Posted to dev@spamassassin.apache.org by Albert Whale <ae...@ABS-CompTech.com> on 2004/07/31 15:27:22 UTC

Detecting Phishers is not working.

I've implemented the recommendations from the Spam Assassin list 
regarding the SpamCop-URI interface, however the issue is still rearing 
its ugly head.

Here's a message fragment which is what is needed in the detection rules:

<p><strong><font size="2" face="Arial, Helvetica, sans-serif"><a target="_blank"
href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid="
>http://scgi.ebay.com/verify_id=ebay

&fraud alert id code=00937614</a></font></strong></p>



The problem is that I do not feel comfortable in waiting for Spam 
Reporting facility having information about the Phisher before it is 
received (and in these cases, neither were detected from the URI filtering).

Is there a method to take the first and second part Web Addresses 
and compare them? 

What about a New Filter which increases the Scoring value if the hidden 
address is a Numeric value and the second address is a FQDN ?

My last suggestion in detecting and eliminating Phishers is that the Web 
address is validated with the address shown, and then a comparison of 
the Network, Whois, or other test is made. 

Of course none of these tests need be applied unless there is a valid 
HTML section, in the Email.

Any suggestions? 

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM ZapperTM - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard
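The heuristic Albert sketches above (compare the host in the href with the host in the displayed link text, weight a numeric hidden host behind a displayed FQDN more heavily, and only look at messages that actually carry an HTML anchor), written out as an added Python example. This is not code from the thread; the sample fragment, the weights and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

SAMPLE_HTML = (  # constructed, modelled on the fragment in the post; RFC 5737 address
    '<p><strong><a target="_blank"\n'
    'href="http://192.0.2.10/event/.eBay/eBayISAPI.php?cmd=SignIn&UsingSSL=1"\n'
    '>http://scgi.ebay.com/verify_id=ebay\n\n&fraud alert id code=1234</a></strong></p>'
)

ANCHOR_RE = re.compile(
    r'<a\b[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r'<[^>]+>')
URL_IN_TEXT_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\']+', re.I)

def host_of(url):
    """Lowercase host of a URL; a scheme is prepended when the shown text has none."""
    if '://' not in url:
        url = 'http://' + url
    return (urlparse(url).hostname or '').lower()

def is_numeric_host(host):
    """True when the host is a bare IP address rather than a FQDN."""
    try:
        return bool(ip_address(host))
    except ValueError:
        return False

def find_mismatched_anchors(html):
    """(real_host, shown_host, hidden_is_ip) for each anchor whose visible text
    is itself a URL but names a different host than the href does."""
    hits = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r'\s+', '', TAG_RE.sub('', inner))  # the mail folded the shown URL
        m = URL_IN_TEXT_RE.search(text)
        if not m:
            continue
        real, shown = host_of(href), host_of(m.group(0))
        if real and shown and real != shown:
            hits.append((real, shown, is_numeric_host(real)))
    return hits

def phish_score(html):
    """Albert's proposal as a score: a mismatch counts, an IP hidden behind a FQDN counts more."""
    score = 0.0
    for real, shown, hidden_ip in find_mismatched_anchors(html):
        score += 1.0
        if hidden_ip and not is_numeric_host(shown):
            score += 2.0
    return score
```

A message with no HTML anchors yields no matches and therefore a score of 0, which is the "only when there is an HTML section" condition from the post.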



Re: Detecting Phishers is not working.

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, August 3, 2004, 5:47:57 AM, Albert Whale wrote:
> Jeff Chan wrote:

>>Well first, SURBLs don't have many IP addresses.  Most entries
>>in the lists are domain names.

> Most Phishers are based on IP Addresses.  Is the SURBL a Good Match,

Yes, our phishing data have disproportionately more IP
addresses than the regular spam web site data do.

>>Second it doesn't take "a few million" messages for an entry
>>to get onto a SURBL list.  For some of the lists it requires
>>only one to be detected.  Please see the Lists document on
>>our site for more information:

> Well, I say a Few million get out of the Phishers, before someone 
> reports it.  I want to detect it, and stop it before needing to rely on 
> a first responder acting on behalf of someone else.  I guess I am 
> looking for this new Detection tool to be the First Responder. 

Remember though that there are several sources of data for
SURBLs.  Some of the data sources such as the OutBlaze
spam traps probably pick up phishing spams pretty quickly,
along with other kinds of spams.  Spamtrap processing is
probably all automatic and pretty fast.  There are spamtraps
feeding into WS also.

> This certainly is NOT going to replace the lists in the SURBL, but is
> may also permit that this detection could 'feed' data into the SURBL.

If you develop a good phishing data source we would be
interested in carrying it in a SURBL.

> Back to a previous point.  Since most Phishers are using IP Addresses in 
> the Web Link, is there an existing test for this, or do I need to 
> develop it?

SURBLs handle both domains and IP addresses currently.
No new coding is needed for that.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Detecting Phishers is not working.

Posted by David Hooton <da...@gmail.com>.
On Tue, 03 Aug 2004 08:47:57 -0400, Albert Whale
<ae...@abs-comptech.com> wrote:
> Moving to the Users List.
> 
> >>I guess the issue here Jeff, is that there are a few million injections
> >>of the message before it makes it into the Database.  I want to detect
> >>it as soon as it occurs (and not require that it be relying on any other
> >>device externally for the detection).
> >>
> >>
> >>How does the IP Address make it into the SURBL List?

Hi Albert,

Well if you're talking Phishing Data I would be the person to talk to.
Data is collected from a reasonable set of information streams
including customer message intercepts, end user reported messages,
spamtraps and a couple of somewhat abstract however effective methods.

If you've got something to report please shoot it to postmaster at
corp.mailsecurity.net.au

> >Well first, SURBLs don't have many IP addresses.  Most entries
> >in the lists are domain names.
> >
> >
> Most Phishers are based on IP Addresses.  Is the SURBL a Good Match, or
> am I attempting to develop a New Detection Tool?

The Phishing list is mainly IPs; we will list whatever the malicious
URL is, domain based or otherwise.

> >Second it doesn't take "a few million" messages for an entry
> >to get onto a SURBL list.  For some of the lists it requires
> >only one to be detected.  Please see the Lists document on
> >our site for more information:
> >
> Well, I say a Few million get out of the Phishers, before someone
> reports it.  

You'd be incredibly surprised how fast some are caught.  We're still
working on a 100% reliable 98% automated solution but until then the
updates are still made as submissions arrive.

> I want to detect it, and stop it before needing to rely on
> a first responder acting on behalf of someone else.  I guess I am
> looking for this new Detection tool to be the First Responder.

I'm interested - can you outline what you're planning?

> This certainly is NOT going to replace the lists in the SURBL, but is
> may also permit that this detection could 'feed' data into the SURBL.

Again, tell me more :)

> Back to a previous point.  Since most Phishers are using IP Addresses in
> the Web Link, is there an existing test for this, or do I need to
> develop it?

Reversed octet IP addresses can be fed into SURBLs; we use them all
day every day.

-- 
Regards,

David Hooton
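The lookup mechanics David and Jeff describe, as an added Python example that is not code from the thread or from SURBL: the reversed-octet query name for an IP, the reduction of a hostname to its registered domain (approximated here as the last two labels, an assumption), and the return-code comparison expressed by the ('ws.surbl.org','127.0.0.2') pair in the SpamCopURI rule quoted later in the thread. The resolver answers and the multi.surbl.org bit table are constructed or assumed values.

```python
from ipaddress import ip_address

def surbl_query_name(host, zone='ws.surbl.org'):
    """DNS name to look up for one URI host in a SURBL zone.  IPv4 addresses
    are reversed octet by octet (as David describes); hostnames are reduced to
    the registered domain, approximated here as the last two labels (SURBL's
    own two-level/three-level TLD handling is more elaborate: an assumption)."""
    host = host.strip().lower().rstrip('.')
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        key = '.'.join(host.split('.')[-2:])
    elif ip.version == 4:
        key = '.'.join(reversed(host.split('.')))
    else:
        return None  # this example handles IPv4 only
    return '%s.%s' % (key, zone)

# multi.surbl.org signals list membership in bits of the answer's last octet.
# Bit values are assumed from the SURBL lists page of the period.
MULTI_BITS = {2: 'sc', 4: 'ws', 8: 'ph', 16: 'ob', 32: 'ab', 64: 'jp'}

def multi_lists(answer):
    """Decode a multi.surbl.org answer such as 127.0.0.12 into ['ws', 'ph']."""
    last = int(answer.split('.')[-1])
    return [name for bit, name in sorted(MULTI_BITS.items()) if last & bit]

# Constructed stand-in for a resolver; these names are not real listings.
FAKE_DNS = {
    '10.2.0.192.ws.surbl.org': '127.0.0.2',
    '10.2.0.192.multi.surbl.org': '127.0.0.12',
    'phish.example.ws.surbl.org': '127.0.0.2',
}

def uri_rbl_hit(host, zone, expect, resolve=FAKE_DNS.get):
    """Mirror of the (zone, expected answer) pair the SpamCopURI rule takes:
    the rule fires only when the zone answers with exactly that return code."""
    name = surbl_query_name(host, zone)
    return name is not None and resolve(name) == expect
```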

Re: Detecting Phishers is not working.

Posted by Albert Whale <ae...@ABS-CompTech.com>.
Moving to the Users List.

Jeff Chan wrote:

>On Monday, August 2, 2004, 6:00:21 AM, Albert Whale wrote:
>
>>Jeff Chan wrote:
>
>>>uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
>>>describe  WS_URI_RBL  URI's domain appears in sa-blacklist
>>>tflags    WS_URI_RBL  net
>>>
>>>score     WS_URI_RBL  3.0
>
>>Well, if the RBL contains a score of 3.0 and the minimum for detection 
>>is a 5 or a 6, how is this of any value?  Do you see a little of what I 
>>mean?
>
>The reason for a score below the threshold is to mitigate false
>positives by requiring other rules to also fire.  That's a basic
>feature of Spam Assassin, and it's more of a diverse, collaborative
>approach to detecting spam than outright blocking based on a
>single characteristic.  Certainly, if you're comfortable with the
>lack of false positives in a given SURBL rule, or any other rules
>for that matter, you can raise the score of that rule.  Adjusting
>scores and choosing rules is how you can tune SA to your liking
>and to the type of mail you get.
>
Agreed, I understand this wholly.

>>I guess the issue here Jeff, is that there are a few million injections 
>>of the message before it makes it into the Database.  I want to detect 
>>it as soon as it occurs (and not require that it be relying on any other 
>>device externally for the detection).
>>
>>How does the IP Address make it into the SURBL List?
>
>Well first, SURBLs don't have many IP addresses.  Most entries
>in the lists are domain names.
>
Most Phishers are based on IP Addresses.  Is the SURBL a Good Match, or 
am I attempting to develop a New Detection Tool?

>Second it doesn't take "a few million" messages for an entry
>to get onto a SURBL list.  For some of the lists it requires
>only one to be detected.  Please see the Lists document on
>our site for more information:
>
Well, I say a Few million get out of the Phishers, before someone 
reports it.  I want to detect it, and stop it before needing to rely on 
a first responder acting on behalf of someone else.  I guess I am 
looking for this new Detection tool to be the First Responder. 

This certainly is NOT going to replace the lists in the SURBL, but it 
may also permit that this detection could 'feed' data into the SURBL.

Back to a previous point.  Since most Phishers are using IP Addresses in 
the Web Link, is there an existing test for this, or do I need to 
develop it?

>  http://www.surbl.org/lists.html
>
>Also unless there's a specific development issue here, this
>discussion should probably move to the spamassassin-users
>list.
>
>Jeff C.

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant



Re: Detecting Phishers is not working.

Posted by Jeff Chan <je...@surbl.org>.
On Monday, August 2, 2004, 6:00:21 AM, Albert Whale wrote:
> Jeff Chan wrote:

>>uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
>>describe  WS_URI_RBL  URI's domain appears in sa-blacklist
>>tflags    WS_URI_RBL  net
>>
>>score     WS_URI_RBL  3.0

> Well, if the RBL contains a score of 3.0 and the minimum for detection 
> is a 5 or a 6, how is this of any value?  Do you see a little of what I 
> mean?

The reason for a score below the threshold is to mitigate false
positives by requiring other rules to also fire.  That's a basic
feature of Spam Assassin, and it's more of a diverse, collaborative
approach to detecting spam than outright blocking based on a
single characteristic.  Certainly, if you're comfortable with the
lack of false positives in a given SURBL rule, or any other rules
for that matter, you can raise the score of that rule.  Adjusting
scores and choosing rules is how you can tune SA to your liking
and to the type of mail you get.

> I guess the issue here Jeff, is that there are a few million injections 
> of the message before it makes it into the Database.  I want to detect 
> it as soon as it occurs (and not require that it be relying on any other 
> device externally for the detection).

> How does the IP Address make it into the SURBL List?

Well first, SURBLs don't have many IP addresses.  Most entries
in the lists are domain names.

Second it doesn't take "a few million" messages for an entry
to get onto a SURBL list.  For some of the lists it requires
only one to be detected.  Please see the Lists document on
our site for more information:

  http://www.surbl.org/lists.html

Also unless there's a specific development issue here, this
discussion should probably move to the spamassassin-users
list.

Jeff C.


Re: Detecting Phishers is not working.

Posted by Albert Whale <ae...@ABS-CompTech.com>.

Jeff Chan wrote:

>On Saturday, July 31, 2004, 6:27:22 AM, Albert Whale wrote:
>  
>
>>I've implemented the recommendations from the Spam A
>>
>Actually that IP address is on the ws and ph lists (the latter
>of which is only in multi.surbl.org).  But if you're running
>SpamCopURI with ws.surbl.org, it should have caught 211.202.3.208
>
>A sample rule and score for using ws might look like this:
>
>  http://www.surbl.org/quickstart.html
>
>uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
>describe  WS_URI_RBL  URI's domain appears in sa-blacklist
>tflags    WS_URI_RBL  net
>
>score     WS_URI_RBL  3.0
>
>Jeff C.
>
>  
>
Well, if the RBL contains a score of 3.0 and the minimum for detection 
is a 5 or a 6, how is this of any value?  Do you see a little of what I 
mean?

I guess the issue here Jeff, is that there are a few million injections 
of the message before it makes it into the Database.  I want to detect 
it as soon as it occurs (and not require that it be relying on any other 
device externally for the detection).

How does the IP Address make it into the SURBL List?

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant



Re: Detecting Phishers is not working.

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, July 31, 2004, 6:27:22 AM, Albert Whale wrote:
> I've implemented the recommendations from the Spam Assassin list 
> regarding the SpamCop-URI interface, however the issue is still rearing 
> its ugly head.

> Here's a message fragment which is what is needed in the detection rules:

> <p><strong><font size="2" face="Arial, Helvetica, sans-serif"><a target="_blank"
> href="http://211.202.3.20-MUNGED-8/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid="
>>http://scgi.ebay.com/verify_id=ebay

> &fraud alert id code=00937614</a></font></strong></p>

> The problem is that I do not feel comfortable in waiting for Spam 
> Reporting facility having information about the Phisher before it is 
> received (and in these cases, neither were detected from the URI filtering).

Actually that IP address is on the ws and ph lists (the latter
of which is only in multi.surbl.org).  But if you're running
SpamCopURI with ws.surbl.org, it should have caught 211.202.3.208

A sample rule and score for using ws might look like this:

  http://www.surbl.org/quickstart.html

uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe  WS_URI_RBL  URI's domain appears in sa-blacklist
tflags    WS_URI_RBL  net

score     WS_URI_RBL  3.0

Jeff C.


Re: Detecting Phishers is not working.

Posted by Fred <te...@i-is.com>.
Loren Wilton wrote:
> SARE has some phishing rules for various things.  I just sent a
> handful more out for test last night, but as it happens none of them
> were ebay specific, since I don't seem to get a lot of ebay phishing
> mails.

We have a set of rules for phishing but it's called spoof on our site (and
the ruleset name).  These rules do include spoofs against ebay, this was my
first target when I created these rules.

http://www.rulesemporium.com/rules/70_sare_spoof.cf


# Try to identify EBAY spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
header   __RCVD_EBAY        Received =~ /(?:email)?[^\s@]ebay\.com/i
header   __FROM_EBAY        From =~ /\@(?:email)?ebay\.com/i
uri      __URI_EBAY     /ebay\.com/i
meta     SARE_FORGED_EBAY   (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
describe SARE_FORGED_EBAY   Message appears to be forged, (ebay.com)
score    SARE_FORGED_EBAY   102.0


The rule is not 100% effective but it works for the majority of these spams.


This set is targeting spoofs from: ebay, paypal, usbank, and citibank.
Also looking for spoofed message IDs from aol, msn, hotmail, yahoo, excite
and others.
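The three sub-rules and the meta from 70_sare_spoof.cf above, re-expressed in Python as an added example (not SARE's or SpamAssassin's code) so the logic can be run against two constructed messages. The patterns are carried over from the Perl rules unchanged; the messages use documentation addresses and example.* names and are not real mail.

```python
import re
from email import message_from_string

# The three sub-rules of SARE_FORGED_EBAY, carried from Perl to Python syntax.
RCVD_EBAY = re.compile(r'(?:email)?[^\s@]ebay\.com', re.I)
FROM_EBAY = re.compile(r'@(?:email)?ebay\.com', re.I)
URI_EBAY = re.compile(r'ebay\.com', re.I)
URI_RE = re.compile(r'(?:https?://|www\.)[^\s<>"\']+', re.I)  # crude URI extractor

def message_text(msg):
    """Concatenate the decoded text/* parts so URIs in HTML and plain bodies are seen."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            raw = part.get_payload(decode=True) or b''
            parts.append(raw.decode(part.get_content_charset() or 'latin-1', 'replace'))
    return '\n'.join(parts)

def sare_forged_ebay(raw_message):
    """Python equivalent of the meta (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)."""
    msg = message_from_string(raw_message)
    from_hit = any(FROM_EBAY.search(v) for v in msg.get_all('From', []))
    rcvd_hit = any(RCVD_EBAY.search(v) for v in msg.get_all('Received', []))
    uri_hit = any(URI_EBAY.search(u) for u in URI_RE.findall(message_text(msg)))
    return from_hit and uri_hit and not rcvd_hit

# Constructed samples: a spoof that never touched an ebay.com relay, and a
# legitimate-looking one that did.  Addresses are RFC 5737 documentation ranges.
PHISH = """\
Received: from pc-123.example.net ([198.51.100.7]) by mail.example.org
From: "eBay" <aw-confirm@ebay.com>
Subject: Verify your account
Content-Type: text/html

<a href="http://192.0.2.10/.eBay/eBayISAPI.php">http://scgi.ebay.com/verify_id=ebay</a>
"""
LEGIT = """\
Received: from mx.ebay.com (mx.ebay.com [192.0.2.5]) by mail.example.org
From: "eBay" <aw-confirm@ebay.com>
Subject: Your item sold
Content-Type: text/plain

See http://www.ebay.com/item/1 for details.
"""
```

As Fred notes, the rule keys on a missing Received line, so a spoof that forges a matching Received header, or a legitimate mailing that relays through a third party, falls outside it.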


Re: Detecting Phishers is not working.

Posted by Loren Wilton <lw...@earthlink.net>.
SARE has some phishing rules for various things.  I just sent a handful more
out for test last night, but as it happens none of them were ebay specific,
since I don't seem to get a lot of ebay phishing mails.

I did come up with a rule similar to what you are asking for, but it is
specific to bank scams at the moment.  I'm sure it could be adjusted though.

        Loren