On 16/03/12 02:21, sporkman wrote:
Ned Slider wrote:
On 12/03/12 17:02, David B Funk wrote:
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a
url containing bway.net (or even just bway or webmail or login etc),
but isn't https://webmail.bway.net/.
Create meta rules for the common words you have identified. Link
these with a rule such as __HAS_ANY_URI or some of your webmail based
URI rules above.
What other rules commonly hit - are they sent from freemail accounts?
Do they hit any DNSBLs?
It's not that simple. If it were, the problem would not have been
ongoing for at least 4 years.
Technically, what Ned said is correct: "This one is easy enough".
Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
kind of spear-phishing attacks are an ever mutating problem and some
are damned clever.
Exactly. If you only provide one snippet of an example you don't give us
much to work with, so the best we can do is suggest a rule that will
catch that one very narrow example :-/
Give us a tarball of (preferably unredacted) examples to work with - you
must have hundreds collected over the last 4 years.
Here's a collection from our support folks:
http://home.bway.net/spork/phish/
Some patterns of interest (including some of the excellent suggestions
upthread):
-envelope-from is not from our domain but the From: line in the message is;
being able to clobber that pattern would be quite helpful by itself.
-I'm not going to go into details, but the messages quite often have a from
or envelope-from that we simply don't use when sending email to customers or
replying to them. In fact, all of these samples have that wrong.
-Most of the messages contain a URL that includes our domain in it after the
host part of the URL. The ones that don't still include "bway" somewhere in
the URL.
If I could slap together a rule that detects those three anomalies together,
I'd be pretty happy.
Good - you have something to work with now.
Here's a rule that will catch bway.net after the host part of the URL:
uri LOCAL_URI_BWAY_NET m{https?://[^/]+/.{0,40}bway\.net}
describe LOCAL_URI_BWAY_NET URL contains bway.net in the path
score LOCAL_URI_BWAY_NET 1
And many of your examples link to bway.htm so let's catch those too:
uri LOCAL_URI_BWAY_HTM m{bway\.html?$}
describe LOCAL_URI_BWAY_HTM Contains link to bway.htm
score LOCAL_URI_BWAY_HTM 1
Then I'd create some rules to make meta rules from. For example, not
from our domain + has URI + URI contains "bway".
Generally, the more rules you can create the better. Lots of small
scoring rules will invariably outperform a few high scoring rules unless
you are able to identify that one killer feature that identifies it as a
phish to you.
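The three anomalies combined into one SpamAssassin meta rule, as an added example rather than anything posted in the thread: the LOCAL_* rule names are placeholders chosen here, __HAS_ANY_URI is the built-in sub-rule named upthread, and EnvelopeFrom is SpamAssassin's pseudo-header for the envelope sender.

```conf
# Added example, not from the thread: the three anomalies listed above
# (From: spoofs our domain, a URI is present, the URI mentions bway)
# tied together in one meta rule. LOCAL_* names are placeholders;
# __HAS_ANY_URI and the EnvelopeFrom pseudo-header are SpamAssassin's own.

# Anomaly 1: the visible From: address claims bway.net ...
header   __LOCAL_FROM_BWAY     From:addr =~ /\@bway\.net$/i
# ... but the envelope sender (MAIL FROM / Return-Path) does not
header   __LOCAL_ENVFROM_BWAY  EnvelopeFrom =~ /\@bway\.net$/i
meta     LOCAL_FROM_MISMATCH   (__LOCAL_FROM_BWAY && !__LOCAL_ENVFROM_BWAY)
describe LOCAL_FROM_MISMATCH   From: is bway.net but envelope sender is not
score    LOCAL_FROM_MISMATCH   1.0

# Anomaly 3: "bway" anywhere in a URL (this covers both bway.net after the
# host part and a bare "bway" in the path), except the single legitimate
# link customers should ever receive. uri rules run against each URL on
# its own, so the exclusion is a lookahead inside the regex rather than a
# separate meta; a phish that also quotes the real webmail URL still hits.
uri      __LOCAL_URI_BWAY_SUSPECT m{^(?!https://webmail\.bway\.net/).*bway}i

# Anomaly 2 (a URI exists at all) is __HAS_ANY_URI. All three together:
meta     LOCAL_BWAY_PHISH      (LOCAL_FROM_MISMATCH && __HAS_ANY_URI && __LOCAL_URI_BWAY_SUSPECT)
describe LOCAL_BWAY_PHISH      Spoofed bway.net sender plus a suspicious bway link
score    LOCAL_BWAY_PHISH      3.0
```

If SpamAssassin is not handed the envelope sender (no Return-Path header and no envelope_sender_header configured), __LOCAL_ENVFROM_BWAY never matches and LOCAL_FROM_MISMATCH fires on every bway.net From:, so confirm with `spamassassin -D` that EnvelopeFrom is populated before giving it a score.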