Posted to dev@spamassassin.apache.org by John Hardin <jh...@impsec.org> on 2014/06/11 17:44:28 UTC

Possible enhancement for URIBL plugin?

Folks:

I just came across a PayPal phish that has a potentially useful indicator: 
the domain referenced in the URI has no MX record defined, so it cannot 
accept email.

Would it be worth another DNS query in URIBL to check whether the domain 
has an MX record, and add a point if not?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Maxim II: A Sergeant in motion outranks a Lieutenant who doesn't
   know what's going on.
   Maxim III: An ordnance technician at a dead run outranks everybody.
-----------------------------------------------------------------------
  741 days since the first successful private support mission to ISS (SpaceX)

Re: Possible enhancement for URIBL plugin?

Posted by Axb <ax...@gmail.com>.
On 06/11/2014 08:36 PM, John Hardin wrote:

> I received a phish referencing this URL:
>
>      http://www.secure-line2.com/reach.php
>
> (it's a collector script fed by an HTML form in the mail, so no content
> if you just visit it in a browser.)
>
> Look up the MX hosts for that domain name.

now it has no MX record... nothing abnormal.

> I can't gauge how useful it will be. I only noticed it as an anomaly
> with a phishing email that stood out to me and should be easy to detect
> and likely wouldn't occur for legitimate domains.

There's gazillions of legitimate URL domains without MX records

> It's entirely possible that the number of times a spam/phish domain is
> misconfigured that way (especially after this discussion) is low enough
> that it's not worth the effort.

nope.. not really...
Could you send me a zipped sample of that phish offlist. Would like 
to check it against my SOUGHT_like rules.


Re: Possible enhancement for URIBL plugin?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 11 Jun 2014, Axb wrote:

> On 06/11/2014 07:40 PM, John Hardin wrote:
>>  That, too, but that wouldn't be a part of the URIBL plugin, so this
>>  check sounds reasonable for whatever's doing DNS checks on those bits as
>>  well.
>> 
>> >  Point being, a blanket "every URI in an email must have an MX record"
>> >  is not correct, but a little extra logic would be useful.
>>
>>  Not correct absent an exclusion list, agreed.
>
> Please rewind...
> What are we trying to achieve?

Better detection of spamvertised domains and phishing websites.

> the more I think about it and do lookups on the last dozen spams my traps 
> got, the less I understand it.
>
> I'll refill my gin & tonic and hope somebody can show me examples where this 
> will be a big step on the road to FUSSP.

I received a phish referencing this URL:

 	http://www.secure-line2.com/reach.php

(it's a collector script fed by an HTML form in the mail, so no content if 
you just visit it in a browser.)

Look up the MX hosts for that domain name.

I can't gauge how useful it will be. I only noticed it as an anomaly with 
a phishing email that stood out to me and should be easy to detect and 
likely wouldn't occur for legitimate domains.

It's entirely possible that the number of times a spam/phish domain is 
misconfigured that way (especially after this discussion) is low enough 
that it's not worth the effort.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The social contract exists so that everyone doesn't have to squat
   in the dust holding a spear to protect his woman and his meat all
   day every day. It does not exist so that the government can take
   your spear, your meat, and your woman because it knows better what
   to do with them.                           -- Dagny @ Ace of Spades
-----------------------------------------------------------------------
  741 days since the first successful private support mission to ISS (SpaceX)

Re: Possible enhancement for URIBL plugin?

Posted by Axb <ax...@gmail.com>.
On 06/11/2014 07:40 PM, John Hardin wrote:
> That, too, but that wouldn't be a part of the URIBL plugin, so this
> check sounds reasonable for whatever's doing DNS checks on those bits as
> well.
>
>> Point being, a blanket "every URI in an email must have an MX record"
>> is not correct, but a little extra logic would be useful.
>
> Not correct absent an exclusion list, agreed.

Please rewind...
What are we trying to achieve?
the more I think about it and do lookups on the last dozen spams my 
traps got, the less I understand it.

I'll refill my gin & tonic and hope somebody can show me examples where 
this will be a big step on the road to FUSSP.




Re: Possible enhancement for URIBL plugin?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 11 Jun 2014, Joe Quinn wrote:

> On 6/11/2014 12:36 PM, Axb wrote:
>>  On 06/11/2014 05:57 PM, Joe Quinn wrote:
>> >  On 6/11/2014 11:54 AM, Axb wrote:
>> > >  Shouldn't the URIBL plugin only look at msg body and not headers..
>> >  I don't think so. If you run this rule on a message body that uses a
>> >  shortener like goo.gl, it will see that there is no MX record for goo.gl
>> >  and FP.
>>
>>  ??? why should it have an MX record?
>>  Do you really think that your daily collection of .ru pillz and
>>  .us/me/biz/club snowshowers use MX records?  What for?
>
> I may have misunderstood what you wrote.
>
> goo.gl is a legitimate example of a URI that you will frequently find in the 
> body of ham messages. It does not have an MX record. If you scan the message 
> body for URIs that lack MX records, you will score on goo.gl and likely FP. 
> This rule, if implemented, should only look at parts of the message that 
> imply "this domain will be receiving messages".

Disagree.

Excluding common known redirector sites like goo.gl, it *should* consider 
body URIs.

> For instance, if you receive a message that has a return path of 
> example@lacks-an-mx-record.biz, the simple fact of it being Return-Path 
> implies it will be accepting email. The lack of an MX record in that case 
> would be a valid spam indicator.

That, too, but that wouldn't be a part of the URIBL plugin, so this check 
sounds reasonable for whatever's doing DNS checks on those bits as well.

> Point being, a blanket "every URI in an email must have an MX record" is not 
> correct, but a little extra logic would be useful.

Not correct absent an exclusion list, agreed.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   No representation without taxation!
-----------------------------------------------------------------------
  741 days since the first successful private support mission to ISS (SpaceX)

Re: Possible enhancement for URIBL plugin?

Posted by Joe Quinn <jq...@pccc.com>.
On 6/11/2014 12:36 PM, Axb wrote:
> On 06/11/2014 05:57 PM, Joe Quinn wrote:
>> On 6/11/2014 11:54 AM, Axb wrote:
>>> Shouldn't the URIBL plugin only look at msg body and not headers..
>> I don't think so. If you run this rule on a message body that uses a
>> shortener like goo.gl, it will see that there is no MX record for goo.gl
>> and FP.
>
>
> ??? why should it have an MX record?
> Do you really think that your daily collection of .ru pillz and 
> .us/me/biz/club snowshowers use MX records?  What for?

I may have misunderstood what you wrote.

goo.gl is a legitimate example of a URI that you will frequently find in 
the body of ham messages. It does not have an MX record. If you scan the 
message body for URIs that lack MX records, you will score on goo.gl and 
likely FP. This rule, if implemented, should only look at parts of the 
message that imply "this domain will be receiving messages".

For instance, if you receive a message that has a return path of 
example@lacks-an-mx-record.biz, the simple fact of it being Return-Path 
implies it will be accepting email. The lack of an MX record in that 
case would be a valid spam indicator.

Point being, a blanket "every URI in an email must have an MX record" is 
not correct, but a little extra logic would be useful.

Re: Possible enhancement for URIBL plugin?

Posted by Axb <ax...@gmail.com>.
On 06/11/2014 05:57 PM, Joe Quinn wrote:
> On 6/11/2014 11:54 AM, Axb wrote:
>> On 06/11/2014 05:52 PM, Joe Quinn wrote:
>>> On 6/11/2014 11:44 AM, John Hardin wrote:
>>>> Folks:
>>>>
>>>> I just came across a PayPal phish that has a potentially useful
>>>> indicator: the domain referenced in the URI has no MX record defined,
>>>> so it cannot accept email.
>>>>
>>>> Would it be worth another DNS query in URIBL to check whether the
>>>> domain has an MX record, and add a point if not?
>>>>
>>> Just off the top of my head, it may cause issues with mass email
>>> services like Constant Contact which send their email from oodles of
>>> CDN-like alternate domains which aren't intended to receive email.
>>>
>>> I expect you would need to limit it to headers that are clearly intended
>>> to receive messages (ie, Reply-To, Return-Path, From if the other two
>>> headers are not present, etc).
>>
>> Shouldn't the URIBL plugin only look at msg body and not headers..
> I don't think so. If you run this rule on a message body that uses a
> shortener like goo.gl, it will see that there is no MX record for goo.gl
> and FP.


??? why should it have an MX record?
Do you really think that your daily collection of .ru pillz and 
.us/me/biz/club snowshowers use MX records?  What for?





Re: Possible enhancement for URIBL plugin?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 11 Jun 2014, Joe Quinn wrote:

> On 6/11/2014 11:54 AM, Axb wrote:
>>  On 06/11/2014 05:52 PM, Joe Quinn wrote:
>> >  On 6/11/2014 11:44 AM, John Hardin wrote:
>> > >  Folks:
>> > > 
>> > >  I just came across a PayPal phish that has a potentially useful
>> > >  indicator: the domain referenced in the URI has no MX record defined,
>> > >  so it cannot accept email.
>> > > 
>> > >  Would it be worth another DNS query in URIBL to check whether the
>> > >  domain has an MX record, and add a point if not?
>> >
>> >  Just off the top of my head, it may cause issues with mass email
>> >  services like Constant Contact which send their email from oodles of
>> >  CDN-like alternate domains which aren't intended to receive email.
>> > 
>> >  I expect you would need to limit it to headers that are clearly intended
>> >  to receive messages (ie, Reply-To, Return-Path, From if the other two
>> >  headers are not present, etc).
>>
>>  Shouldn't the URIBL plugin only look at msg body and not headers..
>
> I don't think so. If you run this rule on a message body that uses a 
> shortener like goo.gl, it will see that there is no MX record for goo.gl and 
> FP.

OK, so might need an exclusion list for common widespread cases like this.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   No representation without taxation!
-----------------------------------------------------------------------
  741 days since the first successful private support mission to ISS (SpaceX)

Re: Possible enhancement for URIBL plugin?

Posted by Joe Quinn <jq...@pccc.com>.
On 6/11/2014 11:54 AM, Axb wrote:
> On 06/11/2014 05:52 PM, Joe Quinn wrote:
>> On 6/11/2014 11:44 AM, John Hardin wrote:
>>> Folks:
>>>
>>> I just came across a PayPal phish that has a potentially useful
>>> indicator: the domain referenced in the URI has no MX record defined,
>>> so it cannot accept email.
>>>
>>> Would it be worth another DNS query in URIBL to check whether the
>>> domain has an MX record, and add a point if not?
>>>
>> Just off the top of my head, it may cause issues with mass email
>> services like Constant Contact which send their email from oodles of
>> CDN-like alternate domains which aren't intended to receive email.
>>
>> I expect you would need to limit it to headers that are clearly intended
>> to receive messages (ie, Reply-To, Return-Path, From if the other two
>> headers are not present, etc).
>
> Shouldn't the URIBL plugin only look at msg body and not headers..
I don't think so. If you run this rule on a message body that uses a 
shortener like goo.gl, it will see that there is no MX record for goo.gl 
and FP.

Re: Possible enhancement for URIBL plugin?

Posted by Axb <ax...@gmail.com>.
On 06/11/2014 05:52 PM, Joe Quinn wrote:
> On 6/11/2014 11:44 AM, John Hardin wrote:
>> Folks:
>>
>> I just came across a PayPal phish that has a potentially useful
>> indicator: the domain referenced in the URI has no MX record defined,
>> so it cannot accept email.
>>
>> Would it be worth another DNS query in URIBL to check whether the
>> domain has an MX record, and add a point if not?
>>
> Just off the top of my head, it may cause issues with mass email
> services like Constant Contact which send their email from oodles of
> CDN-like alternate domains which aren't intended to receive email.
>
> I expect you would need to limit it to headers that are clearly intended
> to receive messages (ie, Reply-To, Return-Path, From if the other two
> headers are not present, etc).

Shouldn't the URIBL plugin only look at msg body and not headers..



Re: Possible enhancement for URIBL plugin?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 11 Jun 2014, Joe Quinn wrote:

> On 6/11/2014 11:44 AM, John Hardin wrote:
>>  Folks:
>>
>>  I just came across a PayPal phish that has a potentially useful indicator:
>>  the domain referenced in the URI has no MX record defined, so it cannot
>>  accept email.
>>
>>  Would it be worth another DNS query in URIBL to check whether the domain
>>  has an MX record, and add a point if not?
>
> That's a pretty funny mistake for a spammer to make.

Actually it was a phishing site hosting a webform/CGI, so there's really 
no need for email contact.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   No representation without taxation!
-----------------------------------------------------------------------
  741 days since the first successful private support mission to ISS (SpaceX)

Re: Possible enhancement for URIBL plugin?

Posted by Joe Quinn <jq...@pccc.com>.
On 6/11/2014 11:44 AM, John Hardin wrote:
> Folks:
>
> I just came across a PayPal phish that has a potentially useful 
> indicator: the domain referenced in the URI has no MX record defined, 
> so it cannot accept email.
>
> Would it be worth another DNS query in URIBL to check whether the 
> domain has an MX record, and add a point if not?
>
Just off the top of my head, it may cause issues with mass email 
services like Constant Contact which send their email from oodles of 
CDN-like alternate domains which aren't intended to receive email.

I expect you would need to limit it to headers that are clearly intended 
to receive messages (ie, Reply-To, Return-Path, From if the other two 
headers are not present, etc).

That's a pretty funny mistake for a spammer to make.

Re: Possible enhancement for URIBL plugin?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 11 Jun 2014, Kevin Golding wrote:

> On Wed, 11 Jun 2014 16:44:28 +0100, John Hardin <jh...@impsec.org> wrote:
>
>> I just came across a PayPal phish that has a potentially useful indicator: 
>> the domain referenced in the URI has no MX record defined, so it cannot 
>> accept email.
>
> MX records aren't required for mail deliverability. Unusual these days, but 
> not required.
>
> http://tools.ietf.org/html/rfc5321#section-5.1

Well, yes, but having a "stealth" mail server for your domain is also 
kinda suspicious.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   No representation without taxation!
-----------------------------------------------------------------------
  741 days since the first successful private support mission to ISS (SpaceX)

Re: Possible enhancement for URIBL plugin?

Posted by Kevin Golding <kp...@caomhin.org>.
On Wed, 11 Jun 2014 16:44:28 +0100, John Hardin <jh...@impsec.org> wrote:

> I just came across a PayPal phish that has a potentially useful  
> indicator: the domain referenced in the URI has no MX record defined, so  
> it cannot accept email.

MX records aren't required for mail deliverability. Unusual these days,  
but not required.

http://tools.ietf.org/html/rfc5321#section-5.1
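The thread above circles a single proposed heuristic and three objections to it: score body URI domains that have no MX record (the original proposal); keep an exclusion list for widespread redirectors such as goo.gl that never receive mail; only treat headers that actually imply a mail destination (Return-Path, Reply-To, else From) as candidates for the header-side check; and, per RFC 5321 section 5.1, remember that a name with an A/AAAA record but no MX is still a valid delivery target (the "implicit MX"), so "no MX" alone does not mean "cannot accept email". The following Python sketch is an added example, not SpamAssassin code and not anything posted in the thread: it puts those four points in one place. DNS answers come from a constructed zone table so it runs offline; the hostnames in that table are taken from the thread but the record sets attached to them are assumed for illustration and say nothing about the real domains. Two simplifications are also assumptions: it checks the URI host exactly as extracted (the real URIBL plugin works on the registrable domain), and the exclusion list is a hand-picked set rather than anything SpamAssassin ships.

```python
"""Added example, not SpamAssassin code: the "URI domain has no MX" idea from
the thread, plus the refinements raised in reply (redirector exclusion list,
header-side check limited to mail-receiving headers, and the RFC 5321 s5.1
implicit-MX rule).  DNS is stubbed with constructed zone data."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-in for DNS answers: hostname -> set of record types present.
# Record sets are assumptions for the example, not real lookups.
FAKE_ZONE = {
    "www.secure-line2.com": {"A"},        # phish form host from the thread: A only
    "goo.gl": {"A"},                      # redirector: A only, which is normal
    "paypal.com": {"MX", "A"},
    "lacks-an-mx-record.biz": set(),      # nothing at all
    "mail.example.org": {"MX", "A"},
}

# Assumed exclusion list: redirector/CDN hosts that never receive mail.
REDIRECTOR_EXCLUSIONS = {"goo.gl", "bit.ly", "t.co"}

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def has_record(name, rtype, zone):
    return rtype in zone.get(name.lower().rstrip("."), set())


def mail_destination(domain, zone, strict=False):
    """'mx' if an MX exists; otherwise, per RFC 5321 s5.1, 'implicit-mx' when
    an A or AAAA record exists; None when neither.  strict=True is the original
    proposal (MX or nothing) and deliberately ignores the implicit-MX rule."""
    if has_record(domain, "MX", zone):
        return "mx"
    if not strict and (has_record(domain, "A", zone) or has_record(domain, "AAAA", zone)):
        return "implicit-mx"
    return None


def is_excluded(host, exclusions):
    host = host.lower()
    return any(host == e or host.endswith("." + e) for e in exclusions)


def body_uri_hosts(body):
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlparse(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def check_body(body, zone=FAKE_ZONE, exclusions=REDIRECTOR_EXCLUSIONS, strict=False):
    """Verdict per body URI host: 'excluded', 'mx', 'implicit-mx' or 'no-mail-dest'."""
    verdicts = {}
    for host in body_uri_hosts(body):
        if is_excluded(host, exclusions):
            verdicts[host] = "excluded"
        else:
            verdicts[host] = mail_destination(host, zone, strict) or "no-mail-dest"
    return verdicts


def check_headers(raw_message, zone=FAKE_ZONE, strict=False):
    """Only headers that imply the domain will receive mail: Return-Path and
    Reply-To, falling back to From when neither is present."""
    msg = message_from_string(raw_message)
    headers = [h for h in ("Return-Path", "Reply-To") if msg.get(h)] or ["From"]
    verdicts = {}
    for h in headers:
        addr = parseaddr(msg.get(h, ""))[1]
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1]
            verdicts[h] = (domain, mail_destination(domain, zone, strict) or "no-mail-dest")
    return verdicts


# Constructed sample message shaped like the phish described in the thread.
SAMPLE = """\
Return-Path: <bounce@lacks-an-mx-record.biz>
From: "PayPal" <service@paypal.com>
Subject: Verify your account

Please confirm at http://www.secure-line2.com/reach.php
Shortened policy link: http://goo.gl/abc123
Official site: https://paypal.com/
"""
SAMPLE_BODY = message_from_string(SAMPLE).get_payload()

if __name__ == "__main__":
    print("body, RFC-aware:", check_body(SAMPLE_BODY))
    print("body, strict MX:", check_body(SAMPLE_BODY, strict=True))
    print("headers:", check_headers(SAMPLE))
```

Run as-is, the strict mode flags www.secure-line2.com (no MX) while the RFC-aware mode does not, because its A record makes it an implicit MX; goo.gl is skipped by the exclusion list either way; and the constructed Return-Path domain with no records at all is the one case that every variant agrees on. That last point is the practical takeaway from Kevin's RFC reference: "no MX and no A/AAAA" is a far stronger signal than "no MX". To use this against live DNS, replace the FAKE_ZONE lookups in has_record with a real resolver and add a timeout, since every extra query per URI is latency the scanner pays on every message.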