Re: [Assp-test] Message body modification

Mon, 02 Mar 2020 23:18:56 -0800 

this regex (all in one line) example will call sub 
CorrectASSPcfg::tagSubject if a match is found - values are bold

(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? 
*)?(?{local %_ = qw, fname paul  sname jones  domain OurCharity.org 
,})(?:(??{$_{'fname'}})[.\x20_\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[,\x20](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E(?{&CorrectASSPcfg::tagSubject($fh)})


this example requires the hidden variable 'AllowCodeInRegex' to be set to 
1 




in the sub CorrectASSPcfg::tagSubject you can do and modify what ever you 
want (even the complete mail)

modify the subject - example

my $fh = shift;
return unless $fh;
return unless exists $main::Con{$fh};

my $this = $main::Con{$fh};
my $HeaderRe = $main::HeaderRe;
my $HeaderValueRe = $main::HeaderValueRe;

$this->{header} =~ s/($HeaderRe*)(subject:)($HeaderValueRe)/$1$2 
your_tag$3/io;
$this->{maillength} = $this->{headerlength} = length($this->{header});

mlog($fh,"info: found match for local name in external mail - subject was 
modified");

return 1;



Thomas



Von:    "K Post" <nntp.p...@gmail.com>
An:     "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Datum:  18.02.2020 19:33
Betreff:        Re: [Assp-test] Message body modification



I know we've been round and round on this, but it continues to be a 
problem, and it's only getting worse.   Spear phishing via CEO name 
spoofing is all too common and ASSP doesn't yet do all that much to to 
protect.

Today our staff got hit with another spear phishing email from a gmail 
account that was created with our director's name on it.  The staff is 
trained very well and they didn't fall for it, but it was really cleverly 
crafted and obviously had some inside information that if followed would 
have been terrible for the organization.  There's no way that ASSP could 
have detected this.  It wasn't HMM/Bayesian spammy, it came from a good IP 
(gmail).  DKIM signed, spf pass, etc.  To a computer, nothing about it was 
bad.  However, if ASSP were able to say "hey, this email has the 
director's name in the FROM, but it isn't from 
director.n...@ourcharity.org.  I'd better warn the user" we would have 
been safer.

My original idea was to insert an HTML warning into the body of the 
message like Google and other providers do.  That's apparently a 100+ hour 
project.  I tried to get funding, but got laughed at...

What if instead, there were some kind of manually maintained rule based 
matching on the FROM line that could modify only the subject. instead of 
being overly complicated and inserting a warning in the body?  Kind of 
like the spam prepend that low threshold mails get?  

Your sample rules in this thread are good, but they score the message.  
That's not what I'm suggesting.  I do NOT want to block or even score 
these messages - there's plenty of times that the director sends 
legitimate message from personal gmail/hotmail/whatever and it of course 
has her name.  BUT, to either have an HTML warning in the body or even 
just [EXTERNAL MESSAGE] or something prepended to the subject when ASSP 
detects this would be an outstanding feature.

We really only need to check the FROM line.  Sender, Reply to, etc doesn't 
matter.  ASSP will keep doing it's job blocking spoofed headers, but the 
NAME of the sender is that we're considering.

How about something like:
to:first:last:notfrom:WarnMsg

*@ourcharity:Sally:Smith:sally.sm...@ourcharity.org:Caution: External 
Email

matches mail sent to *@OurCharity.org, with a from line where the name 
(not the email address, but the name itself) is a combination of FirstName 
& LastName.* that ASSP tests against (.*FirstName.*LastName.*, 
.*Lastname.*FirstName>8, where the from email isn't 
sally.sm...@ourcharity.org

Even better:
*@ourcharity:Paul:Jones:paul.jo...@ourcharity.org|pjones12...@gmail.com:Caution:
 
External Email Not From Paul

Which would catch the same thing, but not warn if the message is from 
either Paul's known gmail account or his @OurCharity.org account.

Does this simplification of the rules and only warning in the subject 
instead of modifying the body make this easy enough for you to implement? 
I understand that this isn't simple, but based on discussions that I've 
had with counterparts elsewhere, they're all seeing the same problem.

Would a body warning be great?  Of course, but since that's too much work, 
I'm hopeful that subject modification based on these rules could be a 
possibility.

Thanks






On Thu, Nov 7, 2019 at 9:46 PM K Post <nntp.p...@gmail.com> wrote:
Thanks for the nudge in the right direction.  I'll take a look at that 
regex Showing the sender address in Outlook won't fly.  It's a good idea, 
but users would hate it and it doesn't solve the issue for mobile users 
(where most of our users get tricked into a quick reply).

How much would you need for a 100 hour or so sponsorship of this?  I doubt 
our charity can come up with the funds, but I'd try!!

On Mon, Nov 4, 2019 at 9:12 AM Thomas Eckardt <thomas.ecka...@thockar.com> 
wrote:
Such a feature is not worth the effort. 

https://www.howto-outlook.com/howto/viewsenderaddress.htm 

There are too many pitfalls and too many required manual configuration 
tweaks and exceptions to be handled. 
examples: 
- assp does not know user and mailbox names - requires manual tweaks using 
lists and/or regular expressions 
- to keep the manual configuration impact low, a complex and very variable 
LDAP and/or external scripting will be required 
- a per local domain configuration will be required 
- several bounce sender tagging mechanism will make problems (example: <
bob.jones=ourcharity....@domain.com> ) 
.... 

So, with this feature you would have to configure matching sets for each 
user. But you can do this now already - in 'bombHeaderRe'. If you got a 
regular expression working for one user, it is easy to build them for 
every user. 
example: 

~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? 
*)?(?{local %_ = qw, fname bob  sname jones  domain ourcharity.org 
,})(?:(??{$_{'fname'}})[. _\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[, 
](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E>>>~=>YOURSCORE
 


this example requires the hidden variable 'AllowCodeInRegex' to be set to 
1 
and a small change in assp.pl - will be published soon 

or more simple, but much more needs to be change in each line 

~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? 
*)?(?:bob[. _\-]+jones|jones[, ]bob|bob.jones\@ourcharity\.org
))\s*"?[^<]*<[^\@]+\@(?!ourcharity\.org)\x3E>>>~=>YOURSCORE 



How ever, if you think you need such a feature, you'll need to sponsor it 
or find a sponsor. I expect an effort of two weeks but not less than 100 
hours to implement and test this feature as a level-1 plugin. 

Thomas





Von:        "K Post" <nntp.p...@gmail.com> 
An:        "ASSP development mailing list" <
assp-test@lists.sourceforge.net> 
Datum:        04.11.2019 00:28 
Betreff:        Re: [Assp-test] Message body modification 



Right, but what I'm trying to accomplish (as described in detail in my 
previous thread) is flagging, maybe just with subject modification mail 
from outside senders with a name that matches one of our organization's 
senders.  I'd love to be able to have ASSP insert a warning, not on all 
mail, but only when there's a suspicious name match.  We can't reasonably 
quarantine all external email, the messages in question don't have links 
or attachments to block. 

For example Bob Jones <bob.jo...@ourcharity.org> is the real address 
within our organization.  We're seeing name spoofing mail from Bob Jones <
bob.jones.ourcharity....@gmail.com> or Bob Jones <
president123mad...@gmail.com>.  It shows up in outlook as Bob Jones in the 
inbox.   Lots of times, the message even had the signature that the person 
actually uses.  We've had even some of our most savvy users get tricked.  
 The messages slips through assp, because they're innocuous sounding "are 
you in the office? I need your help"  "I've got a favor to ask, reply when 
you get this please?"  Whatever, user gets fooled, replies, and then that 
gmail address is whitelisted.  The next mail asks for the purchase of gift 
cards, etc.  Common scheme.  If we could change even just the subject line 
like [Potential Spoof]: <real subject> that would help the recipient.  
Inserting a warning into the body would be even better! 

To do the matching though, we'd need to list the names our people and 
their correct address and have ASSP flag only when there's a match from 
outside.   Of course there are lots of legitimate instances where our 
people email from their real personal email address to our staff.  Those 
would get a subject or body modification too, but that's okay.  We don't 
have the budge to have a third part system do this.   

Would you mind taking a look at the original thread for more detail and 
explanation of what I'm thinking?  I think it's at least worth discussion 
- I think there's some real value to the ASSP community being how often 
we're getting name spoofing messages.   


On Sat, Nov 2, 2019 at 3:34 AM Thomas Eckardt <thomas.ecka...@thockar.com> 
wrote: 
simple company rules are the solution: 

- every mail from outside the company is subject to be malicious - open 
attachments or following links in such mails, requires a full manually 
verification of the email before any action is done - on any doubt the 
mail has to be quarantained 
- qurantined mails are untouchable as long as they are not released by an 
authorisized person or system 
- every mail from outside the company passed an assp system 
- every mail from/to inside the company will never reach any assp system 
(except assp reporting) 
- every mail from outside contains a X-ASSP header but at least the ASSP 
received header - this header has to be used by the mail client and/or 
server to classify the mail 

>can I insert something into the bodies of selected messages as it is sent 
to the real mail server 

there is no such code in assp.pl - only ASSP_AFC is able to manipulate the 
mail body (replace attachments , SMIME) 

>without having that warning message saved in the corpus

assp stores the incoming mail + assp headers  - never the content sent to 
the server 

Thomas 



Von:        "K Post" <nntp.p...@gmail.com> 
An:        "ASSP development mailing list" <
assp-test@lists.sourceforge.net> 
Datum:        01.11.2019 18:02 
Betreff:        [Assp-test] Message body modification 



Thomas, quick question: can I insert something into the bodies of selected 
messages as it is sent to the real mail server without having that warning 
message saved in the corpus? 

Early last month, I sent "An idea: Visual warnings in message body" but 
received no replies.   
We're seeing SO many of these, that I might try to figure this out on my 
own if there isn't broad appeal.   

Thanks 

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************



_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test






















					Reply via email to