Re: spamassassin rule to combat phishing
I've tested the rule: uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?];i is catching this sample newletter link: Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule URI_MYDOMAIN_PHISH == got hit: http://example.com; Complete email body content in test of newsletter link: a target=_blank href=http://www.environmental-expert.com/redirectnewsletter_login.asp?UR= L=http://www.environmental-expert.comloginemail=u...@example.comloginc= ode=123456utm_source=Articles_Waste_Recycling_01112014utm_medium=em= ailutm_campaign=newslettersutm_content=logoclickimg src=http://www.environmental-expert.com/newsletter/images/logo_dark_smal= l.gif width=200 height=83 border=0/a I wonder how the RE can be tweaked to not match this case? I still don't understand the ?: part.
Re: spamassassin rule to combat phishing
On Wed, Oct 29, 2014 at 10:27 AM, francis picabia fpica...@gmail.com wrote: I've tested the rule: uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?];i is catching this sample newletter link: Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule URI_MYDOMAIN_PHISH == got hit: http://example.com; Complete email body content in test of newsletter link: a target=_blank href=http://www.environmental-expert.com/redirectnewsletter_login.asp?UR= L=http://www.environmental-expert.comloginemail=u...@example.comloginc= ode=123456utm_source=Articles_Waste_Recycling_01112014utm_medium=em= ailutm_campaign=newslettersutm_content=logoclickimg src=http://www.environmental-expert.com/newsletter/images/logo_dark_smal= l.gif width=200 height=83 border=0/a I wonder how the RE can be tweaked to not match this case? I still don't understand the ?: part. I don't know if it is the best solution, but adding to the non-matching clause has helped for the false positve and still catches the phishing example: uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?];i
Re: spamassassin rule to combat phishing
On Mon, Oct 27, 2014 at 4:55 PM, John Hardin jhar...@impsec.org wrote: On Mon, 27 Oct 2014, francis picabia wrote: uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i However another spoofed message was received today and the rule did not capture it. If I want to detect something in the form of: random_server.example.com.junk I need to wildcard the first bit. Would that be: uri URI_EXAMPLE_EXTRA m;^https?://(?:.*\.)?example\.com[^/?];i I don't understand what the question mark and colon does inside the ( ) I thought it followed an optional char or expression. Should it be like this? uri URI_EXAMPLE_EXTRA m;^https?://(.*\.)?example\.com[^/?];i (?:) means group, don't remember the match. () remembers what's matched for future use in the RE (e.g. to check for repeated strings like abcabcabcabc. Try this: uri URI_EXAMPLE_EXTRA m;^https?://(?:[^./]+\.)*example\.com[^/?];i Once again, thanks for the RE coding. I found a false positive it captured with my attempt at this : a href= http://www.newslettersite.com/redirectnewsletter_login.asp?URL=http://www.secondsite.com/PYB/contact_us.asploginemail=u...@example.comlogincode=123456utm_source=Articles_Air_01112014utm_medium=emailutm_campaign=newsletterutm_content=contactus I've tested your rule with that and it does not tag for the above. Great. Hopefully useful to others facing domain spoofs in phishing.
Re: spamassassin rule to combat phishing
On Tue, Oct 28, 2014 at 11:47 AM, francis picabia fpica...@gmail.com wrote: On Mon, Oct 27, 2014 at 4:55 PM, John Hardin jhar...@impsec.org wrote: On Mon, 27 Oct 2014, francis picabia wrote: uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i However another spoofed message was received today and the rule did not capture it. If I want to detect something in the form of: random_server.example.com.junk I need to wildcard the first bit. Would that be: uri URI_EXAMPLE_EXTRA m;^https?://(?:.*\.)?example\.com[^/?];i I don't understand what the question mark and colon does inside the ( ) I thought it followed an optional char or expression. Should it be like this? uri URI_EXAMPLE_EXTRA m;^https?://(.*\.)?example\.com[^/?];i (?:) means group, don't remember the match. () remembers what's matched for future use in the RE (e.g. to check for repeated strings like abcabcabcabc. Try this: uri URI_EXAMPLE_EXTRA m;^https?://(?:[^./]+\.)*example\.com[^/?];i Once again, thanks for the RE coding. I found a false positive it captured with my attempt at this : a href= http://www.newslettersite.com/redirectnewsletter_login.asp?URL=http://www.secondsite.com/PYB/contact_us.asploginemail=u...@example.comlogincode=123456utm_source=Articles_Air_01112014utm_medium=emailutm_campaign=newsletterutm_content=contactus I've tested your rule with that and it does not tag for the above. Great. Hopefully useful to others facing domain spoofs in phishing. I thought this was a representative test case, but apparently there is something triggering a false positive when the email is a newsletter which embeds a user's email within URLs. In the sample I've seen, there are 34 such possible links which may have triggered the issue, but I don't know which. I ran the quarantined sample through spamassassin -D and it shows: Oct 28 16:24:01.391 [28945] dbg: rules: ran uri rule URI_MYDOMAIN_PHISH == got hit: http://example.com; On prior lines in the trace I see other uri rules getting hits, but it seems to be about different URLs. The entire body of the email is base64 encoded. Extracting that part and running base64 -d I am not finding the hit described by SA trace. This is my method: zcat spam-jUVZBDml0wS5.gz | grep 'http://example.com' So the URL is not in the non-base64 part. zcat spam-jUVZBDml0wS5.gz /tmp/spamfull cp /tmp/spamfull /tmp/spam64 vi /tmp/spam64 (to remove headers) base64 -d /tmp/spam64 | grep 'http://example.com' (no matchs) Double checked with: spamassassin -D -lint /tmp/spamfull 21 | grep http://example.com nothing is output except the line above with URI_MYDOMAIN_PHISH. Is there any suggestion on how to nail down where the match is happening?
Re: spamassassin rule to combat phishing
On Fri, Sep 19, 2014 at 2:59 PM, John Hardin jhar...@impsec.org wrote: On Fri, 19 Sep 2014, francis picabia wrote: On Tue, Sep 16, 2014 at 5:27 PM, John Hardin jhar...@impsec.org wrote: On Tue, 16 Sep 2014, francis picabia wrote: Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace, and the target link was an exact replica of an ezproxy website we run. The URL domain was only different by a few letters. I'm thinking we will see more of these. So here is a question perhaps someone can solve and many of us can benefit from... How can I make a uri rule which matches example.com.junk/ but does not match example.com/ uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i That's a great one liner. I'm glad I asked. Thank you for this. Warning: I did not actually test it. Please test it before putting it into production. Yes, understood. I did test and it seemed to work OK. However another spoofed message was received today and the rule did not capture it. If I want to detect something in the form of: random_server.example.com.junk I need to wildcard the first bit. Would that be: uri URI_EXAMPLE_EXTRA m;^https?://(?:.*\.)?example\.com[^/?];i I don't understand what the question mark and colon does inside the ( ) I thought it followed an optional char or expression. Should it be like this? uri URI_EXAMPLE_EXTRA m;^https?://(.*\.)?example\.com[^/?];i
Re: spamassassin rule to combat phishing
On Mon, 27 Oct 2014, francis picabia wrote: uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i However another spoofed message was received today and the rule did not capture it. If I want to detect something in the form of: random_server.example.com.junk I need to wildcard the first bit. Would that be: uri URI_EXAMPLE_EXTRA m;^https?://(?:.*\.)?example\.com[^/?];i I don't understand what the question mark and colon does inside the ( ) I thought it followed an optional char or expression. Should it be like this? uri URI_EXAMPLE_EXTRA m;^https?://(.*\.)?example\.com[^/?];i (?:) means group, don't remember the match. () remembers what's matched for future use in the RE (e.g. to check for repeated strings like abcabcabcabc. Try this: uri URI_EXAMPLE_EXTRA m;^https?://(?:[^./]+\.)*example\.com[^/?];i -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...the Fates notice those who buy chainsaws... -- www.darwinawards.com --- 4 days until Halloween
Re: spamassassin rule to combat phishing
On Tue, Sep 16, 2014 at 5:27 PM, John Hardin jhar...@impsec.org wrote: On Tue, 16 Sep 2014, francis picabia wrote: Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace, and the target link was an exact replica of an ezproxy website we run. The URL domain was only different by a few letters. I'm thinking we will see more of these. So here is a question perhaps someone can solve and many of us can benefit from... How can I make a uri rule which matches example.com.junk/ but does not match example.com/ uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i That's a great one liner. I'm glad I asked. Thank you for this.
spamassassin rule to combat phishing
Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace, and the target link was an exact replica of an ezproxy website we run. The URL domain was only different by a few letters. I'm thinking we will see more of these. So here is a question perhaps someone can solve and many of us can benefit from... How can I make a uri rule which matches example.com.junk/ but does not match example.com/ The goal is to score fake URLs containing our domain, and thus an email with a link to something like http://example.com.tk/ wouldn't be delivered.
Re: spamassassin rule to combat phishing
On Tue, 16 Sep 2014, francis picabia wrote: Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace, and the target link was an exact replica of an ezproxy website we run. The URL domain was only different by a few letters. I'm thinking we will see more of these. So here is a question perhaps someone can solve and many of us can benefit from... How can I make a uri rule which matches example.com.junk/ but does not match example.com/ uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i The goal is to score fake URLs containing our domain, and thus an email with a link to something like http://example.com.tk/ wouldn't be delivered. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- From the Liberty perspective, it doesn't matter if it's a jackboot or a Birkenstock smashing your face. -- Robb Allen --- Tomorrow: the 227th anniversary of the signing of the U.S. Constitution
