from Mike (MacBook-Air): Syncro API corrections, GuruRMM MSI deploy fix, BirthBiologic onboarding, desertrat.com Mailprotector SBR repair. Nothing Cascades-related.
  • Report written: reports/2026-04-21-post-dmarc-spoofing-recheck.md (full methodology + headers + delete log)
  • Sweep script kept at C:/tmp-scripts/cascades_scan.sh for future rechecks (reusable against any domain once cascadestucson.com is replaced with a variable)

Data artifacts

  • /tmp/cascades_recheck/ — users list, hits.jsonl, per-hit headers, delete log
  • /tmp/cascades_recheck/delete_log/20260421T203252Z_deletions.jsonl — structured record of the 2 HTTP 204 permanentDelete calls

What's next (picking up from 4/20 session)

Intune Phase B-1: Android compliance policy. See docs/intune-b1-android-compliance-walkthrough.md (new this session). To be executed from Howard-Home via the admin center this session.