neil wrote:
> Hi;
> Ned Slider wrote:
> > First up, from Mike's inspiration above, I came up with these:
> I took your rule and added some meta rules to it. I'm getting hits on
> phishes, but I haven't seen any legitimate traffic hit it.
> This may be that I have not seen any real bank mail or it could be that
> it misses it completely.
> I don't have time to test it fully right now, so play at your peril.
> header __LOCAL_BANK_0 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.2.\d+')
> describe __LOCAL_BANK_0 Banks
> tflags __LOCAL_BANK_0 nice net
> header __LOCAL_BANK_1 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.3.\d+')
> describe __LOCAL_BANK_1 Email service providers
> tflags __LOCAL_BANK_1 nice net
> header __LOCAL_BANK_2 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.4.\d+')
> describe __LOCAL_BANK_2 Organisations
> tflags __LOCAL_BANK_2 nice net
> header __LOCAL_BANK_3 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.15.\d+')
> describe __LOCAL_BANK_3 Email Marketing Providers
> tflags __LOCAL_BANK_3 nice net
> header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)\.(com|co\.uk)/i
> describe LOCAL_FROM_BANK From a bank
> meta LOCAL_BANK_OK (LOCAL_FROM_BANK && (__LOCAL_BANK_0 || __LOCAL_BANK_1 || __LOCAL_BANK_2 || __LOCAL_BANK_3))
> score LOCAL_BANK_OK -0.1
> meta LOCAL_BANK_BAD (LOCAL_FROM_BANK && !(__LOCAL_BANK_0 || __LOCAL_BANK_1 || __LOCAL_BANK_2 || __LOCAL_BANK_3))
> score LOCAL_BANK_BAD 0.1
> Rgds
> n
Just did a couple quick lookups for a few legit bank emails, and those
that send directly from their own IP space passed the dnswl lookup, but
those having their mails delivered by third parties failed (not listed).
In the case I tested, as the rule stands above, neither (legitimate)
example was hit by LOCAL_FROM_BANK (due to From being a subdomain),
and the third party mailer IP didn't hit any of your dnswl rules either.
I was thinking of combining LOCAL_FROM_BANK with meta rules for common
phrases appearing in phishing emails, much like the JM_SOUGHT rules.
Claims to be from a bank, and contains a common phishing phrase should
IMHO provide a pretty reliable indicator. Perhaps we need a
JM_SOUGHT_PHISH subset ;) (I'm happy to submit some samples)
But I still maintain we should be able to produce/maintain a list of
legitimate banking (sub)domains that banks use to send mail so that any
others can be scored outright with a good degree of certainty (although
arguably the phishers might use such a list against us).
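As an added illustration (not code from either poster), the script below models the logic of neil's rule set and Ned's two follow-up points in plain Python so the behaviour can be checked offline without a live DNSWL lookup: it decodes list.dnswl.org answers into their category number (127.0.<category>.<trust>, the four categories the subrules select), applies the posted From:addr pattern both as written (bank name directly after '@') and in a variant that accepts subdomains, and evaluates the OK/BAD meta rules with the posted scores. The DNSWL answers, the subdomain variant, the phishing-phrase list and the LOCAL_BANK_PHISH rule name are constructed assumptions for the example; LOCAL_FROM_BANK is given SpamAssassin's default score of 1.0 because the posted rules carry no score line for it.

```python
import re

# DNSWL answers take the form 127.0.<category>.<trust>; these are the four
# categories the posted __LOCAL_BANK_0..3 subrules match on.
DNSWL_CATEGORIES = {
    2: "Banks",                       # __LOCAL_BANK_0
    3: "Email service providers",     # __LOCAL_BANK_1
    4: "Organisations",               # __LOCAL_BANK_2
    15: "Email Marketing Providers",  # __LOCAL_BANK_3
}

# Bank names copied from the posted LOCAL_FROM_BANK rule.
BANKS = (
    "abbey", "abbeyinternational", "abbeynational", "abbey-online",
    "alliance-leicester", "bankofamerica", "barclays", "cahoot", "cbonline",
    "citibank", "co-operativebank", "egg", "firstdirect", "halifax", "hbos",
    "hsbc", "lloydstsb", "llyodstsb", "natwest", "nationwide", "newegg",
    "neweggbank", "northernbank", "rbs", "secure-halifax", "woolwich", "ybonline",
)
_BANK_ALT = "|".join(re.escape(b) for b in BANKS)

# As posted: the bank name must sit directly after '@'. The '$' anchor is an
# addition here (the posted pattern has none) so trailing junk cannot match.
FROM_BANK_STRICT = re.compile(r"@(" + _BANK_ALT + r")\.(com|co\.uk)$", re.I)
# Constructed variant: also accept subdomains such as alerts.<bank>.co.uk,
# the case Ned reports the posted rule missing.
FROM_BANK_SUBDOMAIN = re.compile(
    r"@(?:[a-z0-9-]+\.)*(" + _BANK_ALT + r")\.(com|co\.uk)$", re.I
)

# Constructed sample phrases for the proposed "claims to be a bank and uses a
# common phishing phrase" meta component; a real list would be built from corpus.
PHISH_PHRASES = re.compile(
    r"(verify your account|account (has been|will be) suspended|"
    r"confirm your (identity|details)|click (here|the link below) to (verify|confirm))",
    re.I,
)

# Posted scores; LOCAL_FROM_BANK has no score line, so SpamAssassin defaults it
# to 1.0. LOCAL_BANK_PHISH is the proposed rule and has no score in the thread.
SCORES = {"LOCAL_FROM_BANK": 1.0, "LOCAL_BANK_OK": -0.1, "LOCAL_BANK_BAD": 0.1}


def dnswl_category(answer):
    """Decode a list.dnswl.org A-record answer into its category number, or None."""
    m = re.fullmatch(r"127\.0\.(\d{1,3})\.(\d{1,3})", answer)
    return int(m.group(1)) if m else None


def evaluate(from_addr, dnswl_answers, body="", allow_subdomains=False):
    """Mirror the meta rules for one message.

    from_addr     -- the From:addr SpamAssassin would extract
    dnswl_answers -- A records returned for the first trusted relay (stand-in
                     for check_rbl_sub); an empty list means "not listed"
    body          -- message text for the phishing-phrase component
    Returns (rule hits, total score).
    """
    pattern = FROM_BANK_SUBDOMAIN if allow_subdomains else FROM_BANK_STRICT
    from_bank = bool(pattern.search(from_addr))
    listed = any(dnswl_category(a) in DNSWL_CATEGORIES for a in dnswl_answers)
    hits = {
        "LOCAL_FROM_BANK": from_bank,
        "LOCAL_BANK_OK": from_bank and listed,
        "LOCAL_BANK_BAD": from_bank and not listed,
        "LOCAL_BANK_PHISH": from_bank and not listed and bool(PHISH_PHRASES.search(body)),
    }
    score = sum(SCORES.get(rule, 0.0) for rule, hit in hits.items() if hit)
    return hits, round(score, 2)


if __name__ == "__main__":
    # Constructed cases: bank sending from its own listed IP space, the same
    # bank via a subdomain, an unlisted third-party mailer, and a phish.
    for args in (
        ("alerts@halifax.co.uk", ["127.0.2.1"]),
        ("noreply@alerts.halifax.co.uk", ["127.0.2.1"]),
        ("alerts@halifax.co.uk", []),
        ("security@halifax.co.uk", [], "Please verify your account within 24 hours"),
    ):
        print(args[0], evaluate(*args), evaluate(*args, allow_subdomains=True))
```

The third case is Ned's third-party mailer: the From address matches but the relay is not listed, so LOCAL_BANK_BAD fires on legitimate mail, which is why the posted scores are kept tiny until a list of legitimate sending (sub)domains exists.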