Hi,

Proofpoint has a small Python script:

https://help.proofpoint.com/Threat_Insight_Dashboard/Concepts/How_do_I_decode_a_rewritten_URL%3F

that can be used to decode URLs that they mangle.

It could be adapted to filter incoming messages so that you'd never have to see proofpoint mangled links. I use a "display-filter" in alpine (Thunderbird also supports filters) to unmangle Microsoft safelinks mangled URLs.

It doesn't take a lot of imagination to see that training users to click on complicated-looking URLs without thought (because they're safe!) can only end badly. Eventually, some organization is going to lose a lot of money because of a phishing attack made possible by the use of these URL manglers.

Cheers,

Ron

--
If you are not part of the solution, you are part of the precipitate.
<begin pgp signed message to disable safelinks/>
On Wed, 25 Jul 2018, Maarten wrote:

Date: Wed, 25 Jul 2018 12:55:43 +0000
From: Maarten <[email protected]>
To: scientific-linux-users <[email protected]>
Cc: [email protected]
Subject: Re: Re: SPAM:  proofpoint.com URLs in sl-users messages

Ended up in my spam box as well



On Tue, Jul 24, 2018 at 19:40, Denice <[email protected]> wrote:
      On Tue, 24 Jul 2018, Glenn Cooper wrote:

            Dear Scientific Linux users,

            You may have noticed recently that URLs in messages to the
            [email protected] mailing list are often converted to a longer
            version where the original URL is routed through "urldefense.proofpoint.com",
            e.g.,

https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.mozilla.org_show-5Fbug.cgi-3Fid-3D1278282&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=ZSgt1f7kW9G8-9f6VpdMqA&m=GNVwbRVdMb0OHea3YcT932r9X96HOwQvQqu1TZ4KG5k&s=YJv_zN6hJ20hObNHTC9szZwF56XooQ5-FHJCgYt00cg&e=

            This is an anti-phishing measure adopted by Fermilab.  URLs in mail messages
            are automatically rewritten to go through a service that checks against known
            malicious sites, then either blocks the attempt or routes to the original
            address.  Although these links look odd, they are legitimate, and you will
            get to the intended sites if you follow them.



      This message showed up in my inbox tagged as SPAM ..  so I am not
      sure how this is an improvement.

      cheers, etc.
      --
      Denice Deatrich, TRIUMF/Science/ATLAS      Ph: +1 604 222 7665
      <*> This moment's fortune cookie:
      Ban the bomb.  Save the world for conventional warfare.
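
A sketch of the kind of display filter discussed in this thread, as an added example (it is not Proofpoint's script and not code from anyone in the thread). It assumes the v2 encoding visible in the sample URL quoted above ("-XX" is a hex-escaped byte, "_" stands for "/") and that Microsoft Safe Links carries the destination in a percent-encoded `url=` parameter; the function names and the Safe Links sample are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed v2 encoding, read off the sample URL in this thread:
# "-XX" is a hex-escaped byte and "_" stands for "/".
_V2_TABLE = str.maketrans("-_", "%/")
_URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Wrapper URL from the thread, shortened to the u/d/e parameters.
SAMPLE_V2 = ("https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla."
             "mozilla.org_show-5Fbug.cgi-3Fid-3D1278282&d=DwIBAg&e=")
# Constructed Safe Links sample (not from the thread).
SAMPLE_SAFELINK = ("https://nam02.safelinks.protection.outlook.com/?url="
                   "https%3A%2F%2Fexample.org%2Fdocs%3Fpage%3D2&reserved=0")


def unmangle(url):
    """Return the original destination of a rewritten URL, else url unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    # Match the wrapper host exactly so look-alike hosts are left visible.
    if host == "urldefense.proofpoint.com" and parts.path == "/v2/url":
        encoded = query.get("u", [""])[0]
        return unquote(encoded.translate(_V2_TABLE)) or url
    if host.endswith(".safelinks.protection.outlook.com"):
        # parse_qs has already percent-decoded the "url" parameter.
        return query.get("url", [url])[0]
    return url


def _replace(match):
    raw = match.group(0)
    url = raw.rstrip(".,;:)")  # keep sentence punctuation out of the URL
    return unmangle(url) + raw[len(url):]


def unmangle_text(text):
    """Rewrite every recognised wrapper URL in a message body."""
    return _URL_RE.sub(_replace, text)


if __name__ == "__main__":
    import sys
    sys.stdout.write(unmangle_text(sys.stdin.read()))
```

Run as a filter, it reads a message body on standard input and writes it back with the real destinations shown in place of the wrapper URLs.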

