Mike Cardwell wrote:
Marc Perkel wrote:
Or maybe I'm trying to reinvent a wheel someone already has up and
running :-)
a bank without SPF or DKIM signing is NOT worth using
Yes - but I think what he's saying is that you have to start with a
list of bank domains, then test those domains with higher scrutiny.
Does such a list exist? One of my users was getting a lot of spam
pretending to be from banks. I ended up just compiling a regular
expression to match against the from header of the emails:
@([-a-zA-Z0-9\.]+[-\.])?(rbs|barclays|halifax|secure-halifax|hsbc|natwest|nationwide|northernbank|cbonline|ybonline|co-operativebank|bank-of-ireland|bankofengland|lloydstsb|bankofscotland|firstdirect|alliance-leicester|abbeynational|egg|new\.egg|woolwich|firsttrustbank|ulsterbank|citibank|icicibank)\.(com|co\.uk)
It's far from comprehensive obviously, but it covers most of what he was
receiving.
If that regular expression matches, and the connecting host is in a list
of what I refer to as "dodgy countries," then I reject the email.
OK, time for some rules to get this thread back on track :)
First up, from Mike's inspiration above, I came up with these:
header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)\.(com|co\.uk)/i
describe LOCAL_FROM_BANK From a bank
header LOCAL_FROM_BANK_NET From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)\.net/i
describe LOCAL_FROM_BANK_NET Banks don't send from .net
header LOCAL_FROM_BANK_OBF From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)[-a-zA-Z0-9]{1,5}\.(com|co\.uk|net)/i
describe LOCAL_FROM_BANK_OBF From an obfuscated bank-like domain
Hopefully the last two are self-explanatory, and with the first I chose
to only test the primary domain (as opposed to Mike's example above) as
I notice this matches the vast majority of phishing examples I'm seeing,
and most legitimate bank emails appear to be sent From subdomains (e.g.,
email.bank.com), so it shouldn't trigger false positives on this rule.
Maybe they could be further split into domains known never to send
legitimate mail to allow for higher scoring.
Now for some URI rules I've been experimenting with, again originating
from what I've observed in phishing examples, but maybe more widely
applicable (UK examples given but feel free to adapt to your country/tld
of choice):
uri LOCAL_URI_PHISH_UK m{https?://.{1,40}\.(ac|co|gov)\.uk\.\w}
describe LOCAL_URI_PHISH_UK contains obfuscated UK phish link of form example.co.uk.something
uri LOCAL_URI_PHISH_UK2 m{https?://.{1,40}\.(ac|co|gov)-uk\.\w}
describe LOCAL_URI_PHISH_UK2 contains obfuscated UK phish link of form example.co-uk.something
uri LOCAL_URI_PHISH_UK3 m{https?://.{1,40}/.{1,60}\.(ac|co|gov)\.uk}
describe LOCAL_URI_PHISH_UK3 contains obfuscated UK phish link of form example.com/bank.co.uk
uri LOCAL_URI_HIDDEN_DIR m{https?://.{1,40}/\.\w}
describe LOCAL_URI_HIDDEN_DIR contains hidden directory of form example.com/.something
The first two I've been running for a while and they pretty much catch
what they are intended to (I think that SA contains a similar rule for
.com already). The third rule is something I'm just testing and may be
prone to FPs, and the fourth might be indicative of a hacked server with
a hidden phishing directory.
Any comments?
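The From: and uri rules from the post above, redone as a stand-alone Python script so the matching behaviour can be exercised outside SpamAssassin. This is an added example written for this page, not code from the thread or from SpamAssassin. The bank list is copied from the posted rules; the sample headers and URLs are constructed, and the trailing "$" anchor on the From: patterns is an addition that the posted (unanchored) rules do not have.

```python
import re
from email.utils import parseaddr
from typing import Dict, List, Sequence

# Bank names copied from the rules in the post above. The list is illustrative
# and far from complete; "llyodstsb" is kept as a typo-squat variant.
BANKS = (
    "abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|"
    "bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|"
    "firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|"
    "newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline"
)

# Equivalents of the From: rules. They test the primary domain only, so a
# legitimate "alerts@email.hsbc.co.uk" does not trigger them. The trailing "$"
# is an addition to the posted rules (which are unanchored): it keeps
# "@hsbc.com.phish.example" out of LOCAL_FROM_BANK so it can be scored separately.
FROM_RULES: Dict[str, re.Pattern] = {
    "LOCAL_FROM_BANK": re.compile(rf"@(?:{BANKS})\.(?:com|co\.uk)$", re.I),
    "LOCAL_FROM_BANK_NET": re.compile(rf"@(?:{BANKS})\.net$", re.I),
    # bank name plus 1-5 extra characters, e.g. "hsbc-uk.com" or "barclays2.co.uk"
    "LOCAL_FROM_BANK_OBF": re.compile(
        rf"@(?:{BANKS})[-a-z0-9]{{1,5}}\.(?:com|co\.uk|net)$", re.I
    ),
}

# Equivalents of the uri rules. Note that "." in these patterns also matches "/",
# so the first three will fire on a UK-looking label anywhere in the first 40
# characters after the scheme, including a path or query string.
URI_RULES: Dict[str, re.Pattern] = {
    "LOCAL_URI_PHISH_UK": re.compile(r"https?://.{1,40}\.(?:ac|co|gov)\.uk\.\w", re.I),
    "LOCAL_URI_PHISH_UK2": re.compile(r"https?://.{1,40}\.(?:ac|co|gov)-uk\.\w", re.I),
    "LOCAL_URI_PHISH_UK3": re.compile(r"https?://.{1,40}/.{1,60}\.(?:ac|co|gov)\.uk", re.I),
    "LOCAL_URI_HIDDEN_DIR": re.compile(r"https?://.{1,40}/\.\w", re.I),
}


def check_from(from_header: str) -> List[str]:
    """Return the names of From: rules that hit. Mirrors SpamAssassin's
    From:addr by testing only the address part of a "Name <addr>" header."""
    addr = parseaddr(from_header)[1]
    return [name for name, rx in FROM_RULES.items() if rx.search(addr)]


def check_uris(uris: Sequence[str]) -> List[str]:
    """Return the names of uri rules hit by any of the given URIs (each once)."""
    hits = []
    for name, rx in URI_RULES.items():
        if any(rx.search(u) for u in uris):
            hits.append(name)
    return hits


def scan(from_header: str, uris: Sequence[str]) -> List[str]:
    """Run both rule sets and return the sorted list of rule names that hit."""
    return sorted(check_from(from_header) + check_uris(uris))


# Constructed samples (not real mail): one legitimate-looking message and a few
# phishing shapes of the kinds described in the post.
SAMPLES = {
    "legit_subdomain": ("HSBC <alerts@email.hsbc.co.uk>", ["https://www.hsbc.co.uk/security"]),
    "primary_domain": ("security@hsbc.co.uk", ["http://www.barclays.co.uk.verify-login.example/x"]),
    "dot_net": ("Barclays <verify@barclays.net>", ["http://natwest.co-uk.example.net/login"]),
    "obfuscated": ("alerts@hsbc-uk.com", ["http://example.com/online/lloydstsb.co.uk/login"]),
    "hidden_dir": ("mailer@example.org", ["http://example.com/.secure/index.php"]),
}

if __name__ == "__main__":
    for label, (hdr, uris) in SAMPLES.items():
        print(f"{label:16} {scan(hdr, uris)}")
```

Running the script shows the legitimate subdomain sender triggering nothing while each constructed phishing shape triggers exactly the rule written for it. Because "." in the uri patterns also matches "/", a URL such as http://host/path?x=foo.co.uk.bar hits both LOCAL_URI_PHISH_UK and LOCAL_URI_PHISH_UK3, which is one place to look when tuning these for false positives.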