On Wed, 3 May 2017, Alex wrote:
> Hi,
> If you haven't heard, there was a huge Google Docs phishing attack
> today. Several hundred bypassed our filters in the hour or so before
> we were able to identify them. The To address is always
> "hhhhhhhhhhhhh...@mailinator.com" and the subject is always "<User
> Name> has shared a document on Google Docs with you" where "user name"
> is some random user.
> https://www.theatlantic.com/technology/archive/2017/05/did-someone-just-share-a-random-google-doc-with-you/525279/
> I wanted to provide an example in case it helps, even though chances
> are the campaign is dead. We've seen Google proxy and redirect attacks
> before and will probably see them again.
> https://pastebin.com/aWVaMMni
[snip..]
> The LOC_FRAUD_DOC is a local rule and the LOC_URI_RARE_TLD was for
> '.pro' from John's rules some time ago. They're only scored at 0.6.
> Obviously training these would be enough to put them over to spam, but
> would someone like to look at the URI in the body to create a possible
> rule? It's likely Google is looking at this more closely - do you
> think they will put an end to the redirect that's being used?
> Should the score for .pro domains and other rare TLDs be higher?
> Have you received any of these? Have you done anything to prevent them
> next time or from being received this time?
That target domain "g-docs . pro" was registered 12 days ago via namecheap.com
which was enough to earn it a few extra points at our site.
It's now sitting in a high-scoring local URIBL here (which is enough to get an
SMTP-REJECT).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
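As an added illustration of the kind of local rule Alex asks for and the local URI list Dave describes (example config, not the rules of either poster or of the SpamAssassin project), the fragment below for local.cf combines the constant subject, the mailinator.com To address, the rare '.pro' TLD in the body URI and a locally listed host into one scored meta rule. The rule names, scores and the LOC_GDOCS list name are assumptions; only the g-docs.pro host and the message traits come from the thread.

```spamassassin
# Constructed local.cf fragment: traits of the May 2017 Google Docs phish.
# Non-scoring subrules (names starting with __) carry the individual signals.
header   __LOC_GDOCS_SHARE_SUBJ  Subject =~ /has shared a document on Google Docs with you/i
header   __LOC_MAILINATOR_TO     To =~ /\@mailinator\.com/i
# Body URI whose host ends in the rare '.pro' TLD (assumed pattern, like LOC_URI_RARE_TLD).
uri      __LOC_URI_PRO_TLD       /^https?:\/\/[^\/?#]+\.pro(?:[\/?#:]|$)/i

# Local URI host list: the target domain from the thread plus any hosts added later.
# LOC_GDOCS is an assumed list name; enlist_uri_host needs SpamAssassin 3.4 or later.
enlist_uri_host (LOC_GDOCS) g-docs.pro
body     __LOC_URI_HOST_LISTED   eval:check_uri_host_listed('LOC_GDOCS')

# One scored rule: the shared-document subject plus any one of the other signals,
# or a listed host on its own. Scores are assumed values for a local site policy.
meta     LOC_GDOCS_PHISH  (__LOC_GDOCS_SHARE_SUBJ && (__LOC_MAILINATOR_TO || __LOC_URI_PRO_TLD)) || __LOC_URI_HOST_LISTED
describe LOC_GDOCS_PHISH  Google Docs share lure with throwaway To address, rare TLD or listed host
score    LOC_GDOCS_PHISH  5.0
```

Check the fragment with `spamassassin --lint` before reloading, and watch the hit counts on ham for a few days before raising the score toward a reject threshold.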