Re: Adding Phishing Link rule

2006-06-24 Thread Philip Prindeville
What about combining this with a whitelist?

I.e. I regularly get emails from target.bifn0.com that contain links that
point to themselves, but say they are target.com.  And in fact, this is
a 3rd party that Target has contracted to do outsource mailings for them,
so in that respect they are legitimate.  So I could easily whitelist
them and continue to reject everyone else...

The other approach would be to push for an advisory standard (RFC)
that explains how to encode URLs so that they aren't flagged as
phishing.  (No flames from pissy people please... you know who you
are... ;-)  I.e. that at a minimum the host portions of the URL and the
label for the link would have to match...

If the sender REALLY needs to have the link reside somewhere else,
they could always have the published address send a Location: response
that redirects you to the eventual resting place.

-Philip


Loren Wilton wrote:

>The rule you suggest isn't particularly good.  There are far too many legit
>mails (mostly mailing list type of things) that do exactly what you want to
>check for.  So the FP rate is higher than most people would like.  This has
>been discussed many times in the past.
>
>That said, I believe there is at least one SARE rule that checks for exactly
>what you want to look for.
>
>Loren
>



Re: Adding Phishing Link rule

2006-06-19 Thread Stuart
Unfortunately, although many phishing mails would match this rule,
just as many legitimate messages would as well.  Check the archives.


http://www.nabble.com/Detecting-phishing-urls-t1027084.html#a2669493

On Sat, 17 Jun 2006 21:56:03 +0200
 Yves Goergen <[EMAIL PROTECTED]> wrote:

Hello,
I'm running SpamAssassin on my Exim MTA and would like to add a rule of
which I don't think it's built-in yet: Phishing mails commonly have an
HTML link in them with a target like "http://12.34.56.78/..." but a
label like "http[s]://somedomain/...". This case where the link label is
a domain but the target is a numeric IP, and even worse the case, where
the label has https: and the target only http:, I would like to score a
high number of points. Is this already built-in? I couldn't see it on
such a mail I received today.

How can I add this rule myself? The "rawbody" option only matches line
by line, which doesn't help me because the link is split over multiple
lines. What I need is something to match the entire message as one, with
HTML kept intact but encoding (Quoted Printable...) resolved. I have
seen the HTTPS_IP_MISMATCH rule that leads me to a Perl function. I
don't understand Perl very well, and this specific function is way too
complex for me. Also I don't know where to add my own Perl functions.
The documentation doesn't tell me.

--
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.
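
Added example (not part of any post in this thread, and not SpamAssassin code or a SpamAssassin rule): a stand-alone Python sketch of the check discussed above, which decodes Quoted-Printable first, parses anchors across line breaks, and compares the label URL with the href. The names `check_links`, `AnchorCollector`, `ALLOWED_PAIRS`, the finding labels and the sample body are assumptions made for illustration.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of (label host, href host) pairs for known outsourced mailers.
ALLOWED_PAIRS = {("target.com", "target.bifn0.com")}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # numeric IPv4 host only

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:  # label: drop all whitespace
            self.links.append((self._href, "".join("".join(self._text).split())))
            self._href = None

def check_links(qp_body: bytes):
    """Return (finding, label, href) tuples for links whose label is itself a URL."""
    parser = AnchorCollector()
    parser.feed(quopri.decodestring(qp_body).decode("utf-8", "replace"))
    findings = []
    for href, label in parser.links:
        try:
            lab, tgt = urlsplit(label), urlsplit(href)
        except ValueError:
            continue  # malformed URL, e.g. a broken IPv6 literal
        if lab.scheme not in ("http", "https") or not (lab.hostname and tgt.hostname):
            continue  # label is ordinary text, nothing to compare
        if (lab.hostname, tgt.hostname) in ALLOWED_PAIRS:
            continue
        if IPV4.fullmatch(tgt.hostname) and not IPV4.fullmatch(lab.hostname):
            findings.append(("IP_TARGET", label, href))
        elif lab.hostname != tgt.hostname:
            findings.append(("HOST_MISMATCH", label, href))
        if lab.scheme == "https" and tgt.scheme == "http":
            findings.append(("HTTPS_DOWNGRADE", label, href))
    return findings

# Constructed sample: QP-encoded HTML, first link split over lines with a soft break.
SAMPLE = (b'<a href=3D"http://12.34.56.78/login">\nhttps://www.example=\n.com/login</a>\n'
          b'<a href=3D"http://target.bifn0.com/o">http://target.com/o</a>\n'
          b'<a href=3D"http://lists.example.org/a">http://www.example.org/a</a>\n')
```

The third sample link is the mailing-list style case raised elsewhere in the thread: a plain host mismatch fires on it, which is why such a finding would only contribute to a score rather than reject on its own.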




Re: Adding Phishing Link rule

2006-06-19 Thread Yves Goergen
On 19.06.2006 18:26 CE(S)T, Chris Santerre wrote:
> Why not just use black.uribl.com ? It lists PHISHes.

Trying this out now.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.


Re: Adding Phishing Link rule

2006-06-19 Thread Jamie L. Penman-Smithson


On 19 Jun 2006, at 17:26, Chris Santerre wrote:
> Still I don't know how to create a rule like this. But as someone else
> in the bug tracker already mentioned a year ago, what SpamAssassin
> misses to do things like that is a 'rawbody' match that uses the entire
> message, not only single lines. Content can be arbitrary split over many
> lines so that any 'rawbody' rule can become useless pretty fast. :(

Why not just use black.uribl.com ? It lists PHISHes.

There's also ph.surbl.org 

-j





RE: Adding Phishing Link rule

2006-06-19 Thread Chris Santerre

> -----Original Message-----
> From: Yves Goergen [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, June 18, 2006 5:46 AM
> To: Loren Wilton
> Cc: users@spamassassin.apache.org
> Subject: Re: Adding Phishing Link rule
> 
> 
> On 18.06.2006 03:51 CE(S)T, Loren Wilton wrote:
> > The rule you suggest isn't particularly good.  There are far too many legit
> > mails (mostly mailing list type of things) that do exactly what you want to
> > check for.  So the FP rate is higher than most people would like.
> 
> However, I haven't seen this type of link before and I cannot tolerate
> people showing explicit URLs in a link label but actually linking
> somewhere else. This rule, as so many, isn't intended to block a message
> on its own, but gives its part to the score.
> 
> > That said, I believe there is at least one SARE rule that checks for exactly
> > what you want to look for.
> 
> Now that I know what SARE is, it doesn't make the impression of a
> considerable archive to me, with respect to this issue.


Say what??? It's not really a discussion list type setup. If you mean the forums, hell even I haven't looked at them in ages :)

Loren meant that there is already a rule written by SARE for exactly what you are looking for. You just need to find it. I'll see if I can. 

> 
> Still I don't know how to create a rule like this. But as someone else
> in the bug tracker already mentioned a year ago, what SpamAssassin
> misses to do things like that is a 'rawbody' match that uses the entire
> message, not only single lines. Content can be arbitrary split over many
> lines so that any 'rawbody' rule can become useless pretty fast. :(


Why not just use black.uribl.com ? It lists PHISHes.


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com







Re: Adding Phishing Link rule

2006-06-18 Thread Yves Goergen
On 18.06.2006 03:51 CE(S)T, Loren Wilton wrote:
> The rule you suggest isn't particularly good.  There are far too many legit
> mails (mostly mailing list type of things) that do exactly what you want to
> check for.  So the FP rate is higher than most people would like.

However, I haven't seen this type of link before and I cannot tolerate
people showing explicit URLs in a link label but actually linking
somewhere else. This rule, as so many, isn't intended to block a message
on its own, but gives its part to the score.

> That said, I believe there is at least one SARE rule that checks for exactly
> what you want to look for.

Now that I know what SARE is, it doesn't make the impression of a
considerable archive to me, with respect to this issue.

Still I don't know how to create a rule like this. But as someone else
in the bug tracker already mentioned a year ago, what SpamAssassin
misses to do things like that is a 'rawbody' match that uses the entire
message, not only single lines. Content can be arbitrary split over many
lines so that any 'rawbody' rule can become useless pretty fast. :(

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.


Re: Adding Phishing Link rule

2006-06-18 Thread Yves Goergen
On 18.06.2006 04:29 CE(S)T, Theo Van Dinter wrote:
> Actually that is a rule already in 3.1 (HTTPS_IP_MISMATCH) (anchor text
> has to be https w/ some http href which is an IP).

Well, if it really is, it doesn't work.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.


Re: Adding Phishing Link rule

2006-06-17 Thread Theo Van Dinter
On Sat, Jun 17, 2006 at 09:56:03PM +0200, Yves Goergen wrote:
> I'm running SpamAssassin on my Exim MTA and would like to add a rule of
> which I don't think it's built-in yet: Phishing mails commonly have an
> HTML link in them with a target like "http://12.34.56.78/..." but a
> label like "http[s]://somedomain/...". This case where the link label is

Actually that is a rule already in 3.1 (HTTPS_IP_MISMATCH) (anchor text
has to be https w/ some http href which is an IP).

For other versions of that rule:

http://wiki.apache.org/spamassassin/AntiPhishFakeUrlRule

-- 
Randomly Generated Tagline:
Captain!  Someone has snorted all the dilithium crystals.




Re: Adding Phishing Link rule

2006-06-17 Thread Loren Wilton
The rule you suggest isn't particularly good.  There are far too many legit
mails (mostly mailing list type of things) that do exactly what you want to
check for.  So the FP rate is higher than most people would like.  This has
been discussed many times in the past.

That said, I believe there is at least one SARE rule that checks for exactly
what you want to look for.

Loren



Re: Adding Phishing Link rule

2006-06-17 Thread Yves Goergen
On 17.06.2006 22:05 CE(S)T, Michele Neylon :: Blacknight.ie wrote:
> You could have a look at MailScanner (http://www.mailscanner.info) as
> this has builtin support for phishing checks ...

Sorry, MailScanner doesn't support SMTP-time checks and requires me to
set up 2 separate Exim instances with non-standard configuration, this is
all too hacky to me. I'm looking for a way to do that with SpamAssassin
directly.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.


Re: Adding Phishing Link rule

2006-06-17 Thread Michele Neylon :: Blacknight.ie
You could have a look at MailScanner (http://www.mailscanner.info) as
this has builtin support for phishing checks ...

-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239