Posted to dev@spamassassin.apache.org by John Hardin <jh...@impsec.org> on 2021/01/22 16:54:44 UTC
Need for util_rb_4tld?
Folks:
I've been seeing more frequently lately phishing that leverages web apps
hosted by Google and Microsoft as a collection point.
A couple of days ago I added firebaseapp.com and web.app to the default
util_rb_2tld list to cover firebase apps hosted by Google.
I've just seen a couple of phishes leveraging MS Azure web apps:
multadetrafico.eastus.cloudapp.azure.com
multapendente.westus2.cloudapp.azure.com
Unfortunately these can't be added as they have an Azure zone in the
fourth position and we don't have a util_rb_4tld directive...
So, topic for discussion: do we need to add a util_rb_4tld for this?
Related: does URIBL register names that deep?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim I: Pillage, _then_ burn.
-----------------------------------------------------------------------
Tomorrow: John Moses Browning's 166th Birthday
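As an added illustration of the problem John describes (this is not code from the thread or from SpamAssassin itself): the util_rb_2tld / util_rb_3tld lists tell SpamAssassin where the registrar boundary sits, so that a URI's hostname can be trimmed to the name a registrant actually controls before it is looked up in a URIBL. The model below reproduces that trimming generically for N-label lists and shows what happens to the two Azure hostnames with no entry, with a hypothetical cloudapp.azure.com 3tld entry, and with a hypothetical 4tld entry per Azure region. The firebaseapp.com and web.app entries come from the post above; cloudapp.azure.com as a 3tld entry, the two region-level 4tld entries and the firebaseapp sample hostname are constructed for the example.

```python
"""Model of SpamAssassin-style registrar-boundary trimming.

Added example for this thread; a simplified Python model of the idea behind
util_rb_2tld / util_rb_3tld, not the project's own Perl implementation.
"""

# Constructed lists.  firebaseapp.com and web.app are the two util_rb_2tld
# additions mentioned in the thread; co.uk is a classic two-level boundary.
RB_2TLD = {"co.uk", "firebaseapp.com", "web.app"}

# Hypothetical: treating cloudapp.azure.com as a three-level boundary.
RB_3TLD_HYPOTHETICAL = {"cloudapp.azure.com"}

# Hypothetical: what a util_rb_4tld list might hold, one entry per Azure
# region zone, so that the customer-chosen label is preserved.
RB_4TLD_HYPOTHETICAL = {"eastus.cloudapp.azure.com", "westus2.cloudapp.azure.com"}


def split_domain(hostname, rb_lists):
    """Return (host_part, registrar_domain) for hostname.

    rb_lists maps a label count N to the set of N-label registrar boundaries
    (the contents of the corresponding util_rb_Ntld list).  Labels are
    stripped from the left until the remainder is a known boundary (or a
    bare TLD); the last stripped label is then handed back so the result is
    the first name somebody could have registered under that boundary.
    """
    labels = [l for l in hostname.lower().strip(".").split(".") if l]
    host = []
    while len(labels) > 1:
        if ".".join(labels) in rb_lists.get(len(labels), ()):
            break  # remainder is a registrar boundary; stop here
        host.append(labels.pop(0))
    if host:
        labels.insert(0, host.pop())  # give one label back to the domain
    return ".".join(host), ".".join(labels)


def uribl_lookup_name(hostname, with_3tld=False, with_4tld=False):
    """The name that would be sent to a URIBL-style list for hostname."""
    rb = {2: RB_2TLD}
    if with_3tld:
        rb[3] = RB_3TLD_HYPOTHETICAL
    if with_4tld:
        rb[3] = RB_3TLD_HYPOTHETICAL
        rb[4] = RB_4TLD_HYPOTHETICAL
    return split_domain(hostname, rb)[1]


if __name__ == "__main__":
    samples = [
        "www.example.co.uk",
        "constructed-example.firebaseapp.com",   # constructed sample hostname
        "multadetrafico.eastus.cloudapp.azure.com",
        "multapendente.westus2.cloudapp.azure.com",
    ]
    for h in samples:
        print(h)
        print("  2tld only :", uribl_lookup_name(h))
        print("  +3tld     :", uribl_lookup_name(h, with_3tld=True))
        print("  +4tld     :", uribl_lookup_name(h, with_4tld=True))
```

With only the 2tld list, both Azure names collapse to azure.com, which no URIBL would list; a 3tld entry for cloudapp.azure.com only gets as far as the region zone (eastus.cloudapp.azure.com), still not the phisher's own label. Only a four-level boundary keeps multadetrafico.eastus.cloudapp.azure.com intact for the lookup, which is exactly why the existing 2tld/3tld directives cannot cover this case.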
Re: Need for util_rb_4tld?
Posted by John Hardin <jh...@impsec.org>.
On Sat, 13 Mar 2021, Kevin A. McGrail wrote:
> Can you put a T_ rule in your sandbox or send me something to grep and I'll
> search my ham/spam?
http://www.impsec.org/~jhardin/antispam/make_azurephish_rule.sh
https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/40_local_azurephish.cf?view=log
https://ruleqa.spamassassin.org/20210314-r1887624-n/PHISH_AZURE_CLOUDAPP/detail
> On Sat, Mar 13, 2021 at 11:38 PM John Hardin <jh...@impsec.org> wrote:
>
>> On Sat, 13 Mar 2021, Kevin A. McGrail wrote:
>>
>>> If you have spamples and they aren't able to be blocked otherwise, a 4tld
>>> is certainly something to consider.
>>
>> I have a ruleset generated from my spam corpus in my sandbox. But that's
>> just based on the (relative) trickle of spam me and my wife get.
>>
>> They have quieted down recently. I don't know whether it's because that
>> technique isn't working out, or they just haven't targeted me lately.
>>
>>> On Fri, Jan 22, 2021 at 11:55 AM John Hardin <jh...@impsec.org> wrote:
>>>
>>>> Folks:
>>>>
>>>> I've been seeing more frequently lately phishing that leverages web apps
>>>> hosted by Google and Microsoft as a collection point.
>>>>
>>>> A couple of days ago I added firebaseapp.com and web.app to the default
>>>> util_rb_2tld list to cover firebase apps hosted by Google.
>>>>
>>>> I've just seen a couple of phishes leveraging MS Azure web apps:
>>>>
>>>> multadetrafico.eastus.cloudapp.azure.com
>>>>
>>>> multapendente.westus2.cloudapp.azure.com
>>>>
>>>> Unfortunately these can't be added as they have an Azure zone in the
>>>> fourth position and we don't have a util_rb_4tld directive...
>>>>
>>>> So, topic for discussion: do we need to add a util_rb_4tld for this?
>>>>
>>>> Related: does URIBL register names that deep?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute
an emergency on my part. -- David W. Barts in a.s.r
-----------------------------------------------------------------------
Today: Daylight Saving Time begins in U.S. - Spring Forward
Re: Need for util_rb_4tld?
Posted by "Kevin A. McGrail" <km...@apache.org>.
Can you put a T_ rule in your sandbox or send me something to grep and I'll
search my ham/spam?
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
On Sat, Mar 13, 2021 at 11:38 PM John Hardin <jh...@impsec.org> wrote:
> On Sat, 13 Mar 2021, Kevin A. McGrail wrote:
>
> > If you have spamples and they aren't able to be blocked otherwise, a 4tld
> > is certainly something to consider.
>
> I have a ruleset generated from my spam corpus in my sandbox. But that's
> just based on the (relative) trickle of spam me and my wife get.
>
> They have quieted down recently. I don't know whether it's because that
> technique isn't working out, or they just haven't targeted me lately.
>
> > On Fri, Jan 22, 2021 at 11:55 AM John Hardin <jh...@impsec.org> wrote:
> >
> >> Folks:
> >>
> >> I've been seeing more frequently lately phishing that leverages web apps
> >> hosted by Google and Microsoft as a collection point.
> >>
> >> A couple of days ago I added firebaseapp.com and web.app to the default
> >> util_rb_2tld list to cover firebase apps hosted by Google.
> >>
> >> I've just seen a couple of phishes leveraging MS Azure web apps:
> >>
> >> multadetrafico.eastus.cloudapp.azure.com
> >>
> >> multapendente.westus2.cloudapp.azure.com
> >>
> >> Unfortunately these can't be added as they have an Azure zone in the
> >> fourth position and we don't have a util_rb_4tld directive...
> >>
> >> So, topic for discussion: do we need to add a util_rb_4tld for this?
> >>
> >> Related: does URIBL register names that deep?
>
Re: Need for util_rb_4tld?
Posted by John Hardin <jh...@impsec.org>.
On Sat, 13 Mar 2021, Kevin A. McGrail wrote:
> If you have spamples and they aren't able to be blocked otherwise, a 4tld
> is certainly something to consider.
I have a ruleset generated from my spam corpus in my sandbox. But that's
just based on the (relative) trickle of spam me and my wife get.
They have quieted down recently. I don't know whether it's because that
technique isn't working out, or they just haven't targeted me lately.
> On Fri, Jan 22, 2021 at 11:55 AM John Hardin <jh...@impsec.org> wrote:
>
>> Folks:
>>
>> I've been seeing more frequently lately phishing that leverages web apps
>> hosted by Google and Microsoft as a collection point.
>>
>> A couple of days ago I added firebaseapp.com and web.app to the default
>> util_rb_2tld list to cover firebase apps hosted by Google.
>>
>> I've just seen a couple of phishes leveraging MS Azure web apps:
>>
>> multadetrafico.eastus.cloudapp.azure.com
>>
>> multapendente.westus2.cloudapp.azure.com
>>
>> Unfortunately these can't be added as they have an Azure zone in the
>> fourth position and we don't have a util_rb_4tld directive...
>>
>> So, topic for discussion: do we need to add a util_rb_4tld for this?
>>
>> Related: does URIBL register names that deep?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute
an emergency on my part. -- David W. Barts in a.s.r
-----------------------------------------------------------------------
Tomorrow: Daylight Saving Time begins in U.S. - Spring Forward
Re: Need for util_rb_4tld?
Posted by "Kevin A. McGrail" <km...@apache.org>.
If you have spamples and they aren't able to be blocked otherwise, a 4tld
is certainly something to consider.
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
On Fri, Jan 22, 2021 at 11:55 AM John Hardin <jh...@impsec.org> wrote:
> Folks:
>
> I've been seeing more frequently lately phishing that leverages web apps
> hosted by Google and Microsoft as a collection point.
>
> A couple of days ago I added firebaseapp.com and web.app to the default
> util_rb_2tld list to cover firebase apps hosted by Google.
>
> I've just seen a couple of phishes leveraging MS Azure web apps:
>
> multadetrafico.eastus.cloudapp.azure.com
>
> multapendente.westus2.cloudapp.azure.com
>
> Unfortunately these can't be added as they have an Azure zone in the
> fourth position and we don't have a util_rb_4tld directive...
>
> So, topic for discussion: do we need to add a util_rb_4tld for this?
>
> Related: does URIBL register names that deep?