Ned Slider wrote:
> 
> On 16/03/12 02:21, sporkman wrote:
>>
>>
>>
>> Ned Slider wrote:
>>>
>>> On 12/03/12 17:02, David B Funk wrote:
>>>> On Mon, 12 Mar 2012, Paul Russell wrote:
>>>>
>>>>> On 3/10/2012 16:43, Ned Slider wrote:
>>>>>>
>>>>>> This one is easy enough - if the latter is the only valid url that
>>>>>> should ever appear in an email, create a meta rule that looks for a
>>>>>> url containing bway.net (or even just bway or webmail or login etc),
>>>>>> but isn't https://webmail.bway.net/.
>>>>>>
>>>>>> Create meta rules for the common words you have identified. Link
>>>>>> these with a rule such as __HAS_ANY_URI or some of your webmail based
>>>>>> URI rules above.
>>>>>>
>>>>>> What other rules commonly hit - are they sent from freemail accounts?
>>>>>> Do they hit any DNSBL's?
>>>>>
>>>>> It's not that simple. If it were, the problem would not have been
>>>>> ongoing for at least 4 years.
>>>>
>>>> Technically what Ned said is correct "This one is easy enough".
>>>> Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
>>>> kind of spear-phishing attacks are an ever mutating problem and some
>>>> are damned clever.
>>>>
>>>
>>> Exactly, if you only provide one snippet of an example you don't give us
>>> much to work with so the best we can do is suggest a rule that will
>>> catch that one very narrow example :-/
>>>
>>> Give us a tarball of (preferably unredacted) examples to work with - you
>>> must have hundreds collected over the last 4 years.
>>>
>>>
>>
>> Here's a collection from our support folks:
>>
>> http://home.bway.net/spork/phish/
>>
>> Some patterns of interest (including some of the excellent suggestions
>> upthread):
>>
>> -envelope-from is not from our domain, From: line in the message is, being
>> able to clobber that pattern would be quite helpful by itself.
>> -I'm not going to go into details, but the messages quite often have a from
>> or envelope-from that we simply don't use when sending email to customers or
>> replying to them.  In fact, all of these samples have that wrong.
>> -Most of the messages contain a URL that includes our domain in it after the
>> host part of the URL.  The ones that don't still include "bway" somewhere in
>> the URL.
>>
>> If I could slap together a rule that detects those three anomalies
>> together,
>> I'd be pretty happy.
> 
> Good - you have something to work with now.
> 
> Here's a rule that will catch bway.net after the host part of the URL:
> 
> uri           LOCAL_URI_BWAY_NET      m{https?://[^/]+/.{0,40}bway\.net}
> describe      LOCAL_URI_BWAY_NET      URL contains bway.net in the path
> score LOCAL_URI_BWAY_NET      1
> 
> And many of your examples link to bway.htm so let's catch those too:
> 
> uri           LOCAL_URI_BWAY_HTM      m{bway\.html?$}
> describe      LOCAL_URI_BWAY_HTM      Contains link to bway.htm
> score LOCAL_URI_BWAY_HTM      1
> 
> Then I'd create some rules to make meta rules from. For example, not 
> from our domain + has URI + URI contains "bway".
> 
> Generally, the more rules you can create the better. Lots of small 
> scoring rules will invariably outperform a few high scoring rules unless 
> you are able to identify that one killer feature that identifies it as a 
> phish to you.
> 

It's probably been at least a few years since I made any custom rules, so
I'm a bit rusty, but here are a few things I'm trying out with a low score to
see how they work.

This one compares the envelope from to "From:" and if they don't agree,
there's a match:

# envelope sender is NOT one of ours
header __ENV_FROM_TEST EnvelopeFrom !~ /\@bway\.net$/i
# ...but From: claims to be one of our support-style mailboxes
# (grouped so that "support" alone does not match without @bway.net)
header __FROM_TEST From =~ /(?:support|webmail|helpdesk|tech|info|sales|antispam)\@bway\.net/i
meta BWAY_PHISH_FROM (__ENV_FROM_TEST && __FROM_TEST)
describe BWAY_PHISH_FROM Mismatched From: and envelope-from
score BWAY_PHISH_FROM 1.0

This one looks for our hostname in the URI, and if it's not there, but some
variation of our domain shows up in the rest of the URI, it matches:

# host is not bway.net (or a subdomain of it), yet the raw URI mentions bway.htm or our webmail host
uri_detail BWAY_PHISH_LINKS domain !~ /(?:^|\.)bway\.net$/i raw =~ /bway\.html?|webmail\.bway\.net/i
describe BWAY_PHISH_LINKS Strange links that pretend to be webmail
score BWAY_PHISH_LINKS 1.0

I'm also toying with the idea of some meta rules that take each of those
and also do a body check for the most common words (i.e. "account",
"update", "deactivated", etc.) and bump the score up further.

I'd never seen "uri_detail" before, but it seems pretty handy:

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html
-- 
View this message in context: 
http://old.nabble.com/Better-phish-detection-tp33478328p33516999.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
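As an added example (not sporkman's, Ned's, or SpamAssassin's own code), here is the same three-anomaly logic from the thread written in Python so it can be run offline over a sample message: From: claims a support-style @bway.net mailbox while envelope-from is foreign, and a URI whose host is not ours but whose path mentions bway.net or bway.htm. OUR_DOMAIN, SUPPORT_LOCALPARTS and the sample phish are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "bway.net"  # constructed for this example
SUPPORT_LOCALPARTS = {"support", "webmail", "helpdesk", "tech", "info", "sales", "antispam"}
URI_RE = re.compile(r'https?://[^\s<>"\']+', re.I)

def _is_our_host(host):
    """True for bway.net itself and any subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)

def from_mismatch(envelope_from, from_header):
    """Mirror of BWAY_PHISH_FROM: From: looks like one of our support
    mailboxes, but the envelope sender is not @bway.net at all."""
    env_addr = parseaddr(envelope_from)[1].lower()
    hdr_addr = parseaddr(from_header)[1].lower()
    local, _, domain = hdr_addr.rpartition("@")
    claims_us = domain == OUR_DOMAIN and local in SUPPORT_LOCALPARTS
    env_is_us = env_addr.endswith("@" + OUR_DOMAIN)
    return claims_us and not env_is_us

def suspicious_links(body):
    """Mirror of LOCAL_URI_BWAY_NET / BWAY_PHISH_LINKS: URIs whose host is
    not ours but whose path or query mentions our domain or bway.htm(l)."""
    hits = []
    for uri in URI_RE.findall(body):
        p = urlparse(uri)
        rest = (p.path + "?" + p.query).lower()
        if not _is_our_host(p.hostname) and (
                OUR_DOMAIN in rest or re.search(r"bway\.html?", rest)):
            hits.append(uri)
    return hits

def score_message(raw, envelope_from):
    """Add 1.0 per anomaly, matching the low scores tried in the thread."""
    msg = message_from_string(raw)
    score = 0.0
    if from_mismatch(envelope_from, msg.get("From", "")):
        score += 1.0
    if suspicious_links(msg.get_payload()):
        score += 1.0
    return score

# Constructed sample phish (not taken from the linked collection).
SAMPLE = """From: BWAY Support <support@bway.net>
Subject: Account update required

Your account will be deactivated. Login at
http://203.0.113.7/~x/webmail.bway.net/bway.htm to update.
"""
```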