Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2011/03/21 17:18:31 UTC

fake URL's in mail

Hello,

I know that this discussion has taken place here many times in the past, but our
company is a victim of many phishing attacks so I would like to use any
possible solution.

My idea is that, while there are many companies sending legitimate
mail with fake URLs, those could be whitelisted in a manner similar to
whitelist_from and/or whitelist_from_rcvd.

That would of course require a plugin instead of a simple rule; however,
looking at the past discussions about this problem, no rule doing such
checks could be "simple", mostly because of possible whitespace and
attributes in HTML tags.

Does anyone successfully use plugin or at least rules that catch fake URLs?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm

Re: fake URL's in mail

Posted by Adam Katz <an...@khopis.com>.
On 03/25/2011 04:59 AM, Matus UHLAR - fantomas wrote:
> Are there REALLY that MANY massmailers that can not post
> valid URL's? Something is rotten in the state of Denmark...

Yes.  Here is an example of ham in this category (obfuscated from an
opt-in newsletter I received a few days ago):

> .. you can do so on my website at: www.example.org
> [http://r20.rs6.net/tn.jsp?llr=t3gsdecfb&et=1204949082340&s=635&e=001QT_SegTbXU1N7K_IcTndRqXABrEhqSbxbIYhGmFwcCswh8kkaQwhQAma4PuTWPg1awoSp0UNBpvRfUEVliJItwZU4La1KsxUcV_nET7t-EcK0AEUgxApBBjsSLSUbjQZ4HxS17k1-0U=]
> or in the mail at ...

This is not uncommon.  I've seen it in surveys sent as follow-ups to
orders, in newsletters, in "ha ha you didn't opt out" ads from companies
I previously had business with, and I'm sure a few other examples.
Shortened URLs are also used for this.

(I've never understood why they don't use a hash table for those
tracking URLs so that they don't get truncated...)

>> On 23/03/2011 4:36 PM, Adam Katz wrote:
>>> Even with such a mechanism in place, it unduly penalizes the 
>>> little guys.

On 03/25/2011 05:00 AM, Matus UHLAR - fantomas wrote:
> even little guys should be able to send correct URLs

Those are correct URLs.  They merely track subscriber clicks in order to
get statistics and report them back to their customer (the newsletter
organizer or sales company).

> On 23.03.11 16:42, Lawrence @ Rogers wrote:
>> Agreed. It's just one of those impractical things and just ain't 
>> worth the effort.
> 
> you have never received a phishing attack on your domain, have you?

If you intend this to target phishing, I would propose going the other
direction with it -- instead of needing to whitelist the hundreds to
thousands of sites that might do link tracking or another form of
redirection, go the other way and mark popular phishing targets for this
scan.

Another option is to use a shortened URL detector and a bulk mail
detector (like __NOT_A_PERSON) to cleanse the results, though I still
think it would be clunky and FP-ridden.


Re: fake URL's in mail

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> >> On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote:
> >>>>> Does anyone successfully use plugin or at least rules that
> >>>>> catch fake URLs?

> On 03/23/2011 11:43 AM, Matus UHLAR - fantomas wrote:
> > I know about the problem with "legal" mail and spoofed URL's. That's
> > why I asked about plugin that would be able to accept whitelists.

On 23.03.11 12:06, Adam Katz wrote:
> That would require an ENORMOUS whitelist and very close attention to its
> upkeep.  I do not see this as practical without using a URIBL-style
> mechanism (which would also require high maintenance).  Even with such a
> mechanism in place, it unduly penalizes the little guys.

Enormous? Are there REALLY that MANY massmailers that can not post valid
URL's? Something is rotten in the state of Denmark...

Note that the strength of the check can still be tuned, e.g. there's a
difference between

<A HREF="https://example.com">http://example.com</A>
<A HREF="http://subdomain.example.com">http://example.com</A>
<A HREF="http://bulkmailer.example.net">http://company.example.com</A>

and between

<A HREF="http://phishingpage.example.org">http://victim.example.com</A>

However, I would be satisfied even with blacklisting of those invalid ones.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 
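The graded check sketched in this post, written out as an added Python example (not SpamAssassin code and not the poster's): it ranks an href/visible-text mismatch as scheme-only, subdomain, whitelisted or spoofed, honouring a small whitelist keyed on the visible host in the spirit of whitelist_from_rcvd. The anchor regex, the WHITELIST mapping, the verdict names and the sample body are all constructed for this example.

```python
"""Graded href/visible-URL mismatch check with a whitelist (added example,
not SpamAssassin code; ANCHOR_RE, TEXT_URL_RE, WHITELIST and the verdict
names are assumptions of this example)."""
import re
from urllib.parse import urlsplit

# <a ... href=...>visible</a>, case-insensitive, tolerant of unquoted hrefs.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*?\bhref\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a\s*>',
    re.I | re.S)
TAG_RE = re.compile(r'<[^>]+>')
# Something that looks like a URL or hostname in the visible text.
TEXT_URL_RE = re.compile(r'(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+', re.I)
# Assumed whitelist: visible host -> href hosts a bulk mailer may use for it,
# in the spirit of whitelist_from_rcvd.
WHITELIST = {'company.example.com': {'bulkmailer.example.net'}}

def host_of(url):
    """Lower-cased host; a missing scheme is taken to be http."""
    if '://' not in url:
        url = 'http://' + url
    return (urlsplit(url).hostname or '').lower()

def classify(href, visible, whitelist=WHITELIST):
    """Rank how far the href strays from the URL the reader sees."""
    m = TEXT_URL_RE.search(TAG_RE.sub('', visible))
    if not m:
        return 'no_url_in_text'      # "click here" labels are not spoofs
    shown_url = m.group(0)
    shown, real = host_of(shown_url), host_of(href)
    if shown == real:
        # Same host: only a visible scheme that differs from the real one counts.
        shown_scheme = shown_url.split('://')[0].lower() if '://' in shown_url else None
        real_scheme = urlsplit(href).scheme.lower() or 'http'
        return 'ok' if shown_scheme in (None, real_scheme) else 'scheme_only'
    if real.endswith('.' + shown) or shown.endswith('.' + real):
        return 'subdomain'           # same organisation, different label
    if real in whitelist.get(shown, ()):
        return 'whitelisted'         # known tracking or bulk-mail redirector
    return 'spoofed'                 # the case a phishing filter wants to score

def scan(html, whitelist=WHITELIST):
    """(href, visible text, verdict) for every anchor in an HTML body."""
    return [(h, TAG_RE.sub('', t).strip(), classify(h, t, whitelist))
            for h, t in ANCHOR_RE.findall(html)]

# Constructed sample body built from the anchors quoted in this thread.
SAMPLE = """
<A HREF="https://example.com">http://example.com</A>
<A HREF="http://subdomain.example.com">http://example.com</A>
<A HREF="http://bulkmailer.example.net">http://company.example.com</A>
<A HREF="http://phishingpage.example.org">http://victim.example.com</A>
<a href="http://example.com/unsubscribe">click here</a>
"""

if __name__ == '__main__':
    for href, text, verdict in scan(SAMPLE):
        print(f'{verdict:15} {text:28} -> {href}')
```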

Re: fake URL's in mail

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 23/03/2011 4:36 PM, Adam Katz wrote:
>> That would require an ENORMOUS whitelist and very close attention to its
>> upkeep.  I do not see this as practical without using a URIBL-style
>> mechanism (which would also require high maintenance).

>> Even with such a
>> mechanism in place, it unduly penalizes the little guys.

even little guys should be able to send correct URLs

On 23.03.11 16:42, Lawrence @ Rogers wrote:
> Agreed. It's just one of those impractical things and just ain't worth  
> the effort.

you have never received a phishing attack on your domain, have you?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 

Re: fake URL's in mail

Posted by "Lawrence @ Rogers" <la...@nl.rogers.com>.
On 23/03/2011 4:36 PM, Adam Katz wrote:
> On 03/23/2011 11:43 AM, Matus UHLAR - fantomas wrote:
>>> On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote:
>>>>>> Does anyone successfully use plugin or at least rules that
>>>>>> catch fake URLs?
>> On 21.03.11 13:36, Adam Katz wrote:
>>> __SPOOFED_URL, a rule already shipping with SA, does this.
>> I know about the problem with "legal" mail and spoofed URL's. That's
>> why I asked about plugin that would be able to accept whitelists.
> That would require an ENORMOUS whitelist and very close attention to its
> upkeep.  I do not see this as practical without using a URIBL-style
> mechanism (which would also require high maintenance).  Even with such a
> mechanism in place, it unduly penalizes the little guys.
>
Agreed. It's just one of those impractical things and just ain't worth 
the effort.

Regards,
Lawrence

Re: fake URL's in mail

Posted by Adam Katz <an...@khopis.com>.
On 03/23/2011 11:43 AM, Matus UHLAR - fantomas wrote:
>> On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote:
>>>>> Does anyone successfully use plugin or at least rules that
>>>>> catch fake URLs?

> On 21.03.11 13:36, Adam Katz wrote:
>> __SPOOFED_URL, a rule already shipping with SA, does this.

> I know about the problem with "legal" mail and spoofed URL's. That's
> why I asked about plugin that would be able to accept whitelists.

That would require an ENORMOUS whitelist and very close attention to its
upkeep.  I do not see this as practical without using a URIBL-style
mechanism (which would also require high maintenance).  Even with such a
mechanism in place, it unduly penalizes the little guys.


Re: fake URL's in mail

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/23/11 2:50 PM, Matus UHLAR - fantomas wrote:
>> On 3/23/11 2:43 PM, Matus UHLAR - fantomas wrote:
>>> I know about the problem with "legal" mail and spoofed URL's. That's why I
>>> asked about plugin that would be able to accept whitelists.
>>>
>>> I don't see if it's possible to combine this with matching some domains
>>> while not matching others, e.g. allow
>>>
>>> <a href="http://example.com/">http://example.net</a>
>>>
>>> while not allowing
>>>
>>> <a href="http://example.org/">http://example.net</a>
>>>
>>> but I doubt this is possible with this kind of rules.
> On 23.03.11 14:45, Michael Scheidell wrote:
>> that is why you do it with clamav.
>> clamav will trigger (if set up to do that) if the a href doesn't match.
>> and with clamav, you can set up exclusions (whitelist)
> I'd be glad if I could do this, no matter if with clamav (however I find it
> better within spamassassin since users could set up their own whitelist the SA
> way).
>
> You are apparently talking about the PhishingAlwaysBlockSSLMismatch and/or
> PhishingAlwaysBlockCloak but can you please point me to how to do these
> black/whitelists?
>
this should help:

<www.clamav.net/doc/latest/phishsigs_howto.pdf>

if you create a user interface and let them whitelist those brilliant 
marketing emails that do stupid things, you should be able to script 
adding to wl.

note:

an a href with a visible string of 'click here for crap' is considered 
ok, while an a href of bankofamerica.com.hacker.in.ru with a visible 
string of bankofamerica.com will trigger the phish sig.



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: fake URL's in mail

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 3/23/11 2:43 PM, Matus UHLAR - fantomas wrote:
>> I know about the problem with "legal" mail and spoofed URL's. That's why I
>> asked about plugin that would be able to accept whitelists.
>>
>> I don't see if it's possible to combine this with matching some domains
>> while not matching others, e.g. allow
>>
>> <a href="http://example.com/">http://example.net</a>
>>
>> while not allowing
>>
>> <a href="http://example.org/">http://example.net</a>
>>
>> but I doubt this is possible with this kind of rules.

On 23.03.11 14:45, Michael Scheidell wrote:
> that is why you do it with clamav.
> clamav will trigger (if set up to do that) if the a href doesn't match.   
> and with clamav, you can set up exclusions (whitelist)

I'd be glad if I could do this, no matter if with clamav (however I find it
better within spamassassin since users could set up their own whitelist the SA
way).

You are apparently talking about the PhishingAlwaysBlockSSLMismatch and/or
PhishingAlwaysBlockCloak but can you please point me to how to do these
black/whitelists?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors

Re: fake URL's in mail

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/23/11 2:43 PM, Matus UHLAR - fantomas wrote:
> I know about the problem with "legal" mail and spoofed URL's. That's why I
> asked about plugin that would be able to accept whitelists.
>
> I don't see if it's possible to combine this with matching some domains
> while not matching others, e.g. allow
>
> <a href="http://example.com/">http://example.net</a>
>
> while not allowing
>
> <a href="http://example.org/">http://example.net</a>
>
> but I doubt this is possible with this kind of rules.
that is why you do it with clamav.
clamav will trigger (if set up to do that) if the a href doesn't match.  
and with clamav, you can set up exclusions (whitelist)



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300

Re: fake URL's in mail

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote:
> >>> Does anyone successfully use plugin or at least rules that catch
> >>> fake URLs?
> 
> > I mean URLs pointing to different address than they appear, like:
> > 
> > <a href="phishing.site/fake/webmail">http://webmail.example.com/</a>

On 21.03.11 13:36, Adam Katz wrote:
> No plugin needed.  __SPOOFED_URL, a rule already shipping with SA, does
> this. Note that it FPs on a significant amount of marketing ham:
> 
> http://ruleqa.spamassassin.org/20110321-r1083702-n/__SPOOFED_URL/detail
> 
>   MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME
>       0   2.8104   5.9645   0.320    0.44   (n/a)  __SPOOFED_URL
> 
> rawbody  __SPOOFED_URL	m/<a\s[^>]{0,99}\bhref=(?:3D)?.?(https?:[^>"' ]{8,30})[^>]{0,99}>(?:[^<]{0,99}<(?!\/a)[^>]{1,99}>)*(?!\1)https?:\/\/[^<]{5}/i

I know about the problem with "legal" mail and spoofed URL's. That's why I
asked about plugin that would be able to accept whitelists.

I don't see if it's possible to combine this with matching some domains
while not matching others, e.g. allow 

<a href="http://example.com/">http://example.net</a>

while not allowing

<a href="http://example.org/">http://example.net</a>

but I doubt this is possible with this kind of rules.

 
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: fake URL's in mail

Posted by Adam Katz <an...@khopis.com>.
On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote:
>>> Does anyone successfully use plugin or at least rules that catch
>>> fake URLs?

> I mean URLs pointing to different address than they appear, like:
> 
> <a href="phishing.site/fake/webmail">http://webmail.example.com/</a>

No plugin needed.  __SPOOFED_URL, a rule already shipping with SA, does
this.  Note that it FPs on a significant amount of marketing ham:

http://ruleqa.spamassassin.org/20110321-r1083702-n/__SPOOFED_URL/detail

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME
      0   2.8104   5.9645   0.320    0.44   (n/a)  __SPOOFED_URL

rawbody  __SPOOFED_URL	m/<a\s[^>]{0,99}\bhref=(?:3D)?.?(https?:[^>"' ]{8,30})[^>]{0,99}>(?:[^<]{0,99}<(?!\/a)[^>]{1,99}>)*(?!\1)https?:\/\/[^<]{5}/i
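To see what the rule above actually fires on, here is its regex ported from Perl to Python's re module and run over anchors constructed from this thread's examples (an added example, not part of SpamAssassin; the spoofed_url_hits helper and the SAMPLES strings are constructed for it). It shows why the rule needs an http(s): scheme on both sides, and why a scheme-only mismatch counts as a hit.

```python
"""The SpamAssassin __SPOOFED_URL pattern ported to Python's re module.

Added example, not SpamAssassin code: spoofed_url_hits and the SAMPLES
below are constructed for this illustration.
"""
import re

# Perl m/.../i -> re.I.  The pattern keeps the quoted-printable '=3D'
# allowance and the back-reference (?!\1): the visible text must start with
# http(s):// but must NOT start with the URL captured from href.
SPOOFED_URL = re.compile(
    r'''<a\s[^>]{0,99}\bhref=(?:3D)?.?(https?:[^>"' ]{8,30})[^>]{0,99}>'''
    r'''(?:[^<]{0,99}<(?!\/a)[^>]{1,99}>)*(?!\1)https?:\/\/[^<]{5}''',
    re.I)

def spoofed_url_hits(rawbody):
    """Return the href URL captured at every place the rule would fire."""
    return [m.group(1) for m in SPOOFED_URL.finditer(rawbody)]

# Constructed anchors based on the examples quoted in this thread.
SAMPLES = {
    # Mismatched domains: the case the rule is meant to catch.
    'phish': '<A HREF="http://phishingpage.example.org">http://victim.example.com</A>',
    # Same anchor after quoted-printable encoding of the '=' sign.
    'qp': '<a href=3D"http://phishingpage.example.org">http://victim.example.com</a>',
    # Only the scheme differs: the rule still fires (one source of ham hits).
    'scheme': '<A HREF="https://example.com">http://example.com</A>',
    # href without a scheme, as in the first post: silent, href must be http(s):.
    'schemeless': '<a href="phishing.site/fake/webmail">http://webmail.example.com/</a>',
    # Tracking redirect with a bare-hostname label: silent, label lacks http://.
    'tracker': '<a href="http://r20.rs6.net/tn.jsp?llr=t3gsdecfb">www.example.org</a>',
}

if __name__ == '__main__':
    for name, html in SAMPLES.items():
        print(f'{name:11} {"HIT " if spoofed_url_hits(html) else "miss"} {html}')
```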


Re: fake URL's in mail

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/21/11 12:57 PM, Matus UHLAR - fantomas wrote:
> I use clamav, it somehow doesn't catch them all.
>
> as I have already said, many banks send URL's that do not match, so this is
> not possible to implement generally (Yes, I know it sucks).
>
with clamav, you can set up a whitelist.

do a 'clamconf' and see if you have these enabled:

PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak = "yes"
PhishingAlwaysBlockSSLMismatch = "yes"



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300

Re: fake URL's in mail

Posted by Anthony Cartmell <li...@fonant.com>.
>>>>> Does anyone successfully use plugin or at least rules that catch fake
>>>>> URLs?
>
>> On 3/21/11 12:37 PM, Matus UHLAR - fantomas wrote:
>>> I mean URLs pointing to different address than they appear, like:
>>>
>>> <a href="phishing.site/fake/webmail">http://webmail.example.com/</a>
>
> On 21.03.11 12:41, Michael Scheidell wrote:
>> CLAMAV.
>
> I use clamav, it somehow doesn't catch them all.
>
> as I have already said, many banks send URL's that do not match, so this is
> not possible to implement generally (Yes, I know it sucks).

I use http://www.mailscanner.info - it highlights links where the URL  
doesn't match the text (among lots of other useful things!).

HTH

Anthony
-- 
www.fonant.com - Quality web sites

Re: fake URL's in mail

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>> On 2011/03/21 12:18 PM, Matus UHLAR - fantomas wrote:
>>>> Does anyone successfully use plugin or at least rules that catch fake
>>>> URLs?

> On 3/21/11 12:37 PM, Matus UHLAR - fantomas wrote:
>> I mean URLs pointing to different address than they appear, like:
>>
>> <a href="phishing.site/fake/webmail">http://webmail.example.com/</a>

On 21.03.11 12:41, Michael Scheidell wrote:
> CLAMAV.

I use clamav, it somehow doesn't catch them all.

as I have already said, many banks send URL's that do not match, so this is
not possible to implement generally (Yes, I know it sucks).

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

Re: fake URL's in mail

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/21/11 12:37 PM, Matus UHLAR - fantomas wrote:
> On 21.03.11 12:27, Jason Bertoch wrote:
>> On 2011/03/21 12:18 PM, Matus UHLAR - fantomas wrote:
>>> Does anyone successfully use plugin or at least rules that catch fake URLs?
>> Fake URLs?  Do you mean URL obfuscators/redirectors like bit . ly and
>> tiny url . com?
> Ah, no.
>
> I mean URLs pointing to different address than they appear, like:
>
> <a href="phishing.site/fake/webmail">http://webmail.example.com/</a>
>
CLAMAV.



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300

Re: fake URL's in mail

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 21.03.11 12:27, Jason Bertoch wrote:
> On 2011/03/21 12:18 PM, Matus UHLAR - fantomas wrote:
>> Does anyone successfully use plugin or at least rules that catch fake URLs?
>
> Fake URLs?  Do you mean URL obfuscators/redirectors like bit . ly and  
> tiny url . com?

Ah, no.

I mean URLs pointing to different address than they appear, like:

<a href="phishing.site/fake/webmail">http://webmail.example.com/</a>

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

Re: fake URL's in mail

Posted by Jason Bertoch <ja...@i6ix.com>.
On 2011/03/21 12:18 PM, Matus UHLAR - fantomas wrote:
> Does anyone successfully use plugin or at least rules that catch fake URLs?

Fake URLs?  Do you mean URL obfuscators/redirectors like bit . ly and 
tiny url . com?  If so, I've had considerable success with Steve 
Freegard's DecodeShortURLs plugin.  With a couple of manual additions 
to the extensive list included, it's been nice to see them hit URIBL.

http://mail-archives.apache.org/mod_mbox/spamassassin-users/201009.mbox/browser


-- 
/Jason