On Sun, 14 Feb 2021, Ricky Boone wrote:
> What are the community's thoughts on handling spam/phishing that utilize
> homoglyphs to obfuscate the brands they're targeting? Are there any
> plugins that are in development that might assist with catching these?
Take a look at the definition of the FUZZY rules.
There's no general plugin for this currently. That would be a bit
difficult to do on-the-fly without getting (potentially lots of) FPs on
non-English words.
At the moment it's:
1) notice that some word is being obfuscated
2) add a FUZZY rule for that word
3) tune it for FPs (may hit legitimate words in non-English, exclude them)
The problem is such obfuscations may not be common enough in the masscheck
corpora for the rules to be promoted, scored and published.
> For example, here are some phrases that I've been monitoring from reported
> messages:
> * that Âmåzon has received
> * Äpple Watch
> * Ãρρle iPad
> * Aρρle iPad
> * PäyPäl Credit
> * PαyPαl Credit
> * Spãce Gray
> * to Over Støck Inc on
> * subscribed for Nõrtõn Yearly
> * subscribed for Nõrtøn Yearly
> * the Nõrtõn Freedom Protection
> Existing rules (mainline SpamAssassin channel, KAM, etc.) don't seem to
> flag much, if anything substantial, on the messages I've seen with this
> behavior. I've trained bayes on each, and created a custom set of rules to
> try to catch various patterns used in the messages.
I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and
norton to my sandbox, they are likely going to be fairly common.
How often do you see (over)stock and space obfuscated?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
At $8 billion per year, the TSA is the most expensive
theatrical production in history. -- David Burge @iowahawkblog
-----------------------------------------------------------------------
8 days until George Washington's 289th Birthday
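The three-step procedure John describes (notice an obfuscated word, write a FUZZY rule for it, tune out legitimate non-English hits) as an added, runnable example. This is Python written for this thread, not SpamAssassin rule syntax and not code from the thread or from the SpamAssassin project. It builds a homoglyph-tolerant pattern per brand in the spirit of a FUZZY body rule, runs it over the phrases Ricky quoted plus a plain "Amazon" mention and a Swedish sentence, and skips correctly spelled mentions and tuned-out legitimate words. The confusables table, the EXCLUDE set and the sample text are constructed for the example (Swedish "äpple" is a real word, chosen to show the false-positive problem).

```python
import re

# Constructed confusables table: ASCII letter -> look-alikes seen in the
# phrases quoted in this thread plus a few common substitutes. A real
# deployment would derive this from Unicode's confusables.txt instead.
CONFUSABLES = {
    "a": "aàáâãäåαа@4",
    "c": "cçćс",
    "e": "eèéêëεе3",
    "i": "iìíîïı1|!",
    "k": "kκк",
    "l": "lĺļ1|",
    "m": "mм",
    "n": "nñńп",
    "o": "oòóôõöøοо0",
    "p": "pρр",
    "r": "rг",
    "s": "sśš$5",
    "t": "tτт",
    "y": "yýÿу",
}

# Step 3 of the thread: exact surface forms that are legitimate words in
# some language and must not count as obfuscation. Constructed list; the
# entry is the Swedish noun "äpple" (apple), matched case-sensitively so a
# sentence-initial "Äpple" still fires (that residual FP is the trade-off).
EXCLUDE = {"äpple"}


def fuzzy_pattern(brand: str) -> re.Pattern:
    """Build a regex in the spirit of a SpamAssassin FUZZY body rule: each
    letter of the brand may be any of its confusables. Lookarounds instead
    of \\b so a leading '@' or trailing '$' still delimits the token."""
    classes = []
    for ch in brand.lower():
        alts = CONFUSABLES.get(ch, ch)
        classes.append("[" + re.escape(alts) + "]")
    return re.compile(r"(?<!\w)" + "".join(classes) + r"(?!\w)", re.IGNORECASE)


def obfuscated_hits(brand: str, text: str) -> list:
    """Return matched tokens that are neither the brand spelled plainly nor
    on the exclusion list, i.e. what a FUZZY rule should actually fire on."""
    hits = []
    for m in fuzzy_pattern(brand).finditer(text):
        tok = m.group(0)
        if tok.lower() == brand.lower():
            continue  # correct spelling: an ordinary mention, not obfuscation
        if tok in EXCLUDE:
            continue  # tuned-out legitimate word (case-sensitive on purpose)
        hits.append(tok)
    return hits


def scan(text: str, brands=("amazon", "apple", "paypal", "norton", "space")) -> dict:
    """Map each brand to the obfuscated spellings found in `text`."""
    return {b: h for b in brands if (h := obfuscated_hits(b, text))}


# Constructed sample: phrases quoted in the thread, one per line, plus a
# plain brand mention and a Swedish sentence that must NOT be flagged.
SAMPLE = """that Âmåzon has received
Äpple Watch
Ãρρle iPad
Aρρle iPad
PäyPäl Credit
PαyPαl Credit
Spãce Gray
subscribed for Nõrtõn Yearly
subscribed for Nõrtøn Yearly
Your Amazon order has shipped
ett äpple om dagen"""

if __name__ == "__main__":
    for brand, hits in scan(SAMPLE).items():
        print(f"{brand:7s} {hits}")
```

SpamAssassin body rules are Perl-compatible regexes, so the generated character-class pattern translates directly into a `body` rule; the plain-spelling skip and the exclusions are typically expressed as separate rules combined in a `meta` rule rather than inline as here. The case-sensitive exclusion shows why step 3 stays manual: the Swedish noun is tuned out, but a Swedish sentence starting with "Äpple" would still hit, and only corpus checks tell you whether that residual rate is acceptable.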