Re: phishing rules
On Tue, 25 Aug 2015 08:25:30 -0400 Joe Quinn wrote:

> On 8/25/2015 7:51 AM, RW wrote:
> > On Tue, 25 Aug 2015 09:55:57 +0200
> > Tom Hendrikx wrote:
> >
> >> Basically every MUA I know will label the message as a possible
> >> scam when you use the BAD version, which is why you actually never
> >> see it in non-spam mail, unless the editor was a real noob.
> >
> > That applies to spam too.
> >
> > Would this really have a significant effect on modern phishes?
>
> It still works against a lot of people, even those who know what to
> look for. It's easy to get complacent and click a link without
> checking it first when you go through a hundred emails a day.

It's not really about whether it might work, but whether it's actually
being used. The original post was about the current wave of phishes that
are getting through SA. What I'm seeing is phishes that are convincing
without using the domain mismatch which triggers a malicious link
warning. I just wondered whether it had been established that domain
mismatches are a common feature of the phishes that are getting through.
Re: phishing rules
On 8/25/2015 7:51 AM, RW wrote:
> On Tue, 25 Aug 2015 09:55:57 +0200
> Tom Hendrikx wrote:
>
>> Basically every MUA I know will label the message as a possible scam
>> when you use the BAD version, which is why you actually never see it in
>> non-spam mail, unless the editor was a real noob.
>
> That applies to spam too.
>
> Would this really have a significant effect on modern phishes?

It still works against a lot of people, even those who know what to look
for. It's easy to get complacent and click a link without checking it
first when you go through a hundred emails a day.

That said, it also works because it's common in ham to the point that you
just sometimes have to ignore it. Lots of questionable but consented-to
mass marketing emails will use a tracker domain for embedded URLs, so when
someone links to <a href=http://apache.org>apache.org</a>, it gets
rewritten and now it hits this new rule. Or perhaps if you ever are told
to go to <a href=http://*www*.google.com>google.com</a> and log into
<a href=http://*accounts.google.com*>gmail.com</a> you'll hit the rule
too...

There's a lot of reasons to have such a rule and lots of reasons to not
have it. Without any data, I would lean towards not having it, because
there's usually a better pattern to match on. But we can have data! Put
the rule in a sandbox and see what RuleQA thinks of its stats.
Re: phishing rules
On Tue, 25 Aug 2015 09:55:57 +0200
Tom Hendrikx wrote:

> Basically every MUA I know will label the message as a possible scam
> when you use the BAD version, which is why you actually never see it in
> non-spam mail, unless the editor was a real noob.

That applies to spam too.

Would this really have a significant effect on modern phishes?
Re: phishing rules
On 24-08-15 18:34, Joseph Brennan wrote:
>
> Nick Edwards wrote:
>
>> example
>> the displayed version in mail might be www.example.com, but the actual
>> URI when you highlight or click on it, is foobar.example.net
>
>
> The most common case is that the text shows the real web page, but the
> link goes to a click counter page that redirects to the real web page.
> This is usually not spam but wanted list mail from Mail Chimp, Constant
> Contact, and friends.

That is why all those messages actually don't use a URL in the text, but
a regular textual description:

BAD:  <a href="http://redirector.tld?go=acme.com">acme.com</a>
GOOD: <a href="http://redirector.tld?go=acme.com">Visit ACME website</a>

Basically every MUA I know will label the message as a possible scam when
you use the BAD version, which is why you actually never see it in
non-spam mail, unless the editor was a real noob. I have no recent
experience with MailChimp and friends, but I hope they're educating users
to use the GOOD version.

So a clear spam indicator for me.

Regards,
Tom
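The BAD/GOOD distinction above, and the cases discussed elsewhere in this thread (www.google.com versus google.com, accounts.google.com versus gmail.com, and a tracker domain rewriting a link to apache.org), can be checked mechanically. The Python below is an added example, not code from the thread or from SpamAssassin: it extracts every anchor, and only when the visible text is itself a hostname or URL does it compare the text's domain with the href's domain. The "organizational domain" helper (last two labels) is a simplification assumed for this example; real code would use a public-suffix list. The sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like" a hostname or URL, i.e. the BAD
# pattern from the thread. Descriptive text such as "Visit ACME website"
# does not match, so the GOOD pattern is never flagged.
HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)


def registrable(host):
    """Crude organizational domain: the last two labels of the hostname.
    This is an assumption made for the example (it mishandles e.g.
    example.co.uk); production code should consult a public-suffix list.
    Comparing at this level is what keeps www.google.com vs google.com
    from being reported as a mismatch."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (text_domain, href_domain) for each anchor whose visible text
    is a hostname/URL whose organizational domain differs from the href's."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        m = HOSTLIKE.match(text)
        if not m:
            continue                      # descriptive text: GOOD pattern
        href_host = urlparse(href).hostname or ""
        if not href_host:
            continue                      # relative or mailto: link, skip
        text_dom, href_dom = registrable(m.group(1)), registrable(href_host)
        if text_dom != href_dom:
            hits.append((text_dom, href_dom))
    return hits


# Constructed sample covering the cases raised in the thread.
SAMPLE_HTML = """
<p>BAD:  <a href="http://redirector.tld?go=acme.com">acme.com</a></p>
<p>GOOD: <a href="http://redirector.tld?go=acme.com">Visit ACME website</a></p>
<p>Same org, not a mismatch: <a href="http://www.google.com">google.com</a></p>
<p>Different org: <a href="http://accounts.google.com">gmail.com</a></p>
<p>Tracker rewrite of a ham link (the false-positive case):
   <a href="http://click.tracker.example/r?u=http://apache.org">apache.org</a></p>
"""


def scan_sample():
    """Run the detector over the constructed sample."""
    return mismatched_links(SAMPLE_HTML)


if __name__ == "__main__":
    for text_dom, href_dom in scan_sample():
        print(f"mismatch: text says {text_dom}, link goes to {href_dom}")
```

The last sample anchor is the point Joe Quinn makes: a legitimate list mail whose links were rewritten through a tracker domain produces exactly the same signal as a phish, which is why the thread recommends putting such a rule in a sandbox and reading its RuleQA statistics before giving it a score.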
Re: phishing rules
Nick Edwards wrote:
> example
> the displayed version in mail might be www.example.com, but the actual
> URI when you highlight or click on it, is foobar.example.net

The most common case is that the text shows the real web page, but the
link goes to a click counter page that redirects to the real web page.
This is usually not spam but wanted list mail from Mail Chimp, Constant
Contact, and friends.

A recent variation is a link going to urldefense.proofpoint.com which
redirects to the real web page-- or not, if Proofpoint has found the web
page to be malicious by the time the user clicks. Even if you don't use
Proofpoint to do this rewriting, you're going to see the result sometimes
in replies that include the original, and forwards. Ironically this is an
ANTI phishing technique.

I realize you're not interested but other people read this list :-)

Joseph Brennan
Columbia University
Re: phishing rules
On Mon, 24 Aug 2015 13:14:41 +1000
Nick Edwards wrote:

> Hey,
>
> Kind of had enough of regular URIBL's not getting this stuff, so
> wondering has anyone wrote any rules they want to share on/off list to
> match on mismatched URI links,

Are you getting a lot of phishes that still do this? It used to be really
common, but I haven't seen it much recently.
Re: phishing rules
On August 24, 2015 5:14:53 AM Nick Edwards wrote: ciao Agere, create share deploy, thank you
Re: Phishing rules?
Joseph Brennan <[EMAIL PROTECTED]> writes:

> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /[EMAIL PROTECTED]/

I created a meta-rule out of these (with a score of 8), and then ran
spamassassin -D < phish to see how it worked. It matched the metarule
flawlessly, but the phish ended up with only a 5.4 score due to BAYES_00
dragging it down. That was surprising to me, so I started to wonder if my
bayes DB was poisoned. I ran some stats, and the results seem to indicate
a healthy bayes database (unless I am reading this wrong)...

A side note: it's interesting to note how only 9% of our email is spam,
which seems low, but maybe clamav-milter+rbls are blocking the remaining
40%?

Email:  2379392  Autolearn: 1075396  AvgScore: -6.32  AvgScanTime: 5.96 sec
Spam:    227816  Autolearn:  114079  AvgScore: 14.75  AvgScanTime: 4.23 sec
Ham:    2151576  Autolearn:  961317  AvgScore: -8.56  AvgScanTime: 6.15 sec

Time Spent Running SA:       3941.26 hours
Time Spent Processing Spam:   267.76 hours
Time Spent Processing Ham:   3673.50 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                  COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  HTML_MESSAGE              154522    54.03    67.83   52.57
   2  BAYES_99                  134531     6.09    59.05    0.48
   3  BOTNET                    133687     8.90    58.68    3.63
   4  RDNS_NONE                 102255    10.19    44.88    6.51
   5  URIBL_JP_SURBL             98879     4.94    43.40    0.87
   6  MIME_HTML_ONLY             87518     7.62    38.42    4.36
   7  URIBL_OB_SURBL             76624     3.98    33.63    0.84
   8  DCC_CHECK                  74600     8.51    32.75    5.94
   9  URIBL_AB_SURBL             59890     2.72    26.29    0.23
  10  URIBL_SC_SURBL             53911     2.51    23.66    0.27
  11  RCVD_IN_BL_SPAMCOP_NET     43120     2.43    18.93    0.68
  12  URIBL_WS_SURBL             38251     1.79    16.79    0.21
  13  URIBL_RHS_DOB              36565     2.17    16.05    0.70
  14  BAYES_50                   35322     3.93    15.50    2.71
  15  HTML_IMAGE_ONLY_16         33887     1.68    14.87    0.28
  16  HTML_SHORT_LINK_IMG_2      33118     1.56    14.54    0.19
  17  HTML_IMAGE_RATIO_02        32757     2.93    14.38    1.72
  18  URIBL_SBL                  30456     1.80    13.37    0.57
  19  RAZOR2_CHECK               27722     2.55    12.17    1.53
  20  RAZOR2_CF_RANGE_51_100     26856     2.41    11.79    1.41
----------------------------------------------------------------------

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                  COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BAYES_00                 2002969    84.67     5.15   93.09
   2  HTML_MESSAGE             1131073    54.03    67.83   52.57
   3  UNPARSEABLE_RELAY         760567    32.93    10.12   35.35
   4  DKIM_SIGNED               693328    29.74     6.26   32.22
   5  DKIM_VERIFIED             531590    22.67     3.38   24.71
   6  ALL_TRUSTED               173612     7.30     0.05    8.07
   7  USER_IN_WHITELIST         155704     6.54     0.00    7.24
   8  RDNS_NONE                 140127    10.19    44.88    6.51
   9  DCC_CHECK                 127844     8.51    32.75    5.94
  10  RCVD_IN_DNSWL_LOW         101863     4.31     0.34    4.73
  11  MIME_HTML_ONLY             93817     7.62    38.42    4.36
  12  RCVD_IN_DNSWL_MED          90038     3.81     0.31    4.18
  13  WHOIS_NETSOLPR             87575     3.72     0.38    4.07
  14  MIME_QP_LONG_LINE          82804     4.49    10.52    3.85
  15  BOTNET                     78052     8.90    58.68    3.63
  16  BAYES_50                   58286     3.93    15.50    2.71
  17  FUZZY_AMBIEN               53284     2.28     0.38    2.48
  18  SARE_SUB_ENC_UTF8          50533     2.14     0.17    2.35
  19  SARE_MILLIONSOF            42268     1.84     0.67    1.96
  20  FORGED_YAHOO_RCVD          38762     1.74     1.16    1.80
----------------------------------------------------------------------

Then I looked to see what bayes did with the message, but I do not
understand how to read the output. Can someone explain this to me and
give me an idea why BAYES_00 fired when we've been feeding every one of
these spams to bayes to train on it?

$ spamassassin -D bayes < phish
[9595] dbg: bayes: using username: @GLOBAL
[9595] dbg: bayes: database connection established
[9595] dbg: bayes: found ba
Re: Phishing rules?
Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
>> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>>
>> /Password.{0,10}\([\s\.\*\_]+\)/
>>
>> /you must reply to this email/i
>>
>> Reply-to =~ /[EMAIL PROTECTED]/
>
> I'm new at writing custom rules, so I am trying to figure out the best
> way to do this. Would it be better to make a different rule for each one
> of these, or would it be better to make a meta-rule? My guess is it's
> better to make a meta-rule, but that means that each rule must hit in
> order to get the larger score, versus some of the individual rules
> hitting and adding up to the larger score. The meta-rule seems good
> because it describes a full profile phishing email that must be met, but
> it seems bad because one tweak of the phish would result in the
> meta-rule not matching overall. I suppose this is the point of the
> arithmetic meta-rule possibility, however I'm puzzled at the best
> mechanism to choose. Any advice would be appreciated.

My thinking is lots of low scoring rules are better than one large
scoring rule. You can however combine the two techniques with metarules
whereby if 3 or more single scoring rules are met a metarule adds an
additional score just for good measure.

> Once I figure out the best way to match these, I need a good way to
> determine what I should score these. The rule-writing documentation
> suggests starting at 0.1 and then moving it up as you test it, and
> suggests extreme caution scoring a custom rule over 1, however it seems
> like these would be better scored higher than that.

That depends on how specific your rules are. Try to write rules for
phrases rather than single words. If the phish are specific to you then
it shouldn't be too difficult to write rules to specifically catch them.
If/when the phishers tweak the phish then you'll need to tweak your rules.
Look at the emails with an analytical eye - what giveaway signs tell you
that they are spam? Then try to write rules to detect what you see.

>> The first of course is partly local to us. Another useful local rule
>> is to check for the uri of your own webmail.
>
> Yeah, i'll make a uri rule for that and probably add that to the
> meta-rule.
>
> Thanks for any advice,
> micah
Re: Phishing rules?
Joseph Brennan <[EMAIL PROTECTED]> writes:

> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /[EMAIL PROTECTED]/

I'm new at writing custom rules, so I am trying to figure out the best
way to do this. Would it be better to make a different rule for each one
of these, or would it be better to make a meta-rule? My guess is it's
better to make a meta-rule, but that means that each rule must hit in
order to get the larger score, versus some of the individual rules
hitting and adding up to the larger score. The meta-rule seems good
because it describes a full profile phishing email that must be met, but
it seems bad because one tweak of the phish would result in the meta-rule
not matching overall. I suppose this is the point of the arithmetic
meta-rule possibility, however I'm puzzled at the best mechanism to
choose. Any advice would be appreciated.

Once I figure out the best way to match these, I need a good way to
determine what I should score these. The rule-writing documentation
suggests starting at 0.1 and then moving it up as you test it, and
suggests extreme caution scoring a custom rule over 1, however it seems
like these would be better scored higher than that.

> The first of course is partly local to us. Another useful local rule
> is to check for the uri of your own webmail.

Yeah, i'll make a uri rule for that and probably add that to the
meta-rule.

Thanks for any advice,
micah
Re: Phishing rules?
Sahil Tandon <[EMAIL PROTECTED]> writes:

> Joseph Brennan <[EMAIL PROTECTED]> wrote:
>
>>> We get some legitimate email from @live.com users.
>>
>> But they don't set a Reply-to header. That's the test.
>
> But that wasn't his question; he asked whether any legitimate mail flows
> from live.com. That was my answer. :)

You are technically correct, but Joseph's message made clear the
information that I was not aware of, which was quite helpful and
technically better.

Micah
Re: Phishing rules?
On Mon, November 3, 2008 12:02, Martin Gregorie wrote:
> ^http:.*\.spaces\.live\.com\/$
> in its body but the From: header identifies a completely unrelated
> address. Would a rule that tags messages with this From and URI combo be
> useful or would it generate too many FPs?

http://www.nabble.com/Re:-FreeMail-plugin-td16200020.html

might be helpful

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Phishing rules?
Jeff Chan wrote:
> On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>> [...]
>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>> that? if its automatic, that pulls in SURBL phishing).
>
> Increase the score on:
>
> URIBL_PH_SURBL

out of curiosity, what score do you suggest?

> The current SpamAssassin rules scoring process gives it an artificially
> low score which is counterproductive IMO. If you want to stop more
> phishing spams, consider increasing the score.
>
> Jeff C.
Re: Phishing rules?
Micah Anderson wrote:
> * Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:
>> Micah Anderson wrote:
>>> reject_rbl_client list.dsbl.org,
>>
>> DSBL has shut down, and you should remove the query from your list. It
>> won't help with the phishing, but it'll free up some network resources.
>> Info: http://dsbl.org/node/3
>
> Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which is
> a shame.

why? that's what I use (I only use other DNSBLs in some cases).

> I had to remove barracuda because I've received already 3 complaints
> about false-positives, that's a real shame, because it was blocking
> about 3x as much as zen was.

can you share these FPs? if you can't post them to a public list but can
post them to me, I am interested.

>>> I've got clamav pulling signatures updated once a day from sanesecurity
>>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>>
>> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
>> before they even get to SpamAssassin. We call clamd through MIMEDefang,
>> then call SpamAssassin (also through MimeDefang) if a message passes.
>> Have you verified that Clam is using the SaneSecurity signatures? How
>> are you calling ClamAV?
>
> Oh I'm certainly blocking phishing attempts via the SaneSecurity
> signatures, probably 200+ in the last hour alone. However, the phishing
> emails that are getting through are not known to their signature
> database, and in some case have been directly targeted at the domain I
> am managing. That's why I am interested in rules that look for typical
> phishing emails. These emails are usually quite similar in their
> construction, so it seems like a good case for rules.

It's hard to block all phishes, since new forms appear every now and
then.
Re: Phishing rules?
Joseph Brennan <[EMAIL PROTECTED]> wrote:

>> We get some legitimate email from @live.com users.
>
> But they don't set a Reply-to header. That's the test.

But that wasn't his question; he asked whether any legitimate mail flows
from live.com. That was my answer. :)

--
Sahil Tandon <[EMAIL PROTECTED]>
Re: Phishing rules?
On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
> >> Reply-to: [EMAIL PROTECTED]
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
> > score LOCAL_REPLYTO_LIVE 8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.
>
> Is live.com a legitimate email sender? It looks microsoft related. If I
> set it to 8, then any mail from that address is surely to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.
>
The latest pharmacy scam to get through my filters has a URI that
matches:

^http:.*\.spaces\.live\.com\/$

in its body but the From: header identifies a completely unrelated
address. Would a rule that tags messages with this From and URI combo be
useful or would it generate too many FPs?

Martin
Re: Phishing rules?
Sahil Tandon <[EMAIL PROTECTED]> wrote:
> We get some legitimate email from @live.com users.

But they don't set a Reply-to header. That's the test.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: Phishing rules?
Micah Anderson <[EMAIL PROTECTED]> wrote:

> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
> >> Reply-to: [EMAIL PROTECTED]
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
> > score LOCAL_REPLYTO_LIVE 8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.
>
> Is live.com a legitimate email sender? It looks microsoft related. If I
> set it to 8, then any mail from that address is surely to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.

It is Microsoft:

% whois `dig +short live.com`
OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
...

> Or perhaps nothing but spam comes from live.com? I dont know anything
> about it.

We get some legitimate email from @live.com users.

--
Sahil Tandon <[EMAIL PROTECTED]>
Re: Phishing rules?
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:

> On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
>> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
>> > Do you mean attempts to get your users to send their passwords,
>> > or fake mail pretending to be from banks?
>>
>> I mean attempts to get my users to send their passwords, are these not
>> called phishing?
>
> An important bit of information, missing from the OP. :) Targeted
> attacks at your users, so the general phishing BLs don't really apply.
>
> Anyway, can't you educate your users, that
>
> (a) Any administrative email will be sent from an official, well known,
> internal address? That means *not* an arbitrary address. Yes, sorry,
> the obvious...
> (b) They will *never* ever be asked for a password by mail. Period.
> Again, obvious...

We've been telling our users this for years, but there is always someone
who doesn't listen, or forgets, or something. I dont know. I find it
absolutely incredible that anyone would fall for any of these, yet I am
the one who has to clean up the mess :P

> Then block internal / administrative From addresses coming from any
> external SMTP.

Yeah, thats done, they dont get by faking our From, but the body is
constructed in a way to mislead and impersonate our "staff" or whatever,
usually by threatening people that their account will be closed, unless
they reply.

> This is not a technical way to stopping these, but an educational
> approach to prevent the most dumb and gross social engineering. At least
> the second one actually should be well-known, and I've seen ISPs
> pointing it out frequently...

Thanks, but we've done all these, and continue to do them, they are
another plank in the various mechanisms that we must employ.

micah
Re: Phishing rules?
SM <[EMAIL PROTECTED]> writes:

> At 07:56 01-11-2008, Micah Anderson wrote:
>>Here is an example one I received recently, note the hideously low bayes
>>score on this one, caused it to autolearn as ham even, grr.
>
> [snip]
>
>>X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>>        autolearn=ham version=3.2.5
>
> The sender is whitelisted by www.dnswl.org.

Yeah, because this one was forwarded through debian.org, which is
legitimate. The spam originator was not debian.org, but debian.org is the
one in dnswl.org.

>>Received: from master.debian.org (master.debian.org [70.103.162.29])
>>        by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>>        for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
>
> The mail is coming through debian.org. Do you want to blacklist that host?

No, I do not.
Re: Phishing rules?
Joseph Brennan <[EMAIL PROTECTED]> writes:

>> Reply-to: [EMAIL PROTECTED]
>
>
> First pass:
>
> header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
> score LOCAL_REPLYTO_LIVE 8.0
>
> Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> fp in a couple of months.

Is live.com a legitimate email sender? It looks microsoft related. If I
set it to 8, then any mail from that address is surely to get caught as
spam, which may not be the right thing depending on other potential
legitimate addresses sending from that domain.

Or perhaps nothing but spam comes from live.com? I dont know anything
about it.

micah
Re: Phishing rules?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Micah Anderson wrote:
[...]
> Report them where exactly?
>
> Here is an example one I received recently, note the hideously low bayes
> score on this one, caused it to autolearn as ham even, grr.
>
>
> From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
> Return-Path: <[EMAIL PROTECTED]>
> X-OfflineIMAP-x792266711-4c6f63616c-494e424f58:
> 1225549253-0134941395044-v6.0.3
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
> X-Spam-Level:
> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>         autolearn=ham version=3.2.5
> Delivered-To: [EMAIL PROTECTED]
> Received: from mx1.riseup.net (unknown [10.8.0.3])
>         by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
>         for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
> Received: from master.debian.org (master.debian.org [70.103.162.29])
>         by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>         for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
[...]

Contact debian.org's list manager instead of other actions. That's more
reasonable.

And more, i think we need to study about DKIM specification [RFC4871] to
make the Internet of trust ;;

byunghee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkNE/oACgkQsCouaZaxlv5YqACeIozvqJ96tTKm4oLnRySHAfc1
xUIAoI0G4FXr+PqdqvULxm0V+xZOSP77
=8NV0
-----END PGP SIGNATURE-----
Re: Phishing rules?
On Sat, 2008-11-01 at 18:01 -0400, Joseph Brennan wrote:
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
>
> > Anyway, can't you educate your users [...]
>
> Experience tells me the answer is no, or at least a qualified no. And
> we're supposed to have smart people here.
>
> I suppose the number of responses might be even higher if we did not
> try to educate people. I'll try to comfort myself with that.

Joseph, I was afraid you or Micah would tell me exactly that. *sigh*

--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){
putchar(t[s]);h=m;s=0; }}}
Re: Phishing rules?
Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:

> Anyway, can't you educate your users

Experience tells me the answer is no, or at least a qualified no. And
we're supposed to have smart people here.

I suppose the number of responses might be even higher if we did not try
to educate people. I'll try to comfort myself with that.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: Phishing rules?
On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
> > Do you mean attempts to get your users to send their passwords,
> > or fake mail pretending to be from banks?
>
> I mean attempts to get my users to send their passwords, are these not
> called phishing?

An important bit of information, missing from the OP. :) Targeted attacks
at your users, so the general phishing BLs don't really apply.

Anyway, can't you educate your users, that

(a) Any administrative email will be sent from an official, well known,
internal address? That means *not* an arbitrary address. Yes, sorry, the
obvious...
(b) They will *never* ever be asked for a password by mail. Period.
Again, obvious...

Then block internal / administrative From addresses coming from any
external SMTP.

This is not a technical way to stopping these, but an educational
approach to prevent the most dumb and gross social engineering. At least
the second one actually should be well-known, and I've seen ISPs pointing
it out frequently...

  guenther

--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){
putchar(t[s]);h=m;s=0; }}}
Re: Phishing rules?
Micah Anderson <[EMAIL PROTECTED]> wrote:

> I mean attempts to get my users to send their passwords, are these not
> called phishing?
>
> micah

Yes, it's phishing, but for those you might want to make local rules to
catch things specific to your own web mail system and domain. I find
myself reluctant to publish all the patterns we check, in case someone is
watching, but taking your sample, these would match here:

/Dear .{0,12}(web ?mail|columbia\.edu)/i

/Password.{0,10}\([\s\.\*\_]+\)/

/you must reply to this email/i

Reply-to =~ /[EMAIL PROTECTED]/

The first of course is partly local to us. Another useful local rule is
to check for the uri of your own webmail.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
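Micah's question elsewhere in this thread (one all-or-nothing meta-rule versus several low-scoring rules) and the suggested middle ground (a meta-rule that adds score once three or more sub-rules fire) can be compared on the patterns just posted. The Python below is an added example, not code from the thread or from SpamAssassin; it emulates SpamAssassin's additive scoring in a few lines so both meta-rule styles can be run side by side. The three body regexes are the ones posted above; the Reply-to pattern (`@live\.com`) is an assumption, since the archive redacts the address and the thread only says the header pointed at live.com. Scores, rule names and both sample messages are constructed; the phish sample reuses wording from the sample headers and body quoted later in this thread, including its "e-mail" spelling.

```python
import re
from email import message_from_string

# Sub-rules: (name, where to match, pattern, score). The three body patterns
# are the ones posted in this thread; the Reply-to pattern is an assumption
# (the archive redacts the address, but the thread discusses live.com
# Reply-to headers). Scores are illustrative and kept around 1, the level
# the rule-writing docs recommend for untested custom rules.
RULES = [
    ("LOCAL_PHISH_DEAR", "body",
     re.compile(r"Dear .{0,12}(web ?mail|columbia\.edu)", re.I), 1.0),
    ("LOCAL_PHISH_PASSWORD", "body",
     re.compile(r"Password.{0,10}\([\s\.\*\_]+\)"), 1.0),
    ("LOCAL_PHISH_REPLY", "body",
     re.compile(r"you must reply to this email", re.I), 1.0),
    ("LOCAL_REPLYTO_LIVE", "Reply-to",
     re.compile(r"@live\.com", re.I), 1.0),
]
META_THRESHOLD = 3   # "3 or more single scoring rules" from the thread
META_SCORE = 4.0     # hypothetical bonus added by either meta rule

# The same two meta rules written as SpamAssassin config, for comparison
# (added here, not taken from the thread):
#   meta  LOCAL_PHISH_ALL   (LOCAL_PHISH_DEAR && LOCAL_PHISH_PASSWORD && LOCAL_PHISH_REPLY && LOCAL_REPLYTO_LIVE)
#   meta  LOCAL_PHISH_3PLUS (LOCAL_PHISH_DEAR + LOCAL_PHISH_PASSWORD + LOCAL_PHISH_REPLY + LOCAL_REPLYTO_LIVE) >= 3
#   score LOCAL_PHISH_ALL   4.0
#   score LOCAL_PHISH_3PLUS 4.0


def score_message(raw):
    """Emulate additive scoring for RULES plus two meta rules: 3PLUS fires
    when at least META_THRESHOLD sub-rules hit, ALL only when every one
    does. Returns (total_score, names_of_rules_that_fired)."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # samples are single-part text/plain
    fired, total = [], 0.0
    for name, scope, rx, score in RULES:
        haystack = body if scope == "body" else (msg.get(scope) or "")
        if rx.search(haystack):
            fired.append(name)
            total += score
    base_hits = len(fired)
    if base_hits >= META_THRESHOLD:
        fired.append("LOCAL_PHISH_3PLUS")
        total += META_SCORE
    if base_hits == len(RULES):
        fired.append("LOCAL_PHISH_ALL")
        total += META_SCORE
    return total, fired


# Constructed phish sample: wording from the body quoted in this thread,
# placeholder addresses. Note "e-mail": the posted regex says "email", so
# LOCAL_PHISH_REPLY does not fire and the ALL-style meta rule misses.
PHISH_SAMPLE = """\
From: WEBMAIL Help Desk <helpdesk@webmail.example>
Reply-to: helpdesk.example@live.com
Subject: WEBMAIL Help Desk
Content-Type: text/plain; charset=ISO-8859-1

Dear Webmail User,

To help us re-set your SPACE on our database prior to maintain your INBOX,
you must reply to this e-mail and enter your Current User name () and
Password( ).
"""

# Constructed benign message that shares vocabulary with the phish.
HAM_SAMPLE = """\
From: Alice <alice@example.org>
Subject: next week
Content-Type: text/plain

Dear colleague,

Could you reply to this email with your availability for next week?
Password resets go through the portal, never by mail.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, score_message(sample))
```

On the phish sample three of the four sub-rules hit, so the 3PLUS meta-rule adds its bonus and the message scores 7.0, while an ALL-style meta-rule contributes nothing because one regex was defeated by a one-character change in wording. The benign message fires nothing. That is the trade-off Micah describes: the all-must-hit form is the most specific, and therefore the easiest for a small edit to the phish to evade.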
Re: Phishing rules?
> Reply-to: [EMAIL PROTECTED]

First pass:

header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
score LOCAL_REPLYTO_LIVE 8.0

Maybe scoring 8.0 for one thing scares you, but I haven't seen this fp in
a couple of months.

Joseph Brennan
Columbia University Information Technology
Re: Phishing rules?
At 07:56 01-11-2008, Micah Anderson wrote:
>Here is an example one I received recently, note the hideously low bayes
>score on this one, caused it to autolearn as ham even, grr.

[snip]

>X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>        autolearn=ham version=3.2.5

The sender is whitelisted by www.dnswl.org.

>Received: from master.debian.org (master.debian.org [70.103.162.29])
>        by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>        for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)

The mail is coming through debian.org. Do you want to blacklist that host?

Regards,
-sm
Re: Phishing rules?
Brent Clark <[EMAIL PROTECTED]> writes:

> Hiya
>
> See SA examples
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> Also add hostkarma.junkemailfilter.com to you DNSBL.

Thanks, I'll add this to my local.cf and see how it goes.

> Another thing I do find is useful is adding additional higher valued
> MX records.
>
> http://www.junkemailfilter.com/spam/support.html

I dont really like the idea of adding some other site's MX to my DNS, so
I think I'll pass on this one.

thanks for the suggestions!
micah
Re: Phishing rules?
Joseph Brennan <[EMAIL PROTECTED]> writes:

> Micah Anderson <[EMAIL PROTECTED]> wrote:
>
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>
> Do you mean attempts to get your users to send their passwords,
> or fake mail pretending to be from banks?

I mean attempts to get my users to send their passwords, are these not
called phishing?

micah
Re: Phishing rules?
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:

> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>>
>> postfix is doing:
>> reject_rbl_client b.barracudacentral.org,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rbl_client list.dsbl.org,
>>
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I'd increase this, at least for the SaneSecurity phish sigs. They are
> being updated much more frequently.

Thanks for the pointer. For some reason I thought I had read on the
SaneSecurity site that you shouldn't pull more than once a day, but now
after you mentioned it I went and read again and they ask you dont pull
more frequently than once an hour... so I've changed that cronjob, that
should help.

>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>
> Yes, unless you disable network tests in general. Should be easy to
> answer yourself if they are working, just by grepping for the rule names
> defined in 25_uribl.cf.

Network tests aren't disabled, and yeah I am seeing those rules occur in
some of my headers of mail that I can search through, so I think that
they are working. I've increased my overall URIBL scoring to 2.5 from the
default.

>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>
> So you've pretty much thrown everything at it you could find... ;) And
> they are still slipping through? How many are we talking here? Compared
> to the total number of spam / phish?
>
> Also, how many are being caught? Strikes me as odd that you don't have a
> sample but yet sound like every single one is slipping by.

These are hard for me to answer as I am not doing any analysis of how
many are caught. In the last week, I've gotten four of them through, and
I've received reports from a number of users that they too have received
them. I've just sent a sample to the list however.

> I guess, I would start verifying that all the above actually is working.
> Most notably the SaneSecurity phish sigs. ClamAV should catch the lions
> share, by far, assuming it comes before SA in your chain.

Yeah, I'm using the clamav-milter, so those get rejected really early on.

Thanks for the ideas,
Micah
Re: Phishing rules?
Randy <[EMAIL PROTECTED]> writes:

> Micah Anderson wrote:
>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>>
> Report these and maybe they will add something that catches them. If
> one wanted to, they can get any mail they want through your filters if
> they are good and don't use things that trigger the rules.

Report them where exactly?

Here is an example one I received recently; note the hideously low bayes score on this one, which caused it to autolearn as ham even, grr.

>From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
Return-Path: <[EMAIL PROTECTED]>
X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 1225549253-0134941395044-v6.0.3
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
X-Spam-Level:
X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.2.5
Delivered-To: [EMAIL PROTECTED]
Received: from mx1.riseup.net (unknown [10.8.0.3]) by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7 for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
Received: from master.debian.org (master.debian.org [70.103.162.29]) by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1 for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
Received: from cat.cybersurf.net ([209.197.145.185] helo=cat.cia.com) by master.debian.org with esmtp (Exim 4.63) (envelope-from <[EMAIL PROTECTED]>) id 1Kw6j8-0003iT-Ix for [EMAIL PROTECTED]; Sat, 01 Nov 2008 03:00:38 +
Received: from reef.cybersurf.com ([209.197.145.198]) by cat.cia.com with esmtp (Exim 4.50) id 1Kw6iz-0002Li-Pg; Fri, 31 Oct 2008 21:00:29 -0600
Received: from apache by reef.cybersurf.com with local (Exim 4.44) id 1Kw6j0-0006W5-UJ; Fri, 31 Oct 2008 20:00:30 -0700
Received: from 196-207-0-227.netcomng.com (196-207-0-227.netcomng.com [196.207.0.227]) by webmail.3web.com (IMP) with HTTP for <[EMAIL PROTECTED]>; Sat, 1 Nov 2008 14:00:30 +1100
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 1 Nov 2008 14:00:30 +1100
From: WEBMAIL Help Desk <[EMAIL PROTECTED]>
Reply-to: [EMAIL PROTECTED]
Subject: WEBMAIL Help Desk
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
X-Originating-IP: 196.207.0.227
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV 0.94/8552/Fri Oct 31 18:14:36 2008 on mx1.riseup.net
X-Virus-Status: Clean
Status: RO
Content-Length: 1427
Lines: 38

Dear Webmail User,

This message was sent automatically by a program on Webmail which periodically checks the size of inboxes, where new messages are received. The program is run weekly to ensure no one's inbox grows too large. If your inbox becomes too large, you will be unable to receive new email.

Just before this message was sent, you had 18 Megabytes (MB) or more of messages stored in your inbox on your Webmail. To help us re-set your SPACE on our database prior to maintain your INBOX, you must reply to this e-mail and enter your Current User name () and Password( ).

You will continue to receive this warning message periodically if your inbox size continues to be between 18 and 20 MB. If your inbox size grows to 20 MB, then a program on Bates Webmai will move your oldest email to a folder in your home directory to ensure that you will continue to be able to receive incoming email. You will be notified by email that this has taken place.

If your inbox grows to 25 MB, you will be unable to receive new email as it will be returned to the sender.

After you read a message, it is best to REPLY and SAVE it to another folder.

Thank you for your cooperation.

WEBMAIL Help Desk

---
3webXS HiSpeed Dial-up...surf up to 5x faster than regular dial-up alone... just $14.90/mo...visit www.get3web.com for details
Re: Phishing rules?
* Jeff Chan <[EMAIL PROTECTED]> [2008-10-31 02:36-0400]:
> On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
> > I keep getting hit by phishing attacks, and they aren't being stopped by
> > anything I've thrown up in front of them:
> [...]
> > I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> > pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> > that? if its automatic, that pulls in SURBL phishing).
>
> Increase the score on:
>
> URIBL_PH_SURBL
>
> The current SpamAssassin rules scoring process gives it an
> artificially low score which is counterproductive IMO. If you
> want to stop more phishing spams, consider increasing the score.

Thanks, I will do so... however the phishing emails I am getting are of two types:

. generalized phishes, which I would expect SURBL to be able to detect a large percentage of

. targeted phishing to my domain where the phisher attempts to impersonate the 'admins' and ask for usernames/passwords. These I don't think will get hits on SURBL, because they are specific to my domain, and these are actually the more damaging because users are more likely to be fooled by something that is claiming to come from 'us'.

Micah

signature.asc (Description: Digital signature)
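Both phish types Micah distinguishes above can be handled from local.cf. What follows is an added example, not from this thread and not part of SpamAssassin's own rule set: the score override Jeff recommends for URIBL_PH_SURBL (the value 3.0 is my assumption, the thread gives no number), plus local rules that describe the shape of the "help desk" quota warning posted earlier in the thread, which asks the reader to reply with a username and password. Every LOCAL_ rule name, regex and score here is my own choice, not a stock rule.

```spamassassin
# Added example, not from the thread: local.cf additions for the two phish
# types discussed. Rule names, regexes and scores are assumptions; tune them
# against your own ham and spam before trusting them.

# --- 1. Generalised phish carrying a URL listed in SURBL -----------------
# Raise the stock score of the SURBL phishing-list hit. 3.0 is an assumed
# value; pick one that, with your other rules, clears `required`.
score URIBL_PH_SURBL 3.0

# --- 2. Targeted "admin" phish asking users to reply with credentials ---
# Sub-rules (leading __) score nothing on their own; the meta rules below
# combine them, so one phrase in a legitimate quota notice does not fire.

# Body asks the reader to reply/respond/send a username or password within
# the same sentence (no full stop in between, at most 120 characters apart).
body     __LOCAL_PH_REPLY_CREDS  /\b(?:reply|respond|send)\b[^.]{0,120}\b(?:user\s?-?name|login|password)\b/i

# Body uses a mailbox-size pretext: "inbox ... 18 MB", "quota ... 20 megabytes".
body     __LOCAL_PH_QUOTA        /\b(?:inbox|mailbox|quota|storage)\b[^.]{0,80}\b\d{1,4}\s?(?:MB|megabytes?)\b/i

# Display name in From: claims to be a help desk, administrator or webmail team.
header   __LOCAL_PH_HELPDESK     From:name =~ /\b(?:help\s?desk|administrator|webmail|support\s?team)\b/i

# A Reply-To header is present (the sample steers replies to another mailbox).
header   __LOCAL_PH_HAS_REPLYTO  exists:Reply-To

# Credential request combined with either a help-desk sender or a quota story.
meta     LOCAL_PH_CRED_REPLY     (__LOCAL_PH_REPLY_CREDS && (__LOCAL_PH_HELPDESK || __LOCAL_PH_QUOTA))
describe LOCAL_PH_CRED_REPLY     Body asks recipient to reply with account username/password
score    LOCAL_PH_CRED_REPLY     3.5

# Extra weight when the reply is redirected through a separate Reply-To address.
meta     LOCAL_PH_CRED_REPLY_RT  (LOCAL_PH_CRED_REPLY && __LOCAL_PH_HAS_REPLYTO)
describe LOCAL_PH_CRED_REPLY_RT  Credential request with a Reply-To redirect
score    LOCAL_PH_CRED_REPLY_RT  1.5
```

Check the file with `spamassassin --lint`, then feed the saved sample through `spamassassin -t < sample.eml` and confirm the LOCAL_ rule names appear in the tests= list of X-Spam-Status. Keeping each score below your `required` threshold means a genuine quota notice from your own IT staff, which never asks for a password in reply, cannot be tagged on one rule alone; the credential-request sub-rule is the part that separates the phish from the legitimate warning.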
Re: Phishing rules?
* Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:
> Micah Anderson wrote:
>> reject_rbl_client list.dsbl.org,
>
> DSBL has shut down, and you should remove the query from your list. It
> won't help with the phishing, but it'll free up some network resources.
> Info: http://dsbl.org/node/3

Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which is a shame. I had to remove barracuda because I've received already 3 complaints about false-positives; that's a real shame, because it was blocking about 3x as much as zen was.

>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
> before they even get to SpamAssassin. We call clamd through MIMEDefang,
> then call SpamAssassin (also through MimeDefang) if a message passes.
>
> Have you verified that Clam is using the SaneSecurity signatures? How
> are you calling ClamAV?

Oh I'm certainly blocking phishing attempts via the SaneSecurity signatures, probably 200+ in the last hour alone. However, the phishing emails that are getting through are not known to their signature database, and in some cases have been directly targeted at the domain I am managing. That's why I am interested in rules that look for typical phishing emails. These emails are usually quite similar in their construction, so it seems like a good case for rules.

micah
Re: Phishing rules?
Hiya

See SA examples http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

Also add hostkarma.junkemailfilter.com to your DNSBL. Works really well.

Another thing I do find useful is adding additional higher valued MX records.
http://www.junkemailfilter.com/spam/support.html

HTH
Regards
Brent Clark
Re: Phishing rules?
On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
[...]
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing).

Increase the score on:

URIBL_PH_SURBL

The current SpamAssassin rules scoring process gives it an artificially low score which is counterproductive IMO. If you want to stop more phishing spams, consider increasing the score.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: Phishing rules?
Micah Anderson <[EMAIL PROTECTED]> wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:

Do you mean attempts to get your users to send their passwords, or fake mail pretending to be from banks?

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: Phishing rules?
Micah Anderson wrote:
> reject_rbl_client list.dsbl.org,

DSBL has shut down, and you should remove the query from your list. It won't help with the phishing, but it'll free up some network resources. Info: http://dsbl.org/node/3

> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).

Odd, ClamAV + SaneSecurity does a really good job here at blocking phish before they even get to SpamAssassin. We call clamd through MIMEDefang, then call SpamAssassin (also through MimeDefang) if a message passes.

Have you verified that Clam is using the SaneSecurity signatures? How are you calling ClamAV?

--
Kelson Vibber
SpeedGate Communications
Re: Phishing rules?
On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client list.dsbl.org,
>
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).

I'd increase this, at least for the SaneSecurity phish sigs. They are being updated much more frequently.

> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure

Yes, unless you disable network tests in general. Should be easy to answer yourself if they are working, just by grepping for the rule names defined in 25_uribl.cf.

> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of... but for some reason phishing attempts keep getting
> through.
>
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?

So you've pretty much thrown everything at it you could find... ;) And they are still slipping through? How many are we talking here? Compared to the total number of spam / phish? Also, how many are being caught?

Strikes me as odd that you don't have a sample but yet sound like every single one is slipping by.

I guess I would start verifying that all the above actually is working. Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's share, by far, assuming it comes before SA in your chain.

guenther

--
char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Phishing rules?
Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client list.dsbl.org,
>
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of... but for some reason phishing attempts keep getting
> through.
>
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?
>
> Thanks for any ideas,
> micah
>

Consider submitting them to SaneSecurity (www.sanesecurity.com) so that the signatures can be added to their phishing signature database.

Bill
Re: Phishing rules?
Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client list.dsbl.org,
>
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of... but for some reason phishing attempts keep getting
> through.
>
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?
>
> Thanks for any ideas,
> micah

Report these and maybe they will add something that catches them. If one wanted to, they can get any mail they want through your filters if they are good and don't use things that trigger the rules.