On 2014-01-18 15:01, Michael Monnerie wrote:
Dear list, since this week there are tons of very good forged bills that look real, from big companies like Telekom, Vodafone, etc.
+1
They look like the original, and just the link in the middle, where it says "download your bill here", goes to a site containing trojans.
+1, I have seen some that contain an HTML attachment; this is now blocked in my own ClamAV rule.
I'd like to write rules for the ZMI_GERMAN ruleset, what would be the
best way to capture such forgeries? I thought of something like
body __VODAFONEgood1 /this is a text from the vodafone bill/
body __VODAFONEgood2 /this is another real text from the vodafone bill/
uri  __VODAFONE_URI m{(?:http://|)(?:www\.|)vodafone\.de}
Well, if this rule works, it could be added to a ClamAV signature as well, or simply add phishes to phishtank.com.
meta VODAFONEgood (__VODAFONEgood1 + __VODAFONEgood2) >= 2  # of course there should be more than 2 rules in our set
+1
and here I'd need to check for URIs *other than* Vodafone: meta VODAFONEforged VODAFONEgood && any_uri_except __VODAFONE_URI
Is it linked to http:// and not to https://? If users want to pay on http://, tell them :=)
Phishes mostly go to http:// pages, not to https://. I wonder why.
So I want to catch a real-looking vodafone bill that has any URI to another domain. Also, as Vodafone uses SPF, I'd like to check if I hit VODAFONEgood && !SPF signature in the mail.
This is complicated, since you believe phishes only have this domain as sender. URL and envelope can match, and this would be great if they do, but it's hard for SpamAssassin to figure out which domains are forged or not based on this.
The problem with all this is that there are MANY companies, so does someone have a better idea?
I need samples to help, or just wait to see one here. I build local ClamAV signatures for the worst kinds of spam (ldb/ldu database fuzzy matching).
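An added example, not from this thread or the ZMI_GERMAN ruleset: the check Michael sketches (brand phrases present, plus a URI outside the brand domain or no SPF pass) written in Python so it can be run on a sample, with the host test tightened so that a look-alike host such as vodafone.de.example does not count as the brand's own, which the posted substring regex would accept. Brand phrases, headers and both messages are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical brand profile; phrases are constructed, not real Vodafone bill text.
BRAND = {"phrases": ["ihre rechnung", "vodafone kundenservice"],
         "domain": "vodafone.de"}
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed samples: a genuine-looking bill and a forgery using a look-alike host.
GENUINE = """From: rechnung@vodafone.de
Received-SPF: pass (mx.example: domain of vodafone.de designates sender)

Ihre Rechnung ist da. Vodafone Kundenservice: https://www.vodafone.de/rechnung
"""
FORGED = """From: rechnung@vodafone.de
Received-SPF: fail (mx.example: domain of vodafone.de does not designate sender)

Ihre Rechnung ist da. Vodafone Kundenservice.
Rechnung herunterladen: http://vodafone.de.rechnung-portal.example/bill.zip
"""

def is_brand_host(host, domain):
    # The brand domain itself or a real subdomain of it. A bare substring match,
    # as in m{vodafone.de}, would also accept vodafone.de.example or notvodafone.de.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def foreign_uris(text, domain):
    # URIs whose host is not under the brand domain (the "any_uri_except" idea).
    return [u for u in URI_RE.findall(text)
            if not is_brand_host(urlparse(u).hostname or "", domain)]

def looks_like_bill(text, phrases, minimum=2):
    # Count brand phrases, like a meta rule summing the __BRANDgoodN hits.
    low = text.lower()
    return sum(p in low for p in phrases) >= minimum

def spf_passed(msg):
    # Received-SPF is added by the receiving MTA; anything but "pass" counts as no pass.
    return (msg.get("Received-SPF") or "").strip().lower().startswith("pass")

def classify(raw, brand=BRAND):
    msg = message_from_string(raw)
    body = msg.get_payload()
    bill = looks_like_bill(body, brand["phrases"])
    foreign = foreign_uris(body, brand["domain"])
    spf = spf_passed(msg)
    return {"bill": bill, "foreign_uris": foreign, "spf_pass": spf,
            "forged": bill and (bool(foreign) or not spf)}
```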
