Posted to commits@spamassassin.apache.org by gb...@apache.org on 2020/09/27 13:04:22 UTC

svn commit: r1882066 - /spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm

Author: gbechis
Date: Sun Sep 27 13:04:22 2020
New Revision: 1882066

URL: http://svn.apache.org/viewvc?rev=1882066&view=rev
Log:
Add support to PhishStats free datafeed

Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm?rev=1882066&r1=1882065&r2=1882066&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm Sun Sep 27 13:04:22 2020
@@ -1,6 +1,6 @@
 #
 # Author: Giovanni Bechis <gb...@apache.org>
-# Copyright 2018,2019 Giovanni Bechis
+# Copyright 2018,2020 Giovanni Bechis
 #
 # <@LICENSE>
 # Licensed to the Apache Software Foundation (ASF) under one or more
@@ -31,23 +31,26 @@ Mail::SpamAssassin::Plugin::Phishing - c
   ifplugin Mail::SpamAssassin::Plugin::Phishing
     phishing_openphish_feed /etc/mail/spamassassin/openphish-feed.txt
     phishing_phishtank_feed /etc/mail/spamassassin/phishtank-feed.csv
+    phishing_phishstats_feed /etc/mail/spamassassin/phishstats-feed.csv
     body     URI_PHISHING      eval:check_phishing()
     describe URI_PHISHING      Url match phishing in feed
   endif
 
 =head1 DESCRIPTION
 
-This plugin finds uris used in phishing campaigns detected by 
-OpenPhish or PhishTank feeds.
+This plugin finds uris used in phishing campaigns detected by
+OpenPhish, PhishTank or PhishStats feeds.
 
 The Openphish free feed is updated every 6 hours and can be downloaded from
 https://openphish.com/feed.txt.
-The Premium Openphish feed is not currently supported.
 
 The PhishTank free feed is updated every 1 hours and can be downloaded from
 http://data.phishtank.com/data/online-valid.csv.
 To avoid download limits a registration is required.
 
+The PhishStats feed is updated every 90 minutes and can be downloaded from
+https://phishstats.info/phish_score.csv.
+
 =cut
 
 package Mail::SpamAssassin::Plugin::Phishing;
@@ -110,6 +113,7 @@ Absolute path of the downloaded OpenPhis
         type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
         }
     );
+
 =over 4
 
 =item phishing_phishtank_feed
@@ -126,6 +130,7 @@ Absolute path of the downloaded PhishTan
         type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
         }
     );
+
 =over 4
 
 =item phishing_uri_noparam ( 0 | 1 ) (default: 0)
@@ -139,6 +144,40 @@ skipped.
 =back
 
 =cut
+    push(@cmds, {
+        setting => 'phishing_phishstats_feed',
+        is_admin => 1,
+        type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
+        }
+    );
+
+=over 4
+
+=item phishing_phishstats_feed
+
+Absolute path of the downloaded PhishStats datafeed.
+
+=back
+
+=cut
+    push(@cmds, {
+        setting => 'phishing_phishstats_minscore',
+        is_admin => 1,
+        default => 6,
+        type => $Mail::SpamAssassin::Conf::CONF_TYPE_NUMERIC,
+        }
+    );
+
+=over 4
+
+=item phishing_phishstats_minscore ( 0 - 10 ) (default: 6)
+
+Minimum score to take into consideration for phishing uris downloaded
+from PhishStats datafeed.
+
+=back
+
+=cut
     $conf->{parser}->register_commands(\@cmds);
 }
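Review bot: The POD for `phishing_phishstats_minscore` advertises a range of 0 - 10, but the setting is registered as plain `CONF_TYPE_NUMERIC` with no range check visible in this hunk, so a negative or very large value would be accepted and would silently admit nearly every feed entry or none. The wording "Minimum score to take into consideration" also reads as inclusive, while the `_read_configfile` hunk skips a row when `minscore >= score`, so a URL scoring exactly 6 is dropped at the default. Either change that test to `>` or document the behaviour, for example `Only uris with a score strictly greater than this value are used.` The enclosing function starts outside the hunk.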
 
@@ -150,7 +189,7 @@ sub finish_parsing_end {
 sub _read_configfile {
   my ($self) = @_;
   my $conf = $self->{main}->{registryboundaries}->{conf};
-  my @phtank_ln;
+  my (@phtank_ln, @phstats_ln);
   my $stripped_cluri;
 
   local *F;
@@ -204,6 +243,40 @@ sub _read_configfile {
                 : die "error reading config file: $!";
     close(F) or die "error closing config file: $!";
   }
+
+  if ( defined($conf->{phishing_phishstats_feed}) && (-f $conf->{phishing_phishstats_feed} ) ) {
+    open(F, '<', $conf->{phishing_phishstats_feed});
+    for ($!=0; <F>; $!=0) {
+        #skip first line
+        next if ( $. eq 1);
+        chomp;
+        #lines that start with pound are comments
+        next if(/^\s*\#/);
+
+	# CSV: Date,Score,URL,IP
+        @phstats_ln = split(/,/, $_);
+        $phstats_ln[1] =~ s/\"//g;
+        $phstats_ln[2] =~ s/\"//g;
+	if ( $conf->{phishing_phishstats_minscore} >= $phstats_ln[1] ) {
+	  next;
+	}
+        $stripped_cluri = $phstats_ln[2];
+	if ( $conf->{phishing_uri_noparam} eq 1 ) {
+          $stripped_cluri =~ s/\?.*//;
+	}
+        my $phishdomain = $self->{main}->{registryboundaries}->uri_to_domain($phstats_ln[2]);
+        if ( defined $phishdomain ) {
+          push @{$self->{PHISHING}->{$stripped_cluri}->{phishdomain}}, $phishdomain;
+          push @{$self->{PHISHING}->{$stripped_cluri}->{phishinfo}->{$phishdomain}}, "PhishStats";
+        }
+    }
+
+    defined $_ || $!==0  or
+      $!==EBADF ? dbg("PHISHING: error reading config file: $!")
+                : die "error reading config file: $!";
+    close(F) or die "error closing config file: $!";
+  }
+
 }
 
 sub check_phishing {
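Review bot: The new PhishStats branch calls `open(F, '<', ...)` without checking the result, so a feed that passes `-f` but cannot be read falls through to the EBADF debug path and then dies at `close(F)` with a misleading "error closing config file" message. The row parsing also trusts the downloaded CSV: `split(/,/, $_)` cuts any URL that itself contains a comma, so that entry is stored truncated and presumably never matches, and a short or malformed row leaves `$phstats_ln[1]` and `$phstats_ln[2]` undefined for the substitutions and the numeric comparison. Checking `open`, and requiring the expected fields and a numeric score before use, would make the loader fail clearly on I/O errors and skip bad rows; the sketch below assumes the trailing IP field never contains a comma. The numeric tests `$. eq 1` and `$conf->{phishing_uri_noparam} eq 1` would also read better with `==`. `_read_configfile` starts outside the hunk.

```perl
    open(F, '<', $conf->{phishing_phishstats_feed})
      or die "cannot open PhishStats feed: $!";
    for ($!=0; <F>; $!=0) {
        # ... unchanged: skip header line, chomp, skip comment lines ...

        # CSV: Date,Score,URL,IP -- the URL may itself contain commas,
        # so take Date and Score from the left and IP from the right.
        my ($date, $score, $rest) = split(/,/, $_, 3);
        next unless defined $rest;
        my ($url) = $rest =~ /^(.*),[^,]*$/ or next;
        s/\"//g for ($score, $url);
        # skip rows whose score is not a plain number
        next unless $score =~ /^\d+(?:\.\d+)?$/;
        next if $conf->{phishing_phishstats_minscore} >= $score;
        @phstats_ln = ($date, $score, $url);
        # ... unchanged: strip parameters, uri_to_domain, push into $self->{PHISHING} ...
    }
```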