Posted to users@spamassassin.apache.org by Albert Whale <ae...@ABS-CompTech.com> on 2004/07/19 05:04:15 UTC

Catching more phishers

I could use a little assistance in tracking more phisher Spam.  Here's a
sample from one from Korea, with all of the rulesets available, none
capture this type of spam.  The spam redirects the user to a web page
different than the one displayed in the email.   I would think that this
is a simple rule to implement.

<a target="_blank"
href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">
http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>

Any suggestions?

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM ZapperTM - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard

Re: Catching more phishers - Not Really a SURBL Case

Posted by Jesse Houwing <j....@rulesemporium.com>.
-----Original Message-----
From: Albert Whale <ae...@ABS-CompTech.com>
To: Matt Kettler <mk...@evi-inc.com>, 
spamassassin-users@incubator.apache.org
Date: Mon, 19 Jul 2004 22:01:39 -0400
Subject: Re: Catching more phishers - Not Really a SURBL Case

> Matt Kettler wrote:
> >
> > Well YOUR message didn't trigger the minimum, but who knows what the 
> > spam would have scored.
> 
> Actually the Spam message looks a great deal like the Real McCoy.  To 
> the untrained eye, it is a Phisher used to Capture Account information.
> 
> >
> > Remember, a nonspam message quoting spam is not the same thing as a 
> > spam itself. The headers are different, and the changes to the body 
> > text both drop the bayes score considerably.
> >
> >
> OK so the message didn't trigger as SPAM.  I need to figure out how to 
> detect the Phisher, and ALWAYS trigger the SPAM sensor.
> 
> Perhaps it's not the SURBL Test.  But as in the following example, the 
> first half of this http reference is not even close to the displayed 
> URL, thus the nature of the Phisher:
> 
> <a target="_blank"
> href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid="> 
> 
> http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>
> 
> Is this programmable in SPAM Assassin?

I tried a rule that checked for this a while back, but with no luck. There 
are many newsletters that show for example:

http://t-mobile.com as url and actually link to 
http://newsletters.newsmail.com/?738648236483

Also microsoft, devpartner, codeproject and others use this technique. I've 
stopped working on it, but if I can find it somewhere you might want to work 
on it some more.

Jesse
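
The check Albert asks about at the top of the thread (displayed URL vs. actual href) and the newsletter false positives Jesse describes, as an added example that is not code from the thread or from SpamAssassin. It parses the anchors out of an HTML body with the standard library, compares the domain shown in the link text with the domain the href really points at, and treats a hypothetical allow-list of known newsletter redirectors (KNOWN_REDIRECTORS) as the place where Jesse's exceptions would live. The sample HTML is constructed from the anchor quoted in the thread plus a newsletter-style anchor of the kind Jesse mentions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: the phishing anchor quoted in the thread, and a
# newsletter-style anchor (hypothetical tracking URL) of the kind Jesse
# says defeats a naive "text != href" rule.
PHISH_HTML = (
    '<a target="_blank" href="http://211.202.3.208/event_1201/popup.files/'
    '.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">'
    'http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>'
)
NEWSLETTER_HTML = (
    '<a href="http://newsletters.newsmail.com/?738648236483">'
    'http://t-mobile.com</a>'
)

# Hypothetical allow-list of redirector hosts that legitimately differ
# from the displayed URL; a real deployment would build this from
# observed ham, not hard-code it.
KNOWN_REDIRECTORS = {"newsletters.newsmail.com"}

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or None when it has none."""
    return (urlparse(url).hostname or "").lower() or None


def registrable(host):
    """Crude 'last two labels' approximation of the registered domain,
    so www.ebay.com and ebay.com compare equal."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html):
    """Return findings for anchors whose displayed URL names a different
    domain than the href actually targets. Anchors whose text is not a URL
    ("click here") are skipped: there is nothing to compare."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not text.lower().startswith(("http://", "https://")):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown is None or actual is None:
            continue
        if registrable(shown) == registrable(actual):
            continue
        finding = {"href": href, "shown": shown, "actual": actual}
        if actual in KNOWN_REDIRECTORS:
            finding["verdict"] = "allowlisted-redirector"
        elif IPV4_RE.fullmatch(actual):
            # Displayed host is a brand name, real target is a bare IP:
            # the exact shape of the sample in the thread.
            finding["verdict"] = "phish-like-ip-literal"
        else:
            finding["verdict"] = "phish-like"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_HTML), ("newsletter", NEWSLETTER_HTML)):
        print(label, find_mismatched_links(sample))
```

The allow-list is the part that decides whether this is usable as a scoring rule rather than a hard reject: without it, the t-mobile.com newsletter scores the same as the eBay phish, which is exactly the problem Jesse ran into.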

Re: Catching more phishers - Not Really a SURBL Case

Posted by David Hooton <da...@gmail.com>.
On Mon, 19 Jul 2004 21:23:28 -0500 (CDT), David B Funk
<db...@engineering.uiowa.edu> wrote:
> What are the chances that legitimate eBay, CitiBank, PayPal messages
> will contain a URI that uses an IP address rather than proper host names?
> (or contain a link to a ".biz", ".info", etc site)

Good question - I would say incredibly low - it doesn't make for good
scalability if you're emailing it out to lots of customers, nor is it
good branding.

> Just make up a meta rule that says 'if From == (eBay|CitiBank|PayPal)' &&
> ( NORMAL_HTTP_TO_IP || BIZ_TLD ) then PHISH!!

Please share! - sharing is caring :)

FWIW - I manage the phishing SURBL data source, if you or anyone else
has a good feed of these emails I am always interested in the data. 
We're currently adding quite a lot of addresses each week, however I
am certain we're not getting them all!

-- 
Regards,

David Hooton

Re: Catching more phishers - Not Really a SURBL Case

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 19 Jul 2004, Albert Whale wrote:

> OK so the message didn't trigger as SPAM.  I need to figure out how to
> detect the Phisher, and ALWAYS trigger the SPAM sensor.
>
> Perhaps it's not the SURBL Test.  But as in the following example, the
> first half of this http reference is not even close to the displayed
> URL, thus the nature of the Phisher:
>
> <a target="_blank"
> href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">
>
> http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>
>
> Is this programmable in SPAM Assassin?

What are the chances that legitimate eBay, CitiBank, PayPal messages
will contain a URI that uses an IP address rather than proper host names?
(or contain a link to a ".biz", ".info", etc site)

Just make up a meta rule that says 'if From == (eBay|CitiBank|PayPal)' &&
( NORMAL_HTTP_TO_IP || BIZ_TLD ) then PHISH!!

If details are desired, I can share mine.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
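
Dave's meta rule, written out as an added example rather than as SpamAssassin configuration; this is not code from the thread, from Dave, or from the SpamAssassin project. The two component rule names NORMAL_HTTP_TO_IP and BIZ_TLD are the ones named in the thread; FROM_CLAIMS_BRAND is a hypothetical name for the "From == (eBay|CitiBank|PayPal)" half. The three sample messages are constructed (reserved example addresses and a made-up .biz hostname), with the IP-literal href taken from the message quoted in the thread.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages. Headers are hypothetical; the IP-literal
# href is the one quoted in the thread.
SAMPLE_PHISH = """\
From: "eBay Security" <aw-confirm@example.invalid>
To: victim@example.invalid
Subject: Account verification required
Content-Type: text/html

<html><body>Please sign in at
<a href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">
http://scgi.ebay.com/verify_id=ebay</a>
</body></html>
"""

# Constructed: a PayPal lookalike pointing at a made-up .biz host.
SAMPLE_BIZ = """\
From: PayPal <service@example.invalid>
To: victim@example.invalid
Subject: Unusual activity
Content-Type: text/plain

Confirm your details at http://account-check.example-placeholder.biz/login
"""

SAMPLE_LEGIT = """\
From: "eBay" <noreply@ebay.com>
To: buyer@example.invalid
Subject: Your item sold
Content-Type: text/html

<html><body><a href="http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem">View item</a></body></html>
"""

BRANDS = re.compile(r"\b(ebay|citibank|paypal)\b", re.IGNORECASE)
SUSPECT_TLDS = {"biz", "info"}
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def message_text(msg):
    """Concatenate the text/* parts of a parsed message (single or multipart)."""
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    return "".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts
        if p.get_content_maintype() == "text"
    )


def rules_hit(raw):
    """Evaluate the component rules on one raw RFC 822 message and return the
    set of rule names that fired."""
    msg = message_from_string(raw)
    hits = set()
    if BRANDS.search(msg.get("From", "")):
        hits.add("FROM_CLAIMS_BRAND")          # hypothetical rule name
    for uri in URI_RE.findall(message_text(msg)):
        host = (urlparse(uri).hostname or "").lower()
        if IPV4_RE.match(host):
            hits.add("NORMAL_HTTP_TO_IP")      # http://<ip-literal>/...
        elif host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            hits.add("BIZ_TLD")                # .biz / .info target
    return hits


def is_phish(raw):
    """Dave's meta rule: the From claims a brand AND at least one link goes
    to an IP literal or a suspect TLD."""
    hits = rules_hit(raw)
    return "FROM_CLAIMS_BRAND" in hits and bool(hits & {"NORMAL_HTTP_TO_IP", "BIZ_TLD"})


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("biz", SAMPLE_BIZ), ("legit", SAMPLE_LEGIT)):
        print(label, sorted(rules_hit(sample)), is_phish(sample))
```

The AND is what keeps the false-positive rate down: a bare IP link or a .biz link on its own is common in ham, and a From line mentioning eBay on its own is exactly what eBay's real mail looks like; only the combination is the signal Dave and David Hooton are describing.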

Re: Catching more phishers - Not Really a SURBL Case

Posted by Jeff Chan <je...@surbl.org>.
Phishing detection is probably best done by hand.  There is a
hand-checked phishing list included in multi.surbl.org:

  http://www.surbl.org/lists.html#ph

> ph - Phishing data source

> Phishing data is kindly provided by MailSecurity. Since the
> phishing list is relatively small so far, it is not offered as
> a separate list, instead finding a home in the combined list
> multi.surbl.org. Despite that, it should be quite valuable to
> include in URI checking, so we're grateful for MailSecurity
> making it publicly available as a service to the Internet
> community.

On the other hand any spam that pretends to be from a bank,
paypal, ebay, etc. should automatically be somewhat suspicious....

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Catching more phishers - Not Really a SURBL Case

Posted by David Hooton <da...@gmail.com>.
On Mon, 19 Jul 2004 23:25:40 -0700, Loren Wilton <lw...@earthlink.net> wrote:
> > > Well YOUR message didn't trigger the minimum, but who knows what the
> > > spam would have scored.
> >
> I think you are missing the point here.  You are quoting one line from the
> phish message that happens to be the bogus url.  That is good for a few
> points from SURBL or the like.
> 
> However, the WHOLE MESSAGE, with headers, could quite possibly trigger quite
> a bunch of rules, even if the body text looks virtually correct.  It's been
> my experience that the headers will trip up a phish about 95% of the time,
> without ever looking at the body of the message at all.

Add to this a well trained BAYES DB - we have a corpus of phishing
messages which we regularly train bayes from in order to ensure we
catch as many of the critters as possible.  Bayes is incredibly good @
catching this stuff.

The long and the short of it is that no one rule is ever going to
solve the problem, you need to have multiple angles of attack to
ensure that you are covering all bases, not just the immediately
obvious ones.
-- 
Regards,

David Hooton

Re: Catching more phishers - Not Really a SURBL Case

Posted by Loren Wilton <lw...@earthlink.net>.
> > Well YOUR message didn't trigger the minimum, but who knows what the
> > spam would have scored.
>
> Actually the Spam message looks a great deal like the Real McCoy.  To
> the untrained eye, it is a Phisher used to Capture Account information.
>
> > Remember, a nonspam message quoting spam is not the same thing as a
> > spam itself. The headers are different, and the changes to the body
> > text both drop the bayes score considerably.
> >
> >
> OK so the message didn't trigger as SPAM.  I need to figure out how to
> detect the Phisher, and ALWAYS trigger the SPAM sensor.

I think you are missing the point here.  You are quoting one line from the
phish message that happens to be the bogus url.  That is good for a few
points from SURBL or the like.

However, the WHOLE MESSAGE, with headers, could quite possibly trigger quite
a bunch of rules, even if the body text looks virtually correct.  It's been
my experience that the headers will trip up a phish about 95% of the time,
without ever looking at the body of the message at all.

        Loren


Re: Catching more phishers - Not Really a SURBL Case

Posted by Albert Whale <ae...@ABS-CompTech.com>.

Matt Kettler wrote:

>
> Well YOUR message didn't trigger the minimum, but who knows what the 
> spam would have scored.

Actually the Spam message looks a great deal like the Real McCoy.  To 
the untrained eye, it is a Phisher used to Capture Account information.

>
> Remember, a nonspam message quoting spam is not the same thing as a 
> spam itself. The headers are different, and the changes to the body 
> text both drop the bayes score considerably.
>
>
OK so the message didn't trigger as SPAM.  I need to figure out how to 
detect the Phisher, and ALWAYS trigger the SPAM sensor.

Perhaps it's not the SURBL Test.  But as in the following example, the 
first half of this http reference is not even close to the displayed 
URL, thus the nature of the Phisher:

<a target="_blank"
href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid="> 

http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>

Is this programmable in SPAM Assassin?

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM ZapperTM - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard



Re: Catching more phishers

Posted by Matt Kettler <mk...@evi-inc.com>.
At 07:46 AM 7/19/2004, Albert Whale wrote:
> >> X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.772, 
> >> required 5,
> >>         BAYES_20 -1.43, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10,
> >>         WS_URI_RBL 3.00)
> >
> This is just what I suspected, it was detected, but not sufficiently 
> enough to trigger the minimum.  This is more important than the present 
> scoring.

Well YOUR message didn't trigger the minimum, but who knows what the spam 
would have scored.

Remember, a nonspam message quoting spam is not the same thing as a spam 
itself. The headers are different, and the changes to the body text both 
drop the bayes score considerably.



Re: Catching more phishers

Posted by Albert Whale <ae...@ABS-CompTech.com>.

Matt Kettler wrote:

>
>> X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.772, 
>> required 5,
>>         BAYES_20 -1.43, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10,
>>         WS_URI_RBL 3.00)
>
This is just what I suspected, it was detected, but not sufficiently 
enough to trigger the minimum.  This is more important than the present 
scoring.

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM ZapperTM - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard



Re: Catching more phishers

Posted by Matt Kettler <mk...@evi-inc.com>.
At 11:04 PM 7/18/2004, Albert Whale wrote:
> I could use a little assistance in tracking more phisher Spam.  Here's a
> sample from one from Korea, with all of the rulesets available, none
> capture this type of spam.  The spam redirects the user to a web page
> different than the one displayed in the email.   I would think that this
> is a simple rule to implement.

It hit SURBL here:

>X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.772, required 5,
>         BAYES_20 -1.43, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10,
>         WS_URI_RBL 3.00)




Re: Catching more phishers

Posted by Lucas Albers <ad...@cs.montana.edu>.
Albert Whale said:
> I could use a little assistance in tracking more phisher Spam.  Here's a
> sample from one from Korea, with all of the rulesets available, none
> capture this type of spam.  The spam redirects the user to a web page
> different than the one displayed in the email.   I would think that this
> is a simple rule to implement.
>
Look for SARE for rules on this.
The rules are:
If the mail is sent from an ebay account and is not relayed through an
ebay mail server, reject it as a phish attempt.
-- 
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
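
Luke's relay rule ("sent from an eBay account but not relayed through an eBay mail server"), as an added example that is not code from the thread, from SARE, or from SpamAssassin. It reads the topmost Received header, which is assumed to be the one your own MTA added and is therefore the only hop whose contents you can trust, and compares the reverse DNS your MTA recorded for the connecting host against a hypothetical per-brand list of mail domains (BRAND_MAIL_DOMAINS). The HELO name in that header is deliberately ignored, because the sender chooses it. All sample messages are constructed, with reserved documentation addresses and hypothetical hostnames.

```python
import re
from email import message_from_string

# Hypothetical brand -> legitimate sending-domain table. A real deployment
# would maintain this from observed ham; these entries are placeholders.
BRAND_MAIL_DOMAINS = {
    "ebay": ("ebay.com",),
    "paypal": ("paypal.com",),
    "citibank": ("citibank.com", "citi.com"),
}
BRAND_RE = re.compile(r"\b(ebay|paypal|citibank)\b", re.IGNORECASE)

# Matches the common "from HELO (RDNS [IP])" shape of a Received line.
RECEIVED_FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

# Constructed: the sender said HELO as an eBay host, but our MTA's reverse
# lookup of 203.0.113.7 (a documentation address) shows something else.
PHISH_MSG = """\
Received: from mail.ebay.com (c-203-0-113-7.example.invalid [203.0.113.7])
        by mx.example.invalid (Postfix) with ESMTP id PLACEHOLDER
        for <victim@example.invalid>; Mon, 19 Jul 2004 05:04:15 +0000
From: "eBay" <aw-confirm@example.invalid>
Subject: Please verify your account

body omitted
"""

# Constructed: reverse DNS of the connecting host is inside ebay.com
# (hypothetical hostname, documentation address).
LEGIT_MSG = """\
Received: from mx1.ebay.com (mx1.ebay.com [192.0.2.10])
        by mx.example.invalid (Postfix) with ESMTP id PLACEHOLDER
        for <buyer@example.invalid>; Mon, 19 Jul 2004 05:10:00 +0000
From: eBay <noreply@ebay.com>
Subject: Your item sold

body omitted
"""

# Constructed: no brand claimed at all, so the rule does not apply.
OTHER_MSG = """\
Received: from smtp.example.invalid (smtp.example.invalid [192.0.2.20])
        by mx.example.invalid (Postfix) with ESMTP id PLACEHOLDER
From: someone@example.invalid
Subject: lunch?

body omitted
"""


def first_hop(raw):
    """Parse the topmost Received header (the one our MTA wrote, by assumption)
    into helo / rdns / ip, or None if it is absent or in an unexpected form."""
    rcvd = message_from_string(raw).get("Received")
    if not rcvd:
        return None
    m = RECEIVED_FROM_RE.search(rcvd)
    return m.groupdict() if m else None


def claimed_brand(raw):
    """Brand named in the From header, lower-cased, or None."""
    m = BRAND_RE.search(message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else None


def in_domains(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def relay_check(raw):
    """'phish' if the From claims a brand but the connecting host's reverse DNS
    is outside that brand's mail domains; 'ok' if inside; 'no-brand' if no
    brand is claimed; 'unknown' if the Received line cannot be parsed."""
    brand = claimed_brand(raw)
    if brand is None:
        return "no-brand"
    hop = first_hop(raw)
    if hop is None:
        return "unknown"
    # Only rdns is checked: the HELO string is attacker-supplied.
    return "ok" if in_domains(hop["rdns"], BRAND_MAIL_DOMAINS[brand]) else "phish"


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_MSG), ("legit", LEGIT_MSG), ("other", OTHER_MSG)):
        print(label, first_hop(sample), relay_check(sample))
```

The sample phish passes a naive HELO check and fails the reverse-DNS check, which is the distinction that matters: everything below your own MTA's Received line, including earlier Received headers, can be written by the sender.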