Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2012/10/02 21:23:32 UTC
[Bug 6848] New: HTML URI spoofing detection
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
Priority: P2
Bug ID: 6848
Assignee: dev@spamassassin.apache.org
Summary: HTML URI spoofing detection
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: biggnou@gmail.com
Hardware: PC
Status: NEW
Version: unspecified
Component: RuleQA
Product: Spamassassin
Hello,
This is a "duplicate" of several bug reports, or call it a boomerang.
I wrote to the sa-users mailing list about a specific problem with some specific
spams. In the beginning I wrote rawbody rules with complex regexes, but following
advice given by a few mailing list users, I ended up with this basic use of the
URIDetail plugin.
And now I would like to submit a few rules to the ruleqa. Of course, as it's
specific to a spam campaign, I expect those rules to fail this test, but it
could be a good idea to store them as a useful "template" for spoofed URIs and
other phishing attempts.
## Canada Post
uri_detail AJB_CANPOST_BADLINK raw !~ /canadapost\./ text =~ /(?:https?:\/\/|www\.)canadapost\./ type =~ /^a$/
describe AJB_CANPOST_BADLINK Found a mismatch between href and anchored text pretending to link to www.canadapost.ca
score AJB_CANPOST_BADLINK 1.0
## youtube
uri_detail AJB_UTUBE_BADLINK raw !~ /youtube\./ text =~ /(?:https?:\/\/|www\.)youtube\./ type =~ /^a$/
describe AJB_UTUBE_BADLINK Found a mismatch between href and anchored text pretending to link to www.youtube.com
score AJB_UTUBE_BADLINK 0.5
# because of link trackers (from massmailer for example), we must meta this
# with other rules to be sure we face our fake youtube botnet
header __AJB_EMPTY_SUBJ Subject =~ /^$/
meta AJB_FK_UTUBE_BOTNET AJB_UTUBE_BADLINK && MIME_HTML_ONLY && __AJB_EMPTY_SUBJ
describe AJB_FK_UTUBE_BOTNET mismatch between href and anchored + empty subject = botnet
score AJB_FK_UTUBE_BOTNET 5.5
Those rules are pretty effective against the spam campaigns hitting my servers,
and I'm already working on rules based on this kind for other spoofed domains
like Royal Bank of Canada, Paypal and ING direct (with metas on the received
header).
--
You are receiving this mail because:
You are the assignee for the bug.
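The href/anchor-text mismatch test from the rules above, generalised from one brand per rule to any displayed host, as an added example (not code from this thread or from the SpamAssassin project). The names `AnchorCollector`, `norm`, `same_site`, `spoofed_links` and the `SAMPLE` body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Same "looks like a URL" test as the rules' text =~ part, host captured.
TEXT_URL = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+)", re.I)

# Constructed sample body: a spoofed link, an honest link, a plain-text link.
SAMPLE = (
    '<a href="http://203.0.113.7/track.php">http://www.canadapost.ca/track</a>'
    '<a href="https://m.youtube.com/watch">www.youtube.com</a>'
    '<a href="http://news.example.org/">Read more</a>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href="..."> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def norm(host):  # lower-case, no trailing dot, no leading "www."
    return host.lower().rstrip(".").removeprefix("www.")
def same_site(a, b):  # equal, or one is a subdomain of the other
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spoofed_links(html):
    """Return (displayed host, href host) pairs that do not match."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        shown = TEXT_URL.search(text)
        try:
            real = urlsplit(href).hostname
        except ValueError:  # malformed host in href
            real = None
        if shown and real and not same_site(norm(shown.group(1)), norm(real)):
            hits.append((norm(shown.group(1)), norm(real)))
    return hits
```

As the rule comments note for link trackers, a mismatch alone also fires on legitimate mass mailings, so the result is best combined with other signals rather than scored high on its own.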
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
--- Comment #2 from AXB <ax...@gmail.com> ---
(In reply to comment #1)
> Who wants to add these to their sandbox?
How about a dedicated file in the "emailed" sandbox?
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
--- Comment #3 from AXB <ax...@gmail.com> ---
Alex,
Pls include rules in a file named 20_bug_6848_ajb.cf and attached to this bug.
For safety, enclose rules in:
ifplugin Mail::SpamAssassin::Plugin::URIDetail
# put rules here
endif
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
--- Comment #5 from Alex Boyer <bi...@gmail.com> ---
Created attachment 5097
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5097&action=edit
rules files
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
John Hardin <jh...@impsec.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org
--- Comment #1 from John Hardin <jh...@impsec.org> ---
Who wants to add these to their sandbox?
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
Alex Boyer <bi...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |biggnou@gmail.com
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
--- Comment #7 from AXB <ax...@gmail.com> ---
Commit Added /trunk/rulesrc/sandbox/emailed/20_bug_6848_ajb.cf
Committed revision 1393572.
results will become visible in a couple of days
see http://ruleqa.spamassassin.org/
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
--- Comment #4 from John Hardin <jh...@impsec.org> ---
(In reply to comment #2)
> (In reply to comment #1)
> > Who wants to add these to their sandbox?
>
> How about a dedicated file in the "emailed" sandbox?
Good idea!
[Bug 6848] HTML URI spoofing detection
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848
--- Comment #6 from Alex Boyer <bi...@gmail.com> ---
(In reply to comment #3)
> Alex,
>
> Pls include rules in a file named 20_bug_6848_ajb.cf and attached to this
> bug.
> For safety, enclose rules in:
>
> ifplugin Mail::SpamAssassin::Plugin::URIDetail
> # put rules here
> endif
Good morning,
I uploaded the rule file as asked.
I can also provide a couple of spam and ham samples to test those if needed.
I don't know if this is the correct place to do so or not; do not hesitate to point me
in the right direction.
Best regards,