Posted to commits@spamassassin.apache.org by gb...@apache.org on 2020/09/27 13:04:22 UTC
svn commit: r1882066 -
/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
Author: gbechis
Date: Sun Sep 27 13:04:22 2020
New Revision: 1882066
URL: http://svn.apache.org/viewvc?rev=1882066&view=rev
Log:
Add support to PhishStats free datafeed
Modified:
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm?rev=1882066&r1=1882065&r2=1882066&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm Sun Sep 27 13:04:22 2020
@@ -1,6 +1,6 @@
#
# Author: Giovanni Bechis <gb...@apache.org>
-# Copyright 2018,2019 Giovanni Bechis
+# Copyright 2018,2020 Giovanni Bechis
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
@@ -31,23 +31,26 @@ Mail::SpamAssassin::Plugin::Phishing - c
ifplugin Mail::SpamAssassin::Plugin::Phishing
phishing_openphish_feed /etc/mail/spamassassin/openphish-feed.txt
phishing_phishtank_feed /etc/mail/spamassassin/phishtank-feed.csv
+ phishing_phishstats_feed /etc/mail/spamassassin/phishstats-feed.csv
body URI_PHISHING eval:check_phishing()
describe URI_PHISHING Url match phishing in feed
endif
=head1 DESCRIPTION
-This plugin finds uris used in phishing campaigns detected by
-OpenPhish or PhishTank feeds.
+This plugin finds uris used in phishing campaigns detected by
+OpenPhish, PhishTank or PhishStats feeds.
The Openphish free feed is updated every 6 hours and can be downloaded from
https://openphish.com/feed.txt.
-The Premium Openphish feed is not currently supported.
The PhishTank free feed is updated every 1 hours and can be downloaded from
http://data.phishtank.com/data/online-valid.csv.
To avoid download limits a registration is required.
+The PhishStats feed is updated every 90 minutes and can be downloaded from
+https://phishstats.info/phish_score.csv.
+
=cut
package Mail::SpamAssassin::Plugin::Phishing;
@@ -110,6 +113,7 @@ Absolute path of the downloaded OpenPhis
type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
}
);
+
=over 4
=item phishing_phishtank_feed
@@ -126,6 +130,7 @@ Absolute path of the downloaded PhishTan
type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
}
);
+
=over 4
=item phishing_uri_noparam ( 0 | 1 ) (default: 0)
@@ -139,6 +144,40 @@ skipped.
=back
=cut
+ push(@cmds, {
+ setting => 'phishing_phishstats_feed',
+ is_admin => 1,
+ type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
+ }
+ );
+
+=over 4
+
+=item phishing_phishstats_feed
+
+Absolute path of the downloaded PhishStats datafeed.
+
+=back
+
+=cut
+ push(@cmds, {
+ setting => 'phishing_phishstats_minscore',
+ is_admin => 1,
+ default => 6,
+ type => $Mail::SpamAssassin::Conf::CONF_TYPE_NUMERIC,
+ }
+ );
+
+=over 4
+
+=item phishing_phishstats_minscore ( 0 - 10 ) (default: 6)
+
+Minimum score to take into consideration for phishing uris downloaded
+from PhishStats datafeed.
+
+=back
+
+=cut
$conf->{parser}->register_commands(\@cmds);
}
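Review bot: The POD for `phishing_phishstats_minscore` promises a `( 0 - 10 )` range and a "minimum score to take into consideration", but the new code does not behave that way. The setting is registered as plain `CONF_TYPE_NUMERIC` with no visible range check, and the test added further down in `_read_configfile` (`if ( $conf->{phishing_phishstats_minscore} >= $phstats_ln[1] ) { next; }`) also skips entries whose score equals the threshold, so the default of 6 only admits scores above 6. Either change that test to `>` or reword the item to `Only uris with a PhishStats score greater than this value are loaded.`, so that an administrator tuning the threshold gets the detection coverage they expect. The enclosing sub starts above this hunk.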
@@ -150,7 +189,7 @@ sub finish_parsing_end {
sub _read_configfile {
my ($self) = @_;
my $conf = $self->{main}->{registryboundaries}->{conf};
- my @phtank_ln;
+ my (@phtank_ln, @phstats_ln);
my $stripped_cluri;
local *F;
@@ -204,6 +243,40 @@ sub _read_configfile {
: die "error reading config file: $!";
close(F) or die "error closing config file: $!";
}
+
+ if ( defined($conf->{phishing_phishstats_feed}) && (-f $conf->{phishing_phishstats_feed} ) ) {
+ open(F, '<', $conf->{phishing_phishstats_feed});
+ for ($!=0; <F>; $!=0) {
+ #skip first line
+ next if ( $. eq 1);
+ chomp;
+ #lines that start with pound are comments
+ next if(/^\s*\#/);
+
+ # CSV: Date,Score,URL,IP
+ @phstats_ln = split(/,/, $_);
+ $phstats_ln[1] =~ s/\"//g;
+ $phstats_ln[2] =~ s/\"//g;
+ if ( $conf->{phishing_phishstats_minscore} >= $phstats_ln[1] ) {
+ next;
+ }
+ $stripped_cluri = $phstats_ln[2];
+ if ( $conf->{phishing_uri_noparam} eq 1 ) {
+ $stripped_cluri =~ s/\?.*//;
+ }
+ my $phishdomain = $self->{main}->{registryboundaries}->uri_to_domain($phstats_ln[2]);
+ if ( defined $phishdomain ) {
+ push @{$self->{PHISHING}->{$stripped_cluri}->{phishdomain}}, $phishdomain;
+ push @{$self->{PHISHING}->{$stripped_cluri}->{phishinfo}->{$phishdomain}}, "PhishStats";
+ }
+ }
+
+ defined $_ || $!==0 or
+ $!==EBADF ? dbg("PHISHING: error reading config file: $!")
+ : die "error reading config file: $!";
+ close(F) or die "error closing config file: $!";
+ }
+
}
sub check_phishing {
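Review bot: Each feed line is split with `split(/,/, $_)` and fields 1 and 2 are used without checking that they exist, so a short or malformed line from the downloaded feed operates on undef, and a URL that itself contains a comma is cut at that comma and stored as a shorter key in `$self->{PHISHING}`, which could then match unrelated mail. Because the feed is third-party data, the loop should skip lines that lack the expected columns or carry a non-numeric score, and should peel off only the leading Date and Score and the trailing IP (assuming the `Date,Score,URL,IP` layout given in the comment). The `open(F, '<', ...)` result is also unchecked, so an unreadable feed is only noticed by the later read and close checks. `_read_configfile` starts above this hunk.

```perl
      # CSV: Date,Score,URL,IP
      my ($date, $score, $rest) = split(/,/, $_, 3);
      # short or malformed line: nothing usable, skip it
      next unless defined $rest;
      # the URL may itself contain commas; drop only the trailing IP column
      $rest =~ s/,[^,]*$//;
      @phstats_ln = ($date, $score, $rest);
      $phstats_ln[1] =~ s/\"//g;
      $phstats_ln[2] =~ s/\"//g;
      # a non-numeric score cannot be compared with the threshold
      next unless $phstats_ln[1] =~ /^\d+(?:\.\d+)?$/;
      # … unchanged: minscore comparison, noparam stripping, PHISHING hash update …
```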