Re: Today's Google Docs phish

2017-05-06 Thread RW
On Fri, 5 May 2017 22:02:56 -0400 Alex wrote: > Am I understanding correctly that redirector_pattern breaks up the one > encoded URI into multiple URIs that are available for rules to be > written using them, instead of ? > > In other words, if I were to write a uri rule that includes > www.goog

Re: Today's Google Docs phish

2017-05-05 Thread Alex
Hi, >> >>> I found a local version which maybe did the trick >> >>> >> >>> redirector_pattern >> >>> >> >>> m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i >> >> > >> Yes, but I don't understand how that equates to an eventual score. > > I haven't used these, b

Re: Today's Google Docs phish

2017-05-04 Thread Alan Hodgson
On Thursday 04 May 2017 17:07:31 John Hardin wrote: > I expect a basic accounts.google.com URI rule would be a good idea even if > a redirector pattern for this was added - is there any legitimate reason > for a "log in to your google account" URL to be in an email? > Not from anyone who isn't wh

Re: Today's Google Docs phish

2017-05-04 Thread John Hardin
On Thu, 4 May 2017, Alex wrote: Hi, I found a local version which maybe did the trick redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i Can you explain how to use that? Does it get scored? see samples in 20_uri_tests.cf Yes, but I

Re: Today's Google Docs phish

2017-05-04 Thread RW
On Thu, 4 May 2017 18:26:42 -0400 Alex wrote: > Hi, > > >>> I found a local version which maybe did the trick > >>> > >>> redirector_pattern > >>> > >>> m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i > >>> > >> > Yes, but I don't understand how that equat

Re: Today's Google Docs phish

2017-05-04 Thread Alex
Hi, >>> I found a local version which maybe did the trick >>> >>> redirector_pattern >>> >>> m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i >> >> >> Can you explain how to use that? Does it get scored? > > see samples in 20_uri_tests.cf Yes, but I don't under

Re: Today's Google Docs phish

2017-05-04 Thread RW
On Thu, 04 May 2017 12:03:42 +0200 Benny Pedersen wrote: > Alex skrev den 2017-05-04 03:37: > > > https://pastebin.com/aWVaMMni > > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: quoted-printable > > this is imho a spam indicator > > double encodeing, makes utf-8 see 7

Re: Today's Google Docs phish

2017-05-04 Thread Axb
On 05/04/2017 06:57 PM, Alex wrote: Hi, Take a look at "redirector_pattern" use in 20_uri_tests.cf and hstern/20_uri_tests.cf. It looks like several google redirector patterns are present, but not a redirect via accounts.google.com, that's new. FWIW: Using stock redirector_pattern pattern my

Re: Today's Google Docs phish

2017-05-04 Thread Alex
Hi, >>> Take a look at "redirector_pattern" use in 20_uri_tests.cf and >>> hstern/20_uri_tests.cf. >>> >>> It looks like several google redirector patterns are present, but not a >>> redirect via accounts.google.com, that's new. >> >> FWIW: Using stock redirector_pattern pattern my SA detected the

Re: Today's Google Docs phish

2017-05-04 Thread Axb
On 05/04/2017 06:42 PM, Axb wrote: On 05/04/2017 06:34 PM, John Hardin wrote: On Thu, 4 May 2017, Chip M. wrote: John, how about a rule against the redirection parameter itself (i.e. "redirect_uri")? I suspect it'll hit too much ham, however it would make a great meta combined with obscure/ch

Re: Today's Google Docs phish

2017-05-04 Thread Axb
On 05/04/2017 06:34 PM, John Hardin wrote: On Thu, 4 May 2017, Chip M. wrote: John, how about a rule against the redirection parameter itself (i.e. "redirect_uri")? I suspect it'll hit too much ham, however it would make a great meta combined with obscure/cheap TLDs, and/or other characteristi

Re: Today's Google Docs phish

2017-05-04 Thread John Hardin
On Thu, 4 May 2017, Chip M. wrote: John, how about a rule against the redirection parameter itself (i.e. "redirect_uri")? I suspect it'll hit too much ham, however it would make a great meta combined with obscure/cheap TLDs, and/or other characteristics. I've added that to my own MassCheck que

Re: Today's Google Docs phish

2017-05-04 Thread Alex
Hi, On Thu, May 4, 2017 at 11:54 AM, Chip M. wrote: > Alex, thanks for the spample! Gladly. > I've only received one (so far), containing the same base domain > with the ".win" TLD, also freshly registered at NameCheap with > privacy protection and CloudFlare. Which rules show that? Sounds lik

Re: Today's Google Docs phish

2017-05-04 Thread Chip M.
Alex, thanks for the spample! I've only received one (so far), containing the same base domain with the ".win" TLD, also freshly registered at NameCheap with privacy protection and CloudFlare. On Thu, 04 May 2017, Axb wrote: >SA's redirect patterns detected these domains and my logs show >most

Re: Today's Google Docs phish

2017-05-04 Thread Alex
Hi, On Thu, May 4, 2017 at 3:12 AM, Vincent Fox wrote: > Sendmail access.src: > > From:proREJECT > > Guess that's why I haven't heard about this on our campus. We actually get legitimate mail from at least a few of these. > I block dozens of these apparently lawless domains. Dozens? Can yo

Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Benny Pedersen
Noel Butler skrev den 2017-05-04 12:45: The SEM fresh* uri lists I dare say. it could be core part of spamassassin, why ?, since spammers avoid sending it to sem, and not all new domains come to sem before its depricatd spam campains :/ who will make it to sa core ? sad to see your mail

Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Noel Butler
On 04/05/2017 17:38, Merijn van den Kroonenberg wrote: >> On Wed, 3 May 2017, Alex wrote: >> That target domain "g-docs . pro" was registered 12 days ago via >> namecheap.com >> which was enough to earn it a few extra points at our site. > > How do you detect the domain age in SA? I am really int

Re: Today's Google Docs phish

2017-05-04 Thread Benny Pedersen
Alex skrev den 2017-05-04 03:37: https://pastebin.com/aWVaMMni Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable this is imho a spam indicator double encodeing, makes utf-8 see 7 bit, no go its the same with idn phishing domains in other threads can sa tes

Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Merijn van den Kroonenberg
> On Wed, 3 May 2017, Alex wrote: > >> Hi, >> >> If you haven't heard, there was a huge Google Docs phishing attack >> today. [snip] >> Have you received any of these? Have you done anything to prevent them >> next time or from being received this time? > > That target domain "g-docs . pro" was reg

Re: Today's Google Docs phish

2017-05-04 Thread Axb
FTR: Google closed this hole real fast. SA's redirect patterns detected these domains and my logs show most were listed by the domain lists within a few minutes. On 05/04/2017 03:37 AM, Alex wrote: Hi, If you haven't heard, there was a huge Google Docs phishing attack today. Several hundred

Re: Today's Google Docs phish

2017-05-04 Thread Vincent Fox
Sendmail access.src: From:proREJECT Guess that's why I haven't heard about this on our campus. I block dozens of these apparently lawless domains. From: Alex Sent: Wednesday, May 3, 2017 6:37:49 PM To: SA Mailing list Subject: Today's Go

Re: Today's Google Docs phish

2017-05-03 Thread David B Funk
On Wed, 3 May 2017, Alex wrote: Hi, If you haven't heard, there was a huge Google Docs phishing attack today. Several hundred bypassed our filters in the hour or so before we were able to identify them. The To address is always "h...@mailinator.com" and the subject is always " has s

Re: Today's Google Docs phish

2017-05-03 Thread John Hardin
On Wed, 3 May 2017, Alex wrote: If you haven't heard, there was a huge Google Docs phishing attack today. Our IT department actually warned us of this one... I wanted to provide an example in case it helps, even though chances are the campaign is dead. We've seen Google proxy and redirect at

Today's Google Docs phish

2017-05-03 Thread Alex
Hi, If you haven't heard, there was a huge Google Docs phishing attack today. Several hundred bypassed our filters in the hour or so before we were able to identify them. The To address is always "h...@mailinator.com" and the subject is always " has shared a document on Google Docs wit