You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by gb...@apache.org on 2020/06/13 10:27:51 UTC
svn commit: r1878802 -
/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
Author: gbechis
Date: Sat Jun 13 10:27:51 2020
New Revision: 1878802
URL: http://svn.apache.org/viewvc?rev=1878802&view=rev
Log:
Add an option phishing_uri_noparam to discard uri parameters
when checking phishing uris.
Modified:
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm?rev=1878802&r1=1878801&r2=1878802&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/Phishing.pm Sat Jun 13 10:27:51 2020
@@ -83,14 +83,62 @@ sub set_config {
my @cmds;
push(@cmds, {
setting => 'phishing_openphish_feed',
+ is_admin => 1,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
}
);
+
+=head1 ADMIN PREFERENCES
+
+The following options can be used in site-wide (C<local.cf>)
+configuration files to customize how the module handles phishing uris
+
+=cut
+
+=over 4
+
+=item phishing_openphish_feed
+
+Absolute path of the downloaded OpenPhish datafeed.
+
+=back
+
+=cut
push(@cmds, {
setting => 'phishing_phishtank_feed',
+ is_admin => 1,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_STRING,
}
);
+=over 4
+
+=item phishing_phishtank_feed
+
+Absolute path of the downloaded PhishTank datafeed.
+
+=back
+
+=cut
+ push(@cmds, {
+ setting => 'phishing_uri_noparam',
+ is_admin => 1,
+ default => 0,
+ type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
+ }
+ );
+=over 4
+
+=item phishing_uri_noparam ( 0 | 1 ) (default: 0)
+
+If this option is set uri parameters will not be take into consideration
+when parsing the phishing uris datafeed.
+If this option is enabled and the url without parameters is "generic"
+(like https://www.kisa.link/url_redirector.php?url=...) the url will be
+skipped.
+
+=back
+
+=cut
$conf->{parser}->register_commands(\@cmds);
}
@@ -103,6 +151,7 @@ sub _read_configfile {
my ($self) = @_;
my $conf = $self->{main}->{registryboundaries}->{conf};
my @phtank_ln;
+ my $stripped_cluri;
local *F;
if ( defined($conf->{phishing_openphish_feed}) && ( -f $conf->{phishing_openphish_feed} ) ) {
@@ -111,10 +160,14 @@ sub _read_configfile {
chomp;
#lines that start with pound are comments
next if(/^\s*\#/);
+ $stripped_cluri = $_;
+ if ( $conf->{phishing_uri_noparam} eq 1 ) {
+ $stripped_cluri =~ s/\?.*//;
+ }
my $phishdomain = $self->{main}->{registryboundaries}->uri_to_domain($_);
if ( defined $phishdomain ) {
- push @{$self->{PHISHING}->{$_}->{phishdomain}}, $phishdomain;
- push @{$self->{PHISHING}->{$_}->{phishinfo}->{$phishdomain}}, "OpenPhish";
+ push @{$self->{PHISHING}->{$stripped_cluri}->{phishdomain}}, $phishdomain;
+ push @{$self->{PHISHING}->{$stripped_cluri}->{phishinfo}->{$phishdomain}}, "OpenPhish";
}
}
@@ -135,11 +188,14 @@ sub _read_configfile {
@phtank_ln = split(/,/, $_);
$phtank_ln[1] =~ s/\"//g;
-
+ $stripped_cluri = $phtank_ln[1];
+ if ( $conf->{phishing_uri_noparam} eq 1 ) {
+ $stripped_cluri =~ s/\?.*//;
+ }
my $phishdomain = $self->{main}->{registryboundaries}->uri_to_domain($phtank_ln[1]);
if ( defined $phishdomain ) {
- push @{$self->{PHISHING}->{$phtank_ln[1]}->{phishdomain}}, $phishdomain;
- push @{$self->{PHISHING}->{$phtank_ln[1]}->{phishinfo}->{$phishdomain}}, "PhishTank";
+ push @{$self->{PHISHING}->{$stripped_cluri}->{phishdomain}}, $phishdomain;
+ push @{$self->{PHISHING}->{$stripped_cluri}->{phishinfo}->{$phishdomain}}, "PhishTank";
}
}
@@ -155,10 +211,11 @@ sub check_phishing {
my $feedname;
my $domain;
- my $uris = $pms->get_uri_detail_list();
+ my $stripped_cluri;
+ my $dcnt;
+ my $uris = $pms->get_uri_detail_list();
my $rulename = $pms->get_current_eval_rule_name();
-
while (my($uri, $info) = each %{$uris}) {
# we want to skip mailto: uris
next if ($uri =~ /^mailto:/i);
@@ -168,10 +225,20 @@ sub check_phishing {
if (($info->{types}->{a}) || ($info->{types}->{parsed})) {
# check url
foreach my $cluri (@{$info->{cleaned}}) {
- if ( exists $self->{PHISHING}->{$cluri} ) {
+ $stripped_cluri = $cluri;
+ if( $self->{main}->{conf}->{phishing_uri_noparam} eq 1 ) {
+ $stripped_cluri =~ s/\?.*//;
+ $dcnt = $stripped_cluri =~ tr/\///;
+ }
+ # If uri without parameters are considered, skip too short uris
+ # like https://www.google.com/url?sa=t&url=http://badsite.com
+ if( ($self->{main}->{conf}->{phishing_uri_noparam} eq 1) && ($dcnt <= 3) ) {
+ next;
+ }
+ if ( exists $self->{PHISHING}->{$stripped_cluri} ) {
$domain = $self->{main}->{registryboundaries}->uri_to_domain($cluri);
- $feedname = $self->{PHISHING}->{$cluri}->{phishinfo}->{$domain}[0];
- dbg("HIT! $domain [$cluri] found in $feedname feed");
+ $feedname = $self->{PHISHING}->{$stripped_cluri}->{phishinfo}->{$domain}[0];
+ dbg("HIT! $domain [$stripped_cluri] found in $feedname feed");
$pms->test_log("$feedname ($domain)");
$pms->got_hit($rulename, "", ruletype => 'eval');
return 1;