Posted to users@spamassassin.apache.org by Hamad Ali <cr...@hotmail.com> on 2011/03/17 20:10:14 UTC

SA and Spear Phishing

Alright guys, let's forget about me doing masschecks (I didn't know the limitations, as I haven't seen the trust thingy policy anywhere else: http://wiki.apache.org/spamassassin/NightlyMassCheck). This is a totally new mail, let's hope we all stick to the topic.
So this is a summary from the previous mail, which had interesting stuff:
 - John Hardin said: Phishing is his next project, and that even a well-trained naive Bayes filter might not detect it.
Let's be in touch on this matter then. Any progress or collaboration is highly welcome on my side.

- Warren Togami Jr. suggested: pyzor, Razor and DCC.
Thank you, I have looked into it and, as you said, they can help against phishing attacks. However, this seems to exclude spear phishing attacks. Do you get any spear phishing?

- Michael Scheidell said: "Ditto.  I was about to tell him how to stop spear phishing"; it seems that because I'm not eligible for participation in nightly masschecks, Michael decided not to tell me how to stop spear phishing.
I think lack of eligibility for participation in masschecks shouldn't influence other problems -- they are two different things. Mind sharing your tricks?

-- H


Trust inside a Community (was: Re: SA and Spear Phishing)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2011-03-19 at 00:46 +0400, Hamad Ali wrote:
> > Oh, well, the freemail address again is mostly unrelated to discussions
> > on this list -- though yeah, while hiding behind that address is not a
> > show-stopper, using your real address (especially if you provide mail
> > services) might help gain some credibility.
> 
> I think this is fair enough. Although I can't do masschecks, it's
> reasonable and I would like SA to maintain its quality work. I'm
> sending this reply as text/plain (for compliance with old school
> manners),

/me happy :)

> and dropped my interest in doing nightly masschecks due to the lack of trust
> my free mail can give.

Well, this is not actually about using a freemailer address. That on its
own would be acceptable.

The point is, that you (so far) are a complete stranger, unknown to the
devs, community or anyone for that matter, with no previous track record
or any kind of history as far as this project is concerned. Let's face
it, the trust you can expect from us is "not a blackhat", which pretty
much equals getting help from the community at all.

Frankly, I was quite surprised to see that "stock SA doesn't catch a
particular type of my client's mail, so you should grant this stranger
mass-check privileges" statement. The scores are pretty much at the
heart of SA, and this privilege is about the highest you can be granted.

This is not about you personally, neither about your email address. This
is about earned and justifiable trust inside a community, affecting
*millions* of users world-wide.


> However, when it comes to my online activities, I'm a coward who wants
> to hide his identity.

Fair enough.

> ## back on topic ##

Yes, please.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: SA and Spear Phishing

Posted by Jeff Mincy <je...@delphioutpost.com>.
   From: Hamad Ali <cr...@hotmail.com>
   Date: Sat, 19 Mar 2011 00:46:08 +0400
   
   ## back on topic ##
   Anyway, I would highly appreciate any help on spear phishing. A solution, a guess, or just if you know whether you get spear phish at all is good information for me (I started to think that 99% of mail admins never know that they get spear phish because of the extremely high success rate of spear phish).
   PS: Spear Phishing is a problem that I noticed many commercial appliances struggle at. This thread is not meant to promote or demote SA, but to address a cutting-edge problem that many software classifiers fail to address.
--H

Either I haven't gotten any spear phishing spam, or the spear phishing
spam is being blocked by SpamAssassin.  I'll assume the latter.

If there's some particular type of email that you're having trouble with
the easiest way to get help is to post a complete sample including all
the headers using some pastebin and send the link and the x-spam-status
line that you get on your SpamAssassin to the group.

Otherwise, all you're going to get is vague platitudes like train bayes.

-jeff

RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.
> Subject: Re: SA and Spear Phishing
> From: guenther@rudersport.de
> To: users@spamassassin.apache.org
> Date: Thu, 17 Mar 2011 21:38:19 +0100
>
> Oh, well, the freemail address again is mostly unrelated to discussions
> on this list -- though yeah, while hiding behind that address is not a
> show-stopper, using your real address (especially if you provide mail
> services) might help gain some credibility.
>

I think this is fair enough. Although I can't do masschecks, it's reasonable and I would like SA to maintain its quality work.
I'm sending this reply as text/plain (for compliance with old school manners), and dropped my interest in doing nightly masschecks due to the lack of trust my free mail can give.
However, when it comes to my online activities, I'm a coward who wants to hide his identity.  Yep, you heard it, a coward. It's just me, which is why I prefer not to disclose my employer or my full name.
Obviously, we got a lot of heroes here, and I think having a coward in the collection would be a unique addition that will, somehow, contribute to reducing boredom on the list :D
I think it's also related to cultural backgrounds and how much freedom is given to an individual, which varies from country to country, and from one employer to another. It seems I'm restricted in this regard; I hope folks here understand.
From the bright side, I might be plain dumb honest, which some of you might consider good behavior, regardless of my freemail interface. But this is all off-topic IMO.

## back on topic ##
Anyway, I would highly appreciate any help on spear phishing. A solution, a guess, or just if you know whether you get spear phish at all is good information for me (I started to think that 99% of mail admins never know that they get spear phish because of the extremely high success rate of spear phish).
PS: Spear Phishing is a problem that I noticed many commercial appliances struggle at. This thread is not meant to promote or demote SA, but to address a cutting-edge problem that many software classifiers fail to address.

--H

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2011-03-17 at 15:58 -0400, Darxus@chaosreigns.com wrote:
> On 03/17, Hamad Ali wrote:

> >    - Michael Scheidell said: "Ditto.  I was about to tell him how to stop
> >    spear phishing"; it seems because I'm not eligible for participation in
> >    nightly masschecks, Michael decided to not tell me how to stop spear
> >    phishing.
> 
> No.  Michael doesn't want to help you and Karsten doesn't want you to
> participate in mass-checks because of your behavior on this list.

*nod*  These are unrelated, just coincidentally got discussed in the
same sub-thread.


> Some pretty specific requests have been made of you.  I recommend:
> 
> 1) Stop posting from a hotmail address, and start posting from an address
>    in the primary domain associated with the email hosting service you're
>    working on.  That's what Karsten meant when he mentioned your
>    "freemail address".  Yes, it affects how much we trust you.

Oh, well, the freemail address again is mostly unrelated to discussions
on this list -- though yeah, while hiding behind that address is not a
show-stopper, using your real address (especially if you provide mail
services) might help gain some credibility.




Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-18 at 15:39 -0700, jdow wrote:
> > You replied to a previous thread by creating a new thread.  And that's
> > pissing people off.
> 
> Some may figure a person too dumb to use "reply" rather than creating
> a new email is too hopeless to try to work with. Is he worth the energy
> to try to deal with him?

Basically, in some way I'd agree, especially since one generally should
be able to expect quite some knowledge about mail in this group --
though I usually prefer to educate people, rather than plain ignore and
shrug off. Been there, done that, many times.

And BTW, this one is a rather special artifact, caused by the previous
incident of the exact opposite [1], the reactions it triggered, and an
attempt to play nice.


Anyway, even though I started it -- I for one would welcome to finally
drop this part of the off-topic discussion.

Never attribute to malice, that which can be adequately explained by
stupidity. Never attribute to stupidity, that which can be adequately
explained by an accident, or an attempt to correct previous behavior. ;)


> (The best protection against spear phishing is a suspicious mind
> operated by well trained employees.  [...]

Aye.


[1] Which, though, he explained how it happened to end up as a reply in
    disguise, by accident. While he still should have created a new
    message and copy the parts he intended to keep, this still leaves
    room for the interpretation of not doing it out of ignorance.



RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.


----------------------------------------
> Date: Fri, 18 Mar 2011 20:42:25 -0700
> From: jdow@earthlink.net
> To: users@spamassassin.apache.org
> Subject: Re: SA and Spear Phishing
>
> Now, I bet SpamAssassin could be run "twice", one with the standard setup
> and the second one with extremely trimmed down rules plus a batch of
> your own rules. If the first one hits the spam gets at least the normal
> spam handling. If the second one hits you frame the email with HTML
> arranged to put that kind of a full screen warning on display PLUS
> wrapping the message itself in a bright red border. The latter would
> be in case of javascript being turned off.
>
> Of course, a second spamassassin may be overkill. The alternative means
> learning other scripted tools like procmail or whatever you use in its
> place. And it may mean writing up a small perl filter to search for the
> evil words or phrases and build the warning around the message.
>
> This might even be a worthwhile tool for other people. If so, take this
> drop of silliness and run with it. It feels like there is some good in
> the idea.
>

Yeah, makes sense that bag of words can fight against a subset of spear phish.

I guess it all comes down to lack of proper evaluation, which makes this subject merely "unknown", rather than anything else.

When it comes to software, it is easier to predict its performance (even without running proper evaluations). But when it comes to humans, it's far more difficult to predict their behavior.

I think that "maybe" we find it easier to throw it on humans, and it turns out to work better, not because it is evaluated to be better, but because it is harder to disprove due to the complex nature of human abilities.


> Meanwhile your IP address lives in the headers so the direct path reveals
> more than maybe somebody wanting anonymity might desire. {o.o}
>
> Hamad, this is a group in which you can benefit strongly from candor,
> honesty, and openness. The more information the excellent minds here
> receive the better the help you can receive. (Trust me, that plays hob
> with my paranoia, too.)
>
> {^_^}

I know that.. not that coward (yet). heh.

Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
On 2011/03/18 18:33, Hamad Ali wrote:
>
> ----------------------------------------
>> Subject: Re: SA and Spear Phishing
>> From: guenther@rudersport.de
>> To: users@spamassassin.apache.org
>> Date: Sat, 19 Mar 2011 02:02:35 +0100
>> (a) Never hand out your password. Less so in mail. No administrator ever
>> will ask for the user's password.
>> The same applies to any sensitive, personal information. Before
>> handing it out, make sure this is legitimate [1], and you're not
>> using an insecure medium (which mail is).
>>
>> (b) Be conscious about where to send any information. Account details
>> never should be sent off-site.
>>
>> The basic rules against spear phishing, or actually any phishing.
>>
>> Even if (b) doesn't hold due to a cracked account, (a) still does.
>
> I highly regard your input.
>
> I think we have been always yelling that our users are stupid and blah, and the reality still shows that users (which we hope to be educated) are still the weakest element in the security chain. Some people still focus on user training programmes (such as the a) and b) points you have listed). However, a number of other people focus on enhancing the software to build better solutions for the dear stupid clients.
>
> As an engineer, I would make my life with less work if I simply blamed the end user for his stupidity (which makes sense from some perspective). However, from the perspective of safety, we know that there are traps and problems that will happen and things will go unplanned, which is why we need to take some actions in advance, similar reasons why we have firefighting systems to solve human mistakes should they make fire accidentally. Or my motherboard shutting down my laptop should it heat way beyond the limits, just in case I wasn't educated enough to take correct actions to fix the fans, heat sink, paste, etc.
>
> In my view, if we look at engineers, I see contradicting opinions (some are pro-human training, some are pro-software enhancing). But, if we look at the reality, we will see that we are adapting to how the vast majority of humans are deciding to interact with technology. Example? look at Firefox v2, or IE v6, they all replaced their little pop-up warnings for invalid X.509 certs for HTTPS with another alternative approach: the new alternative approach is blocking the WHOLE user interface, with a BIG SCARY RED background, with only a little button to bypass the security warning. Why? users didn't bother reading the warnings *shrug*, we told them to read and it didn't work, so we thought let's make it more obvious.
>
> The reality in my view is that we are enhancing the user interface for the dear fellow stupids -- thanks to them (e.g. my CEO), I get my pay checks (at least mine are paid by them)!
>
> Now, do you think that the reality is also moving toward enhancing the knowledge of users? I personally haven't seen anything serious in user-awareness programmes. Most companies ignore it, while it's almost semi-impossible to see a mail server without a software anti-bad_stuff filter as a front-end.
>
> What I have observed is improvements on the software side, but haven't seen improvements on human-training side; did you observe such thing? and were they evaluated?

I believe you have implicitly answered your question here and, no, mere
SpamAssassin is not an adequate solution.

Now, I bet SpamAssassin could be run "twice", one with the standard setup
and the second one with extremely trimmed down rules plus a batch of
your own rules. If the first one hits the spam gets at least the normal
spam handling. If the second one hits you frame the email with HTML
arranged to put that kind of a full screen warning on display PLUS
wrapping the message itself in a bright red border. The latter would
be in case of javascript being turned off.

Of course, a second spamassassin may be overkill. The alternative means
learning other scripted tools like procmail or whatever you use in its
place. And it may mean writing up a small perl filter to search for the
evil words or phrases and build the warning around the message.

This might even be a worthwhile tool for other people. If so, take this
drop of silliness and run with it. It feels like there is some good in
the idea.

> There is a survey [1] with hand-made spear-like phish mail (which is
> not real spear from the real internet, but rather tailored by the
> authors), and it showed that user training has a TP rate of 74%, with
> FP being no less than ~26%, and in some cases +50%.

Most people are not paranoid enough. I'm paranoid enough to figure that
I am not paranoid enough. (If that makes sense to you, worry. {^_-})

> ps: I'm using hotmail's web interface to send my stuff, it says it's
> text/plain, and things look compatible with old-school inet manners.
> lemme know if my mails are still awkward, so that I'll use another
> freemail (too afraid to show my personally identifiable information
> -- PII).

Meanwhile your IP address lives in the headers so the direct path reveals
more than maybe somebody wanting anonymity might desire. {o.o}

Hamad, this is a group in which you can benefit strongly from candor,
honesty, and openness. The more information the excellent minds here
receive the better the help you can receive. (Trust me, that plays hob
with my paranoia, too.)

{^_^}
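
The second-pass filter jdow sketches above (a trimmed rule set plus a small script that rewrites the Subject and frames the body in a warning), written out as an added example. This is my code, not jdow's and not the SpamAssassin project's, and it is Python rather than the Perl he mentions so that it runs stand-alone; the phrase list, weights, threshold, warning text and the two sample messages are all assumptions constructed for the demo.

```python
"""Second-pass credential-phishing tagger, in the spirit of jdow's "run it
twice" idea: the normal spam filter has already run; this pass only looks for
the phrasing of a credential request and, on a hit, rewrites the Subject and
puts a loud warning in front of every text body part.

Added example, not code from the SpamAssassin project or from this thread.
Phrase list, weights and threshold are illustrative assumptions, not tuned
rules, and the two sample messages at the bottom are constructed.
"""
import re
from email import policy
from email.parser import Parser

# Weighted phrases credential phishing tends to carry (assumed list; tune on
# your own samples). Matched case-insensitively against Subject and bodies,
# with runs of whitespace collapsed so line wrapping does not hide a phrase.
PHRASES = {
    r"\b(reply|respond) with your (password|credentials)\b": 3.0,
    r"\b(verify|confirm) your (account|password|identity|login)\b": 2.0,
    r"\baccount will be (suspended|closed|deactivated)\b": 1.5,
    r"\bwithin (24|48) hours\b": 1.0,
    r"\bhelp ?desk\b": 0.5,
}
THRESHOLD = 3.0  # assumed; one strong phrase, or several weak ones, trips it

WARNING = (
    "*** WARNING: this message asks for account details.\n"
    "*** No administrator will ever ask for your password by mail.\n"
    "*** Do not reply with credentials; report this to the helpdesk instead.\n"
)

def score_text(text):
    """Return (score, matched patterns) for one block of text."""
    lowered = " ".join(text.split()).lower()
    hits = [p for p in PHRASES if re.search(p, lowered)]
    return sum(PHRASES[p] for p in hits), hits

def score_message(msg):
    """Score the Subject plus every text/plain and text/html part."""
    texts = [str(msg.get("Subject", ""))]
    texts += [p.get_content() for p in msg.walk()
              if p.get_content_type() in ("text/plain", "text/html")]
    total, hits = 0.0, set()
    for t in texts:
        s, h = score_text(t)
        total += s
        hits.update(h)
    return total, sorted(hits)

def tag_message(msg):
    """Rewrite Subject and prepend the warning to each text part when the
    score reaches THRESHOLD. Returns True when the message was tagged."""
    score, _ = score_message(msg)
    if score < THRESHOLD:
        return False
    subject = "[PHISH?] " + str(msg.get("Subject", ""))
    if "Subject" in msg:
        msg.replace_header("Subject", subject)
    else:
        msg["Subject"] = subject
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(WARNING + "\n" + part.get_content())
        elif ctype == "text/html":
            # Red border plus the text banner, so the warning survives without JavaScript.
            banner = ("<p style=\"color:red;font-weight:bold\">"
                      + WARNING.replace("\n", "<br>") + "</p>")
            part.set_content("<div style=\"border:6px solid red;padding:8px\">"
                             + banner + part.get_content() + "</div>", subtype="html")
    return True

def parse(raw):
    """Parse a raw RFC 822 string into an EmailMessage (policy.default)."""
    return Parser(policy=policy.default).parsestr(raw)

# Constructed samples (not real mail).
PHISH_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example.net>
To: alice@example.com
Subject: Mailbox quota exceeded
Content-Type: text/plain; charset="us-ascii"

Dear Alice,

Your mailbox has exceeded its quota. To keep it active, reply with your
password and user name within 24 hours, otherwise your account will be
suspended.

IT Helpdesk
"""

BENIGN_SAMPLE = """\
From: bob@example.com
To: alice@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Hi Alice, are you free for lunch on Friday? Bob
"""

if __name__ == "__main__":
    for raw in (PHISH_SAMPLE, BENIGN_SAMPLE):
        m = parse(raw)
        print(score_message(m), tag_message(m), m["Subject"])
```

Feed it the message after the normal SpamAssassin pass (from procmail, a milter, or whatever sits in the delivery path); a real rule set is far larger than five phrases, and with bare-word matching the false positive rate is the thing to measure on your own traffic before turning on body rewriting.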

Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
On 2011/03/18 21:16, Karsten Bräckelmann wrote:
> On Fri, 2011-03-18 at 20:58 -0700, jdow wrote:
>> Other obvious information to be filtered would include SSNs. For
>> privacy reasons filter for numbers that look like SSNs, reflect to
>> user with a were you sure wrapper, and if the user responds yes send
>> it out in the original format.
>
> The SSN trick already has been included in ClamAV, I believe. And no, it
> doesn't cover internationalization.

Um, ClamAV does not provide the full picture of what I mentioned. I
am speaking of an outgoing filter to catch "illegal" information leaving
the facility. And I envisioned a trip through the user. "Reply to this
with no further editing to forward the original mail onwards."

Reinvolving the meatware solution "may" help keep data from spreading
improperly. And the filter solution would need more than a specific
format for 9 digits to trigger it. I am sure each company can find sets
of words for filtering. (Unfortunately that set may be different for
each user in many settings.)

{^_^}

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-18 at 20:58 -0700, jdow wrote:
> On 2011/03/18 19:08, Karsten Bräckelmann wrote:
> > Or, tell your users to *never* write down their password or any other
> > account details in mail -- by policy, violation warrants getting fired
> > next day.
> 
> Bingo, you've hit on an outgoing anti-phish filter trick. Filter

Unfortunately, no. That's not original work, someone else stated it
years ago.

> all email sent from any account on the system for, at the very
> least, the passwords to several critical accounts. (Run the words
> through the password hash and look for matches to root, admin group
> members, CEO, etc and specifically the sender's account.) Reflect
> messages containing a match to CEO, root, CIO, and the user with
> big nasty red words up front about sending passwords.
> 
> It's not foolproof. It will eat machine time in retail bulk lots.
> And it might drive a message home.

Hah! Yeah, I thought about that, though hashing any possible word in
mails (which might include spaces, thus needs to cover multi-words, too)
really would require quite a rack of beefy hardware.

> Other obvious information to be filtered would include SSNs. For
> privacy reasons filter for numbers that look like SSNs, reflect to
> user with a were you sure wrapper, and if the user responds yes send
> it out in the original format.

The SSN trick already has been included in ClamAV, I believe. And no, it
doesn't cover internationalization.




Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
On 2011/03/18 19:08, Karsten Bräckelmann wrote:
> On Sat, 2011-03-19 at 05:33 +0400, Hamad Ali wrote:
>> In my view, if we look at engineers, I see contradicting opinions (some
>> are pro-human training, some are pro-software enhancing). But, if we
>> look at the reality, we will see that we are adapting to how the vast
>> majority of humans are deciding to interact with technology. Example?
>> look at Firefox v2, or IE v6, they all replaced their little pop-up
>> warnings for invalid X.509 certs for HTTPS with another alternative
>> approach: the new alternative approach is blocking the WHOLE user
>> interface, with a BIG SCARY RED background, with only a little button to
>> bypass the security warning. Why? users didn't bother reading the
>> warnings *shrug*, we told them to read and it didn't work, so we
>> thought let's make it more obvious.
>
> Ah, good old "go away bloody dialog" user interaction.
>
> You wanna big fucking red sign for phishing mail? You can have it, make
> it lightly trigger on bare-word matches, rewriting the Subject or even
> the body just in case.
>
> Or, tell your users to *never* write down their password or any other
> account details in mail -- by policy, violation warrants getting fired
> next day.

Bingo, you've hit on an outgoing anti-phish filter trick. Filter
all email sent from any account on the system for, at the very
least, the passwords to several critical accounts. (Run the words
through the password hash and look for matches to root, admin group
members, CEO, etc and specifically the sender's account.) Reflect
messages containing a match to CEO, root, CIO, and the user with
big nasty red words up front about sending passwords.

It's not foolproof. It will eat machine time in retail bulk lots.
And it might drive a message home.

Other obvious information to be filtered would include SSNs. For
privacy reasons filter for numbers that look like SSNs, reflect to
user with a were you sure wrapper, and if the user responds yes send
it out in the original format.

{^_^}
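
jdow's outgoing filter, together with Karsten's cost objection, as an added example (my code, not jdow's and not the project's). It hashes every word and adjacent word pair of an outbound message against the stored hashes of a few watched accounts, checks for SSN-shaped numbers, and builds the reflect-to-sender banner. The hash scheme (PBKDF2-HMAC-SHA256 with a per-account salt), the tiny iteration count, the account names, passwords and message bodies are all assumptions for the demo; a real filter reads the hashes its authentication backend already keeps and never sees a plaintext password.

```python
"""Outgoing "did you just mail a password?" filter, as jdow sketches it: run
every word (and adjacent word pair) of an outbound message through the
password hash of a few watched accounts, and look for SSN-shaped numbers, so
the mail can be reflected back to the sender with a warning up front.

Added example, not code from the SpamAssassin project or from this thread.
Assumptions: the hash store is PBKDF2-HMAC-SHA256 with a per-account salt
(a real filter reads whatever the authentication backend keeps), the
iteration count is kept tiny for the demo, and the accounts, passwords and
message bodies below are constructed.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 1_000   # demo only; real stores use far more, which multiplies the cost below
PUNCT = ",.;:!?()\"'<>[]"

def hash_password(secret, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)

def make_store(accounts):
    """{account: plaintext} -> {account: (salt, hash)}. Demo helper only."""
    store = {}
    for name, pw in accounts.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(pw, salt))
    return store

def candidate_tokens(text):
    """Words as written, words with surrounding punctuation stripped, and
    adjacent pairs of the stripped words, so a pass phrase with one space is
    covered too (the multi-word case Karsten raises)."""
    words = text.split()
    stripped = [w.strip(PUNCT) for w in words]
    tokens = set(words) | set(stripped)
    tokens.update(" ".join(pair) for pair in zip(stripped, stripped[1:]))
    tokens.discard("")
    return tokens

# Nine digits with optional hyphens; the look-arounds keep it out of longer numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Drop shapes the SSA never issues: area 000, 666 or 900-999, group 00,
    serial 0000. Still only a shape check, not proof that it is an SSN."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0

def scan_outgoing(body, store, watched=None):
    """Return {"leaked_accounts": [...], "ssns": [...], "hash_ops": n}.
    Every token is hashed for every watched account (no early exit), so
    hash_ops shows the bill: tokens x accounts, each a full PBKDF2 run."""
    watched = list(watched) if watched else list(store)
    tokens = candidate_tokens(body)
    leaked, hash_ops = [], 0
    for name in watched:
        salt, stored = store[name]
        hit = False
        for tok in tokens:
            hash_ops += 1
            if hmac.compare_digest(hash_password(tok, salt), stored):
                hit = True
        if hit:
            leaked.append(name)
    ssns = [m.group(0) for m in SSN_RE.finditer(body) if plausible_ssn(*m.groups())]
    return {"leaked_accounts": sorted(leaked), "ssns": ssns, "hash_ops": hash_ops}

def reflect_banner(findings):
    """Text to put in front of the message when it is bounced back to the sender."""
    lines = []
    if findings["leaked_accounts"]:
        lines.append("*** This mail contains the password of: "
                     + ", ".join(findings["leaked_accounts"]))
    if findings["ssns"]:
        lines.append("*** This mail contains what looks like an SSN: "
                     + ", ".join(findings["ssns"]))
    if lines:
        lines.append("*** Reply to this notice without editing to send the original anyway.")
    return "\n".join(lines)

# Constructed data for the demo (no real accounts, secrets or numbers).
SAMPLE_ACCOUNTS = {"root": "Tr0ub4dor&3", "ceo": "correct horse", "alice": "hunter2"}
SAMPLE_OUTGOING = ("Hi Bob, the root password is Tr0ub4dor&3 as you asked. "
                   "My SSN is 123-45-6789 and the ticket is 987654321.")
SAMPLE_OUTGOING_2 = "Per your request, the CEO account passphrase is correct horse. Thanks."

if __name__ == "__main__":
    store = make_store(SAMPLE_ACCOUNTS)
    for body in (SAMPLE_OUTGOING, SAMPLE_OUTGOING_2):
        f = scan_outgoing(body, store)
        print(f, reflect_banner(f), sep="\n")
```

The hash_ops figure is Karsten's point: with N watched accounts a message of T words costs roughly 2NT slow hashes, each at the production iteration count, which is why this wants dedicated hardware and a short watch list (root, the CEO, the sender's own account) rather than every user. The SSN check illustrates jdow's other caveat: a bare nine-digit pattern also matches ticket and order numbers, so the shape filter above drops the ranges the SSA never issues and still leaves the final decision to the human who gets the reflected mail.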

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2011-03-19 at 05:33 +0400, Hamad Ali wrote:
> I think we have been always yelling that our users are stupid and blah,
> and the reality still shows that users (which we hope to be educated)
> are still the weakest element in the security chain. Some people still
> focus on user training programmes (such as a) b) points what you have
> list). However, number of other people focus on enhancing the software
> to build better solutions for the dear stupid clients.

Well, my point basically was to show that one assumption, or statement,
is incorrect. Yes, user education CAN prevent this type of attack.


> As an engineer, I would make my life with less work if I simply blame
> the end user for his stupidity (which makes sense from some
> perspective). However, from the perspective of safety, we know that
> there are traps and problems that will happen and things will go
> unplanned, which is why we need to take some actions in advance,
> similar reasons why we have fire fighting systems to solve human
> mistakes should they make fire accidentally. [...]

This is a retro-active scenario, after the fact. Not preventing it from
happening, but keeping the fallout under control.

An analogy here would be to monitor (and rate-limit) sent mail, should
one account get cracked and abused to phish more accounts on-site.
Talking about spear phishing, sent mail *not* leaving your internal
systems is of special interest to watch.


> In my view, if we look at engineers, I see contradicting opinions (some
> are pro-human training, some are pro-software enhancing). But, if we
> look at the reality, we will see that we are adapting to how the vast
> majority of humans are deciding to interact with technology. Example?
> look at Firefox v2, or IE v6, they all replaced their little pop-up
> warnings for invalid X.509 certs for HTTPS with another alternative
> approach: the new alternative approach is blocking the WHOLE user
> interface, with a BIG SCARY RED background, with only a little button to
> bypass the security warning. Why? users didn't bother reading the
> warnings *shrug*, we told them to read and it didn't work, so we
> thought let's make it more obvious.

Ah, good old "go away bloody dialog" user interaction.

You wanna big fucking red sign for phishing mail? You can have it, make
it lightly trigger on bare-word matches, rewriting the Subject or even
the body just in case.

Or, tell your users to *never* write down their password or any other
account details in mail -- by policy, violation warrants getting fired
next day.


> What I have observed is improvements on the software side, but haven't
> seen improvements on human-training side; did you observe such thing?
> and were they evaluated?

No improvements seen on human training -- did you try? Is it a company
policy?


> ps: I'm using hotmail's web interface to send my stuff, it says it's
> text/plain, and things look compatible with old-school inet manners.
> lemme know if my mails are still awkward, so that I'll use another

It wraps badly. ;)  But yes, it's a proper text/plain message.

> freemail (too afraid to show my personally identifiable information --
> PII).

Your employer would not be happy to see you getting help, discussing and
evaluating methods to secure his company?

That really sounds like there has been any serious user education. Not.




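Karsten's suggestion to monitor and rate-limit sent mail, with internal-to-internal traffic watched most closely, as an added example (my code, not the project's). It keeps a per-sender sliding window of distinct internal recipients and raises an alert, or refuses submission, when one account suddenly mails far more colleagues than usual. The log format, the domains, the window, the limit and the sample log are constructed assumptions, not any real MTA's output.

```python
"""Watch mail that never leaves the company: a cracked account phishing its
colleagues shows up as one sender reaching unusually many internal
recipients in a short window. This is the "monitor (and rate-limit) sent
mail" control Karsten describes, written as a sliding-window check that can
run over delivery logs after the fact or in the submission path as a gate.

Added example, not code from the SpamAssassin project or from this thread.
The log format (ISO timestamp, sender, one recipient per line, in time order)
is a simplified constructed one, not any real MTA's; the window, the limit
and the sample log are assumptions to be tuned on your own traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}   # your own domains (assumption)
WINDOW = timedelta(minutes=10)
LIMIT = 15                           # distinct colleagues one account may mail per window

def parse_line(line):
    ts, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower()

def is_internal(addr):
    return addr.rsplit("@", 1)[-1] in INTERNAL_DOMAINS

class InternalSendGuard:
    """Per-sender sliding window over internal deliveries only; external
    recipients are ignored because this check is about in-house phishing."""

    def __init__(self, window=WINDOW, limit=LIMIT):
        self.window, self.limit = window, limit
        self.recent = defaultdict(deque)   # sender -> deque of (ts, rcpt)

    def observe(self, ts, sender, rcpt):
        """Record one delivery; return the number of distinct internal
        recipients this sender reached within the window (0 for external)."""
        if not is_internal(rcpt):
            return 0
        q = self.recent[sender]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return len({r for _, r in q})

    def allow(self, ts, sender, rcpt):
        """Gate for the submission path: False means hold this message."""
        return self.observe(ts, sender, rcpt) <= self.limit

def detect_internal_bursts(lines, guard=None):
    """Replay log lines; return [(sender, first_alert_ts, distinct_rcpts)],
    one entry per sender, raised the moment the limit is exceeded."""
    guard = guard or InternalSendGuard()
    alerts, flagged = [], set()
    for line in lines:
        ts, sender, rcpt = parse_line(line)
        n = guard.observe(ts, sender, rcpt)
        if n > guard.limit and sender not in flagged:
            flagged.add(sender)
            alerts.append((sender, ts, n))
    return alerts

# Constructed log: bob mails three colleagues over 40 minutes (normal);
# alice's account, now in an attacker's hands, mails 20 colleagues in 20 seconds.
SAMPLE_LOG = [
    "2011-03-18T21:00:00 bob@example.com carol@example.com",
    "2011-03-18T21:20:00 bob@example.com dave@example.com",
    "2011-03-18T21:40:00 bob@example.com erin@example.com",
    "2011-03-18T22:00:00 alice@example.com vendor@example.net",   # external: not counted
] + ["2011-03-18T22:01:%02d alice@example.com user%02d@example.com" % (i, i)
     for i in range(20)]

if __name__ == "__main__":
    for sender, ts, n in detect_internal_bursts(SAMPLE_LOG):
        print("ALERT %s reached %d internal recipients by %s" % (sender, n, ts.isoformat()))
```

Run detect_internal_bursts over a replay of yesterday's submission log to pick the window and limit, then put InternalSendGuard.allow in the submission path to hold the message for review; the time to catch the cracked account is while it is still mailing the first dozen colleagues, before the replies with passwords start coming back.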
RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.
----------------------------------------
> Subject: Re: SA and Spear Phishing
> From: guenther@rudersport.de
> To: users@spamassassin.apache.org
> Date: Sat, 19 Mar 2011 02:02:35 +0100
> (a) Never hand out your password. Less so in mail. No administrator ever
> will ask for the user's password.
> The same applies to any sensitive, personal information. Before
> handing it out, make sure this is legitimate [1], and you're not
> using an insecure medium (which mail is).
>
> (b) Be conscious about where to send any information. Account details
> never should be sent off-site.
>
> The basic rules against spear phishing, or actually any phishing.
>
> Even if (b) doesn't hold due to a cracked account, (a) still does.

I highly regard your input.

I think we have been always yelling that our users are stupid and blah, and the reality still shows that users (which we hope to be educated) are still the weakest element in the security chain. Some people still focus on user training programmes (such as the a) and b) points you have listed). However, a number of other people focus on enhancing the software to build better solutions for the dear stupid clients.

As an engineer, I would make my life with less work if I simply blamed the end user for his stupidity (which makes sense from some perspective). However, from the perspective of safety, we know that there are traps and problems that will happen and things will go unplanned, which is why we need to take some actions in advance, similar reasons why we have firefighting systems to solve human mistakes should they make fire accidentally. Or my motherboard shutting down my laptop should it heat way beyond the limits, just in case I wasn't educated enough to take correct actions to fix the fans, heat sink, paste, etc.

In my view, if we look at engineers, I see contradicting opinions (some are pro-human training, some are pro-software enhancing). But, if we look at the reality, we will see that we are adapting to how the vast majority of humans are deciding to interact with technology. Example? look at Firefox v2, or IE v6, they all replaced their little pop-up warnings for invalid X.509 certs for HTTPS with another alternative approach: the new alternative approach is blocking the WHOLE user interface, with a BIG SCARY RED background, with only a little button to bypass the security warning. Why? users didn't bother reading the warnings *shrug*, we told them to read and it didn't work, so we thought let's make it more obvious.

The reality in my view is that we are enhancing the user interface for the dear fellow stupids -- thanks to them (e.g. my CEO), I get my pay checks (at least mine are paid by them)!

Now, do you think that the reality is also moving toward enhancing the knowledge of users? I personally haven't seen anything serious in user-awareness programmes. Most companies ignore it, while it's almost semi-impossible to see a mail server without a software anti-bad_stuff filter as a front-end.

What I have observed is improvements on the software side, but haven't seen improvements on human-training side; did you observe such thing? and were they evaluated?


> Yes, these are inherently harder to catch by filters. But still, well
> trained and educated users can stop them dead.

There is a survey [1] with hand-made spear-like phish mail (which is not real spear from the real internet, but rather tailored by the authors), and it showed that user training has a TP rate of 74%, with FP being no less than ~26%, and in some cases +50%.


[1] http://lorrie.cranor.org/pubs/pap1162-sheng.pdf

ps: I'm using hotmail's web interface to send my stuff, it says it's text/plain, and things look compatible with old-school inet manners. lemme know if my mails are still awkward, so that I'll use another freemail (too afraid to show my personally identifiable information -- PII).

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2011-03-19 at 04:38 +0400, Hamad Ali wrote:
> > [...]  The human mind can be a better filter against
> > such spam than any result of mass checks.

> One of the challenges behind spear phishing is that there is no single
> performance evaluation against it. And this includes user-training
> programmes too. Why? I suspect that either Spear phish works like
> magic so that users don't even recognize it, or that people do not
> publish it to public domains as it might include personally
> identifiable information.
> 
> So, it is not that software cannot detect spear, it is just that it is
> not documented. The same applies to user/human training approaches.
> None of them are documented or evaluated against "real" spear phish.

(a) Never hand out your password. Less so in mail. No administrator ever
    will ask for the user's password.
    The same applies to any sensitive, personal information. Before
    handing it out, make sure this is legitimate [1], and you're not
    using an insecure medium (which mail is).

(b) Be conscious about where to send any information. Account details
    never should be sent off-site.

The basic rules against spear phishing, or actually any phishing.

Even if (b) doesn't hold due to a cracked account, (a) still does.


Yes, these are inherently harder to catch by filters. But still, well
trained and educated users can stop them dead.


[1] Like a police badge. Or an 8mm gun stuck to your head.



Re: Scanning Mailing-List Posts

Posted by jdow <jd...@earthlink.net>.
On 2011/03/18 21:05, Karsten Bräckelmann wrote:
> On Fri, 2011-03-18 at 20:25 -0700, jdow wrote:
>> Interesting: (I think you have bigger problems than mere spear-phishing.
>
>>>    1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>>                               [64p79p213p206 listed in combined.njabl.org]
>>>    0.8 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
>>>                               [64p79p213p206 listed in dnsbl.sorbs.net]
>
> While that's interesting indeed (and refers to the original sender's IP
> address) -- even though I hate to fork yet another sub-thread...
>
> I strongly advise against scanning list mail. Definitely with lists like
> this one, where discussing spam is the norm, and samples are, though
> frowned upon, to be expected.

Karsten, I assure you I don't. That was the copy he sent to me
straight rather than through SA. I bypass checking at the procmail
level on the setup here for spamassassin groups and a couple other
things.

(I go fairly far back with this stuff. Usually I simply scan for
interesting subjects. I saw this discussion take off and flare so
I stuck my nose in. I'm playing hooky from real work.)

{^_-}

Scanning Mailing-List Posts (was: Re: SA and Spear Phishing)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-18 at 20:25 -0700, jdow wrote:
> Interesting: (I think you have bigger problems than mere spear-phishing.

> >   1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
> >                              [64p79p213p206 listed in combined.njabl.org]
> >   0.8 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
> >                              [64p79p213p206 listed in dnsbl.sorbs.net]

While that's interesting indeed (and refers to the original sender's IP
address) -- even though I hate to fork yet another sub-thread...

I strongly advise against scanning list mail. Definitely with lists like
this one, where discussing spam is the norm, and samples are, though
frowned upon, to be expected.

This list currently is operated on a rather strict subscribe policy.
Posts by non-subscribers will not be allowed through, to  (a) prevent
accidental leaking of an address, even in case of a reply, and  (b) to
ensure the sender actually receives replies.

Spam to this list *sigh* is either filtered out already by a list server
side SA, or manually by the moderators. Believe me, I am one of them...


> >   0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)

Well, at least on the direct copies, I got an SPF_PASS instead.


> I am told I am rather "direct" for a woman. Just color me old, tired,
> and Irish (easily irritated.)

The first I knew, Joanne. ;)  The last one is news to me.

> Directness is easier than complex circumlocution, which I am getting
> too old for. It seems to make as many fans as enemies. {^_-}

I've been told, Germans are commonly attributed to be rather direct,
too. ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
(My reply to the direct copy....)

On 2011/03/18 17:38, Hamad Ali wrote:
Interesting: (I think you have bigger problems than mere spear-phishing.

 > Spam detection software, running on the system "morticia.wizardess.wiz", has
 > identified this incoming email as possible spam.  The original message
 > has been attached to this so you can view it (if it isn't spam) or label
 > similar future email.  If you have any questions, see
 > jdow for details.
 >
 > Content preview:>  Date: Fri, 18 Mar 2011 16:06:15 -0700>  From: 
jdow@earthlink.net
 >     >  To: users@spamassassin.apache.org>  Subject: Re: SA and Spear Phishing
 >    >  And for well targeted spearfishing, he's still stuck because 
nothing>  distinguishes
 >     it from his normal mail flow other than "unknown sender">  or DNS 
check failures.
 >     The human mind can be a better filter against>  such spam than any result
 >     of mass checks. [...]
 >
 > Content analysis details:   (6.2 points, 5.0 required)
(edited)
 >   pts rule name              description
 > ---- ---------------------- 
--------------------------------------------------
 >   1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
 >                              [64p79p213p206 listed in combined.njabl.org]
 >   0.8 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
 >                              [64p79p213p206 listed in dnsbl.sorbs.net]
 >   0.4 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
 >   0.0 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
 >   0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 >
 >

"I highly appreciate your use of open/honest communication. Not to "pretend" 
being the nice boy, nor to defend myself (I'm not offended by that), but 
merely to define what is Spear Phishing to make sure we are on same page: 
Spear phishing is a form of phishing attacks that are tailored for specific 
scenarios/targets based on specific conditions (on top of my head, didn't 
google -- honest o/~). E.g. if an attacker knows my boss's name and email 
address, and that I'm in charge for certain deals, the attacker can do 
better social engineering attacks knowing more information about me."

etc...

A well targeted spear phish is designed to look as much like other
transactions your business and the specific targeted individual might
receive as possible. I do not think I could legitimately ask an email
filter program to guess the intent of each email. You would need to
institute some rules in your company such that requests for specific
information are automatically transferred to a person delegated to work
with law enforcement by the recipient if it gets past the automated
filters. Otherwise you'll find yourself targeted by "The Boss" when an
email is binned rather than fed on to him.

The delegated person should forward the message to the recipient in a
wrapper warning message, keeping the original as "evidence".

Now you have the nifty problem of picking out of messages the requests
for forbidden data. This will entail learning how to write rules as
your organization's needs will almost assuredly not be merely generic.
At some point each sysadmin must do some of his or her own work.

I am told I am rather "direct" for a woman. Just color me old, tired,
and Irish (easily irritated.) Directness is easier than complex
circumlocution, which I am getting too old for. It seems to make as
many fans as enemies. {^_-}

{o_o}

Re: SA and Spear Phishing

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Sat, 19 Mar 2011 05:42:22 +0400
Hamad Ali <cr...@hotmail.com> wrote:

> Can I assume that your solution that detected a portion of the spear
> phish is 100% SA? In case not fully SA, any hints on its mechanics?

It's not fully SA.  We don't use the SA Bayes implementation; we have
our own that considers both individual words and word pairs.  We also
have a shared Bayes database among our customer sites.  We keep a
window of mail over a few weeks and do nightly Bayes database updates;
our database currently contains tokens from about 1.7 million messages
(~800k spam and ~900k ham).

We also use the APER list at http://code.google.com/p/anti-phishing-email-reply/
that I mentioned before.  And finally, we run our own DNSBL lists (described
at http://www.roaringpenguin.com/products/canit-reputation-rbl)

> Any approximate numbers on percentages of detected spear phish vs.
> slipped through ones?

I have no idea.  Our customers don't always report statistics back to us.

Regards,

David.
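
A small illustration of the word-plus-word-pair tokenisation David describes in outline, added here as an example; it is not CanIt's code. The eight training messages, the class and function names and the smoothing are my own assumptions (a real database holds tokens from millions of messages, not eight). The point it shows: when ham and phish share most of their vocabulary, the pair tokens ("verify your", "your password") are what separate them.

```python
"""Added example: naive Bayes over single words AND adjacent word pairs.
Not CanIt's implementation; the training corpus is constructed and the
names are my own."""
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9']+")


def tokenize(text, pairs=True):
    """Lower-case words, optionally followed by each adjacent word pair.

    'verify your password' -> ['verify', 'your', 'password',
                               'verify your', 'your password']
    """
    words = WORD_RE.findall(text.lower())
    toks = list(words)
    if pairs:
        toks += [a + " " + b for a, b in zip(words, words[1:])]
    return toks


class PairBayes:
    """Per-message token presence counts, Laplace-smoothed log-odds scoring."""

    def __init__(self, pairs=True):
        self.pairs = pairs
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def train(self, text, is_spam):
        # count each token once per message, so a token repeated 50 times in
        # one mail does not swamp the database
        toks = set(tokenize(text, self.pairs))
        if is_spam:
            self.spam.update(toks)
            self.nspam += 1
        else:
            self.ham.update(toks)
            self.nham += 1

    def spam_prob(self, text):
        """P(spam) from summed log-odds of every distinct token, uniform prior."""
        log_odds = 0.0
        for tok in set(tokenize(text, self.pairs)):
            p_spam = (self.spam[tok] + 1) / (self.nspam + 2)
            p_ham = (self.ham[tok] + 1) / (self.nham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed corpus: internal IT chatter (ham) shares most of its vocabulary
# with the phish (spam); the word ORDER is what differs.
HAM = [
    "i updated your account on the wiki, the password link is in the ticket",
    "can you verify the ticket before i close your account request",
    "the password policy link is on the wiki, verify it renders",
    "your ticket is closed, the account is active",
]
SPAM = [
    "verify your password now or your account will be closed",
    "your account needs attention, verify your password at the link",
    "account closed: confirm your password to verify your identity",
    "click the link to verify your password and keep the account active",
]


def build(pairs):
    clf = PairBayes(pairs)
    for m in HAM:
        clf.train(m, False)
    for m in SPAM:
        clf.train(m, True)
    return clf


def compare(text):
    """(unigram-only P(spam), unigram+pair P(spam)) for one message."""
    return build(False).spam_prob(text), build(True).spam_prob(text)


if __name__ == "__main__":
    for msg in ("verify your password",
                "can you verify the wiki link for the password policy"):
        print(msg, "->", compare(msg))
```

On this corpus "verify your password" scores about 0.78 with single words only (all three words also occur in ham) and about 0.99 once the two pair tokens, which never occur in ham, are counted.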

RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.


----------------------------------------
> Date: Fri, 18 Mar 2011 21:20:53 -0400
> From: dfs@roaringpenguin.com
> To: users@spamassassin.apache.org
> Subject: Re: SA and Spear Phishing
>
> Spear phishing is inherently hard to detect because it's carefully
> crafted for a small set of victims. We do see it among our customers.
> Sometimes we stop it; sometimes it slips through.

Can I assume that your solution that detected a portion of the spear phish is 100% SA? In case not fully SA, any hints on its mechanics?

Any approximate numbers on percentages of detected spear phish vs. slipped through ones?


> Something that helps a little bit is the Anti-Phishing Email Reply
> project at http://code.google.com/p/anti-phishing-email-reply/ We use
> and contribute to that list, but it's still reactive rather than
> proactive.

This looks promising (news to me). Thank you. Especially since spear phishing "often" attempts to spoof identities of known relatives of their targets.


> We also try to mitigate post-phishing damage by rate-limiting outbound
> mail. If a phisher steals your credentials and uses them to start
> spamming, our software will block your account if it exceeds the
> admin-specified recipient-per-hour limit. (It also notifies the admin.)
>
> While this doesn't prevent phishing, it can reduce the damage in the
> large class of cases in which credentials are stolen to be used for
> spamming. It also quickly alerts admins to compromised accounts.

I have read some rants against Hotmail and Yahoo! mails in this list, that they don't rate-limit their abused addresses, which eventually made them bad Internet citizens.


Thanks and regards for your awesome input!
-- H

Re: SA and Spear Phishing

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
> So when it comes to spear phish, in my view, a big question mark
> arises to indicate that its risk is simply "unknow" to mankind. This
> is unknown in the public domain as far as I know, which is why I
> posted this mail to see if any of you see any spear phish within the
> load of SPAM you detect.

Spear phishing is inherently hard to detect because it's carefully
crafted for a small set of victims.  We do see it among our customers.
Sometimes we stop it; sometimes it slips through.

Something that helps a little bit is the Anti-Phishing Email Reply
project at http://code.google.com/p/anti-phishing-email-reply/ We use
and contribute to that list, but it's still reactive rather than
proactive.

We also try to mitigate post-phishing damage by rate-limiting outbound
mail.  If a phisher steals your credentials and uses them to start
spamming, our software will block your account if it exceeds the
admin-specified recipient-per-hour limit.  (It also notifies the admin.)

While this doesn't prevent phishing, it can reduce the damage in the
large class of cases in which credentials are stolen to be used for
spamming.  It also quickly alerts admins to compromised accounts.

Regards,

David.
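
The outbound recipient-per-hour limit David describes, sketched as an added example. It is my own illustration, not CanIt's code; the submission log is constructed and the limit of 100 recipients per hour is an assumed admin setting. Note that it counts recipients rather than messages, so one mail to 300 addresses trips it just as 300 single mails would.

```python
"""Added example: per-account sliding-window recipient limit for outbound
mail, as damage control for phished credentials. Not CanIt's code; the
submission log and the limit are constructed/assumed."""
from collections import defaultdict, deque

HOUR = 3600


class RecipientRateLimiter:
    """Sliding-window count of recipients per sending account.

    A submission that would push the account over `limit` recipients in the
    last `window` seconds is refused, the account is blocked for all further
    submissions, and an alert record is queued for the admin.
    """

    def __init__(self, limit, window=HOUR):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # account -> deque of (ts, nrcpt)
        self.blocked = set()
        self.alerts = []                   # (account, ts, recipients_attempted)

    def _prune(self, account, now):
        # drop submissions that have fallen out of the window
        q = self.history[account]
        while q and q[0][0] <= now - self.window:
            q.popleft()

    def recipients_in_window(self, account, now):
        self._prune(account, now)
        return sum(n for _, n in self.history[account])

    def submit(self, account, now, nrcpt):
        """Return 'accept' or 'block' for one outbound submission."""
        if account in self.blocked:
            return "block"
        used = self.recipients_in_window(account, now)
        if used + nrcpt > self.limit:
            self.blocked.add(account)
            self.alerts.append((account, now, used + nrcpt))
            return "block"
        self.history[account].append((now, nrcpt))
        return "accept"


# Constructed submission log: "<seconds> <account> <recipient count>".
# alice's credentials were phished around t=1200 and the bursts begin.
SUBMISSIONS = """\
0     alice 3
300   bob   1
600   alice 2
1200  alice 40
1260  alice 60
1320  alice 80
4000  bob   5
"""


def replay(log_text, limit=100):
    """Feed each log line to a fresh limiter; return (decisions, limiter)."""
    lim = RecipientRateLimiter(limit)
    decisions = []
    for line in log_text.splitlines():
        ts, account, nrcpt = line.split()
        decisions.append(lim.submit(account, int(ts), int(nrcpt)))
    return decisions, lim


if __name__ == "__main__":
    decisions, lim = replay(SUBMISSIONS)
    for line, d in zip(SUBMISSIONS.splitlines(), decisions):
        print(d.ljust(7), line)
    for account, ts, n in lim.alerts:
        print(f"ALERT: {account} reached {n} recipients/hour at t={ts}; blocked")
```

In the replay alice is accepted up to 45 recipients, blocked at the submission that would make it 105, and stays blocked afterwards; bob's 300-second submission has aged out of the window by t=4000, so only the 5 later recipients count against him.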

RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.


> Date: Fri, 18 Mar 2011 16:06:15 -0700
> From: jdow@earthlink.net
> To: users@spamassassin.apache.org
> Subject: Re: SA and Spear Phishing

> And for well targeted spearfishing, he's still stuck because nothing
> distinguishes it from his normal mail flow other than "unknown sender"
> or DNS check failures. The human mind can be a better filter against
> such spam than any result of mass checks.

> Off hand I get an impression he is throwing around terms without quite
> understanding them.
> 
> {^_^}

I highly appreciate your use of open/honest communication. Not to "pretend" being the nice boy, nor to defend myself (I'm not offended by that), but merely to define what is Spear Phishing to make sure we are on same page: Spear phishing is a form of phishing attacks that are tailored for specific scenarios/targets based on specific conditions (on top of my head, didn't google -- honest o/~). E.g. if an attacker knows my boss's name and email address, and that I'm in charge for certain deals, the attacker can do better social engineering attacks knowing more information about me.

One of the challenges behind spear phishing is that there is no single performance evaluation against it. And this includes user-training programmes too. Why? I suspect that either Spear phish works like magic so that users don't even recognize it, or that people do not publish it to public domains as it might include personally identifiable information.

So, it is not that software cannot detect spear, it is just that it is not documented. The same applies to user/human training approaches. None of them are documented or evaluated against "real" spear phish. We are always happily finding enough of bulk-phish to evaluate/measure against, but none of that is really spear.

So when it comes to spear phish, in my view, a big question mark arises to indicate that its risk is simply "unknown" to mankind. This is unknown in the public domain as far as I know, which is why I posted this mail to see if any of you see any spear phish within the load of SPAM you detect.

I would be really grateful if anyone here tells me his observation against spear phish. This is a cutting edge problem and not to compare SA against other appliances (actually I'm quite stuck in deep love with SA :$ -- I find it really hard to waste any single penny to a commercial anti-spam if I can get this for free -- as in freedom!).

Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
On 2011/03/18 15:48, Darxus@chaosreigns.com wrote:
> On 03/18, jdow wrote:
>> As far as trust for mass checks "Hamad Ali" would have to trust the
>> custodians of the mass check data with the raw email stream data he
>> submits.
>
> No, participating in mass checks does not require sending in all your raw
> mail.  It's nice when people do, but I believe most people run mass-check
> themselves and just upload the logs:
> http://wiki.apache.org/spamassassin/NightlyMassCheck

In which case those maintaining the collation of the results need to
weight incoming data with a trust level. Incoming data from a hotmail
address is basically pointless.

On rereading some of this I wonder if we have an 'ix newcomer who has
an email solution setup to scan as each message is read by his MUA for
presentation rather than scanning all the emails as they are brought
into his machine and stored in his own Dovecot install or equivalent
where his MUA grabs them already filtered. Then his worry about the time
it takes to scan messages is pretty much mooted. All he needs do is run
many parallel checks, as many as his machine supports before going into
paging, and sit back and enjoy.

And for well targeted spearfishing, he's still stuck because nothing
distinguishes it from his normal mail flow other than "unknown sender"
or DNS check failures. The human mind can be a better filter against
such spam than any result of mass checks.

Off hand I get an impression he is throwing around terms without quite
understanding them.

{^_^}

Re: SA and Spear Phishing

Posted by Da...@chaosreigns.com.
On 03/18, jdow wrote:
> As far as trust for mass checks "Hamad Ali" would have to trust the
> custodians of the mass check data with the raw email stream data he
> submits.

No, participating in mass checks does not require sending in all your raw
mail.  It's nice when people do, but I believe most people run mass-check
themselves and just upload the logs:
http://wiki.apache.org/spamassassin/NightlyMassCheck

-- 
"I don't want to die... just yet... not while there's... women."
- J. Matthew Root, 8/23/02 (http://www.jmrart.com/)
http://www.ChaosReigns.com

Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
On 2011/03/17 13:28, Darxus@chaosreigns.com wrote:
> On 03/18, Hamad Ali wrote:
>>     >  No. Michael doesn't want to help you and Karsten doesn't want you to
>>     >  participate in mass-checks because of your behavior on this list.
>>     Are you referring to ban on masschecks, or ban on receiving any sort of
>>     help what so ever?
>
> I'm saying it's the same problem.
>
> There's no ban.  There's just people not wanting to deal with your
> behavior.
>
>>     But for non-masschecks free mails should be irrelevant, shouldn't they?
>
> No.
>
>>     Are you saying that my recent mail, titled "SA and Spear Phishing" is also
>>     a reply to a previous thread? That's weird (I created a new mail with
>>     stuff being pasted).
>
> You replied to a previous thread by creating a new thread.  And that's
> pissing people off.

Some may figure a person too dumb to use "reply" rather than creating
a new email is too hopeless to try to work with. Is he worth the energy
to try to deal with him?

As far as trust for mass checks "Hamad Ali" would have to trust the
custodians of the mass check data with the raw email stream data he
submits.

(The best protection against spear phishing is a suspicious mind
operated by well trained employees. And there's not much Hamad can
do about that whether he is legitimate or a cloaked spammer. Poor kid.)

{^_^}

Re: SA and Spear Phishing

Posted by Da...@chaosreigns.com.
On 03/18, Hamad Ali wrote:
>    > No. Michael doesn't want to help you and Karsten doesn't want you to
>    > participate in mass-checks because of your behavior on this list.
>    Are you referring to ban on masschecks, or ban on receiving any sort of
>    help what so ever?

I'm saying it's the same problem.

There's no ban.  There's just people not wanting to deal with your
behavior.

>    But for non-masschecks free mails should be irrelevant, shouldn't they?

No.

>    Are you saying that my recent mail, titled "SA and Spear Phishing" is also
>    a reply to a previous thread? That's weird (I created a new mail with
>    stuff being pasted).

You replied to a previous thread by creating a new thread.  And that's
pissing people off.

-- 
"For every complex problem, there is a solution that is simple, neat,
and wrong." - H. L. Mencken
http://www.ChaosReigns.com

RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.
> Date: Thu, 17 Mar 2011 15:58:52 -0400
> From: Darxus@chaosreigns.com
> To: users@spamassassin.apache.org
> Subject: Re: SA and Spear Phishing
> No.  Michael doesn't want to help you and Karsten doesn't want you to
> participate in mass-checks because of your behavior on this list.
Are you referring to ban on masschecks, or ban on receiving any sort of help whatsoever?
> 
> Some pretty specific requests have been made of you.  I recommend:
> 
> 1) Stop posting from a hotmail address, and start posting from an address
>    in the primary domain associated with the email hosting service you're
>    working on.  That's what Karsten meant when he mentioned your
>    "freemail address".  Yes, it affects how much we trust you.
But for non-masschecks free mails should be irrelevant, shouldn't they?

> 3) When people clearly express their anger at you for posting, not
>    replying to any of the replies, and then responding by creating a
>    new thread:  Don't respond by doing exactly the same thing again.
>    I'm really curious about your logic failure there.  You might want
>    to try starting new threads less often.
Are you saying that my recent mail, titled "SA and Spear Phishing" is also a reply to a previous thread? That's weird (I created a new mail with stuff being pasted).

Re: SA and Spear Phishing

Posted by Da...@chaosreigns.com.
On 03/17, Hamad Ali wrote:
>    Alright guys, let's forget about me doing masschecks (I didn't know
>    limitations as I haven't seen the trust thingy policy anywhere
>    else [1]http://wiki.apache.org/spamassassin/NightlyMassCheck).

Why do you think that page needs to say that we need to be able to trust
you before we let you contribute data on which the very scores of SA rules
are based?

This is a very serious question, and I'm looking forward to your answer.
(I was the last one to overhaul that page.)

>    - Michael Scheidell said: "Ditto.  I was about to tell him how to stop
>    spear phishing"; it seems because I'm not eligible for participation in
>    nightly masschecks, Michael decided to not tell me how to stop spear
>    phishing.

No.  Michael doesn't want to help you and Karsten doesn't want you to
participate in mass-checks because of your behavior on this list.


Some pretty specific requests have been made of you.  I recommend:

1) Stop posting from a hotmail address, and start posting from an address
   in the primary domain associated with the email hosting service you're
   working on.  That's what Karsten meant when he mentioned your
   "freemail address".  Yes, it affects how much we trust you.

2) Reply to each and every question you've been asked.  With inline
   quotations.  One post per thread (subject) (so two or three emails?).
   Inline quotations is what I'm doing here, with what you said preceded
   by ">    " on each line.  This, generally, is the right way to reply
   to mailing lists.

3) When people clearly express their anger at you for posting, not
   replying to any of the replies, and then responding by creating a
   new thread:  Don't respond by doing exactly the same thing again.
   I'm really curious about your logic failure there.  You might want
   to try starting new threads less often.

We do really need more people participating in mass-checks.  I'd like to
see you improve your relationship with this community so you can do that.
It would also improve your chances of getting your questions answered.

-- 
"Of course there's strength in numbers. But there's strength in sharp
weaponry too. Ironically, this lead to what we call 'civilization'."
- spore
http://www.ChaosReigns.com

RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.


----------------------------------------
> Subject: Re: SA and Spear Phishing
> From: guenther@rudersport.de
> To: users@spamassassin.apache.org
> Date: Sat, 19 Mar 2011 06:02:31 +0100
> [....]
> As I mentioned earlier, spear phishing (which are highly targeted) will
> not have a hard time evading any filter. General phishing would be a
> quite lower hanging fruit, and much easier to get caught.
>

IMO spear phish varies depending on how targeted they are:

1- there are ones that are slightly generic to a company, e.g. phishers get a list of emails from their portal along with the rules, and then start sending emails according to that little info (which can still be very effective though). emails like "hey foo, I'm your colleague bar, wanna check this link?" (the link contains malware)

2- more specific ones, with more details, such as a phisher knowing specific information on activities the victim is running (e.g. sales operation, detailed info about a latest conversation with his boss, and expected list of follow ups).

2- is very hard to solve, even when humans are trained.. we can safely exclude them and wait 100,000s of years until humans evolve, and let's hope that the evolved humans don't have the Ph-gene also evolving with them.

point 1- is what humans can solve partially, based on some dummy/fake spear-looking phish crafted by a human for sake of evaluating the result.

either way, none are evaluated to see their realistic effect on real spear. but at least 1- is evaluated on fake spear-looking mails crafted by some evaluators willing to write papers (better than nothing)

a funny case is, when a spear type -1 turns into a type -2, similar to this case: http://www.schneier.com/blog/archives/2010/05/cory_doctorow_g.html
basically: Cory Doctorow got phished only because he received that phish during a specific moment (formatting his iPhone).

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-18 at 20:47 -0700, jdow wrote:
> Actually it might not be all that hard. Tweak some specific rule matches
> that indicate a high probability of phishing or spearfishing to be
> artificially high numbers. That will at least get them labeled as spam.

This is a per-site approach only. Strictly specific. "At least getting
labeled spam" in the general context sounds like FP prone, which will
never get out.


> Of course, within weeks of inventing such a rule it will be obsolete
> and you'll have to add in the "drug" rules type of de-obfuscation.

As I mentioned earlier, spear phishing (which are highly targeted) will
not have a hard time evading any filter. General phishing would be a
quite lower hanging fruit, and much easier to get caught.


> {^_-}  Free lunches are worth what they cost and not a penny more.

If one can digest speech, the lunch might really be worthwhile. Free
beer is good also, if it actually is beer. Cheers!


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: SA and Spear Phishing

Posted by jdow <jd...@earthlink.net>.
On 2011/03/18 18:38, John Hardin wrote:
> On Thu, 17 Mar 2011, Hamad Ali wrote:
>
>> - John Hardin said: Phishing is his next project, and that even a well
>> trained naive bayes filter might not detect it. let's be on touch on
>> this matter then. Any progress or collaboration is highly welcomed on
>> my side
>
> About the only thing I need from the community are samples, and for spear
> phishing that will be rather difficult.

Actually it might not be all that hard. Tweak some specific rule matches
that indicate a high probability of phishing or spearfishing to be
artificially high numbers. That will at least get them labeled as spam.

One such word might be "password" with certain other words in context.
This is certainly a meta-rule issue. But password plus an address
that is not on a "short list" anywhere within the body of the email
should result in a hefty score.

Of course, within weeks of inventing such a rule it will be obsolete
and you'll have to add in the "drug" rules type of de-obfuscation.

{^_-}  Free lunches are worth what they cost and not a penny more.
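
The kind of site-local check jdow sketches here (and earlier, when she suggests picking requests for forbidden data out of the mail stream): a credential request counts only when the same mail also points somewhere off-site. Added illustration, not code from the list or from SpamAssassin itself; the rule names, the 4.0 score, the trusted-domain short list and the two sample messages are my assumptions. The SpamAssassin equivalent of the URI half is given in a comment for comparison.

```python
"""Added example: 'credential request + off-site destination' meta check.
Rule names, score, trusted domains and the two messages are assumptions."""
import re
from email import message_from_string

# Constructed short list: places credentials may legitimately be sent to or
# linked from. Any other domain in the body counts as off-site.
TRUSTED_DOMAINS = {"example.com", "helpdesk.example.com"}

CREDENTIAL_RE = re.compile(
    r"\b(?:password|passphrase|passcode|login details|credentials)\b", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://([^\s/:?#]+)", re.I)

# SpamAssassin form of the same idea for the link half (assumed local.cf
# rule names; the body-address half needs a body rule of your own):
#   body  LOCAL_PW_REQUEST  /\b(?:password|passphrase|credentials)\b/i
#   uri   LOCAL_OFFSITE_URI /^https?:\/\/(?!(?:[\w-]+\.)*example\.com(?:[\/:]|$))/i
#   meta  LOCAL_PW_OFFSITE  (LOCAL_PW_REQUEST && LOCAL_OFFSITE_URI)
#   score LOCAL_PW_OFFSITE  4.0


def text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8",
                                     "replace"))
    return "\n".join(chunks)


def offsite_domains(text):
    """Domains of addresses and links in `text` that are not on the short list."""
    found = {m.group(1).lower() for m in ADDR_RE.finditer(text)}
    found |= {m.group(1).lower() for m in URL_RE.finditer(text)}
    return {d for d in found if d not in TRUSTED_DOMAINS}


def score_message(raw):
    """Return (score, hit rule names) for one raw RFC 2822 message.

    Mirrors a SpamAssassin meta rule: the two component rules fire on their
    own but only the combination carries a score, so a genuine reset notice
    with an on-site link stays at 0.0.
    """
    body = text_body(message_from_string(raw))
    hits = []
    if CREDENTIAL_RE.search(body):
        hits.append("LOCAL_PW_REQUEST")
    if offsite_domains(body):
        hits.append("LOCAL_OFFSITE_DEST")
    score = 0.0
    if "LOCAL_PW_REQUEST" in hits and "LOCAL_OFFSITE_DEST" in hits:
        hits.append("LOCAL_PW_OFFSITE")
        score += 4.0  # assumed site-local score; tune against your own ham
    return score, hits


# Constructed samples. The phish claims to be the helpdesk but wants a reply
# to a freemail address; the real notice links to the on-site portal.
PHISH = """\
From: "IT Helpdesk" <it-support@example.com>
To: alice@example.com
Subject: Mailbox quota exceeded

Alice, your mailbox is over quota. Reply with your username and password
to it.helpdesk.verify@gmail.com within 24 hours or the account is locked.
"""

LEGIT = """\
From: helpdesk@example.com
To: alice@example.com
Subject: Password reset

Your password reset link: https://helpdesk.example.com/reset/7f3a
It expires in one hour. The helpdesk never asks for your password by mail.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(raw))
```

The legitimate reset notice still trips LOCAL_PW_REQUEST on its own, which is exactly why that component must carry no score by itself; as jdow says, such a rule goes stale quickly and the word list will need the same de-obfuscation treatment the drug rules get.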

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-18 at 19:59 -0700, John Hardin wrote:
> On Sat, 19 Mar 2011, Karsten Bräckelmann wrote:
> > Did we just drop the spear, and downgrade to general phishing?
> 
> For the purposes of my phishing rules project, yes.

Oh, right -- sorry, previously saw this in the context of *targeted*
spear phishing only, though just realized Hamad's reply was actually
regarding your (general) phishing rules project. :)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: SA and Spear Phishing

Posted by John Hardin <jh...@impsec.org>.
On Sat, 19 Mar 2011, Karsten Bräckelmann wrote:

> On Sat, 2011-03-19 at 05:47 +0400, Hamad Ali wrote:
>>>> - John Hardin said: Phishing is his next project,
>
>> Have you considered the public SA ham/spam corpus,
>> and monkey.org/~jose phishing corpus?
>
> Did we just drop the spear, and downgrade to general phishing?

For the purposes of my phishing rules project, yes.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #9: Accuracy is relative: most combat
   shooting standards will be more dependent on "pucker factor" than
   the inherent accuracy of the gun.
-----------------------------------------------------------------------
  11 days until the M1911 is 100 years old - and still going strong!

Re: SA and Spear Phishing

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2011-03-19 at 05:47 +0400, Hamad Ali wrote:
> > > - John Hardin said: Phishing is his next project, and that even a well
> > >   trained naive bayes filter might not detect it. let's be on touch on
> > >   this matter then. Any progress or collaboration is highly welcomed on
> > >   my side
> >
> > About the only thing I need from the community are samples, and for spear
> > phishing that will be rather difficult.

Yeah, and that again is writing rules. Not bad at all, though one major
point stands -- Bayes is likely to be rather useless against *targeted*
phishing attacks.

Moreover, if an attack really is *targeted*, it won't have too much of a
struggle to evade rules also.


> Have you considered the public SA ham/spam corpus,
                          ^^^^^^
Uhm, there is no such thing. Definitely not recent-ish.

> and monkey.org/~jose phishing corpus?

Did we just drop the spear, and downgrade to general phishing?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: SA and Spear Phishing

Posted by John Hardin <jh...@impsec.org>.
On Sat, 19 Mar 2011, Hamad Ali wrote:

> ----------------------------------------
>> Date: Fri, 18 Mar 2011 18:38:44 -0700
>> From: jhardin@impsec.org
>> To: users@spamassassin.apache.org
>> Subject: Re: SA and Spear Phishing
>>
>> On Thu, 17 Mar 2011, Hamad Ali wrote:
>>
>>> - John Hardin said: Phishing is his next project, and that even a well
>>> trained naive bayes filter might not detect it. let's be on touch on
>>> this matter then. Any progress or collaboration is highly welcomed on
>>> my side
>>
>> About the only thing I need from the community are samples, and for spear
>> phishing that will be rather difficult.
>
>
> Have you considered the public SA ham/spam corpus, and monkey.org/~jose phishing corpus?

I wasn't aware of the monkey.org corpus; thanks, I'll take a look.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #9: Accuracy is relative: most combat
   shooting standards will be more dependent on "pucker factor" than
   the inherent accuracy of the gun.
-----------------------------------------------------------------------
  11 days until the M1911 is 100 years old - and still going strong!

RE: SA and Spear Phishing

Posted by Hamad Ali <cr...@hotmail.com>.
----------------------------------------
> Date: Fri, 18 Mar 2011 18:38:44 -0700
> From: jhardin@impsec.org
> To: users@spamassassin.apache.org
> Subject: Re: SA and Spear Phishing
>
> On Thu, 17 Mar 2011, Hamad Ali wrote:
>
> > - John Hardin said: Phishing is his next project, and that even a well
> > trained naive bayes filter might not detect it. let's be on touch on
> > this matter then. Any progress or collaboration is highly welcomed on
> > my side
>
> About the only thing I need from the community are samples, and for spear
> phishing that will be rather difficult.


Have you considered the public SA ham/spam corpus, and monkey.org/~jose phishing corpus?

-- H

Re: SA and Spear Phishing

Posted by John Hardin <jh...@impsec.org>.
On Thu, 17 Mar 2011, Hamad Ali wrote:

> - John Hardin said: Phishing is his next project, and that even a well
>   trained naive bayes filter might not detect it.  let's be on touch on
>   this matter then. Any progress or collaboration is highly welcomed on
>   my side

About the only thing I need from the community are samples, and for spear 
phishing that will be rather difficult.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   People seem to have this obsession with objects and tools as being
   dangerous in and of themselves, as though a weapon will act of its
   own accord to cause harm. A weapon is just a force multiplier. It's
   *humans* that are (or are not) dangerous.
-----------------------------------------------------------------------
  11 days until the M1911 is 100 years old - and still going strong!