That's one heck of a regex, but I get the idea. Thank you. How much overhead would this add if it was set for 20-30 people?
Is the AllowCodeInRegex feature documented anywhere? I only see:

- it is now possible to use the regex-eval-code function in regular expressions without any restriction however - it is highly recommended to NOT enable the required hidden feature ('AllowCodeInRegex'). If regex files are not protected from unauthorized write access, assp/perl can be forced to execute any code at runtime!

I don't like doing anything you don't recommend - you obviously know your stuff. Provided my ASSP server is inaccessible to others, is this still a big risk? Why are you using the hex codes in the regex? Just preference or a requirement of using AllowCodeInRegex?

Again, thanks
Ken

On Tue, Mar 3, 2020 at 2:19 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> this regex (all in one line) example will call sub CorrectASSPcfg::tagSubject if a match is found - the values to adapt (fname, sname, domain) are bold in the original mail
>
> (?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?{local %_ = qw, fname paul sname jones domain OurCharity.org ,})(?:(??{$_{'fname'}})[.\x20_\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[,\x20](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E(?{&CorrectASSPcfg::tagSubject($fh)})
>
> this example requires the hidden variable 'AllowCodeInRegex' to be set to 1
>
> in the sub CorrectASSPcfg::tagSubject you can do and modify whatever you want (even the complete mail)
>
> modify the subject - example
>
> # in CorrectASSPcfg.pm
> sub tagSubject {
>     my $fh = shift;                       # connection handle passed from the regex
>     return unless $fh;
>     return unless exists $main::Con{$fh}; # no connection record - nothing to modify
>
>     my $this = $main::Con{$fh};
>     my $HeaderRe = $main::HeaderRe;
>     my $HeaderValueRe = $main::HeaderValueRe;
>
>     # prepend the tag to the Subject: header value
>     $this->{header} =~ s/($HeaderRe*)(subject:)($HeaderValueRe)/$1$2 your_tag$3/io;
>     # keep the stored lengths in sync with the changed header
>     $this->{maillength} = $this->{headerlength} = length($this->{header});
>
>     mlog($fh,"info: found match for local name in external mail - subject was modified");
>
>     return 1;
> }
>
> Thomas
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 18.02.2020 19:33
> Subject: Re: [Assp-test] Message body modification
> ------------------------------
>
> I know we've been round and round on this, but it continues to be a problem, and it's only getting worse. Spear phishing via CEO name spoofing is all too common and ASSP doesn't yet do all that much to protect.
>
> Today our staff got hit with another spear phishing email from a gmail account that was created with our director's name on it. The staff is trained very well and they didn't fall for it, but it was really cleverly crafted and obviously had some inside information that if followed would have been terrible for the organization. There's no way that ASSP could have detected this. It wasn't HMM/Bayesian spammy, it came from a good IP (gmail). DKIM signed, spf pass, etc. To a computer, nothing about it was bad. However, if ASSP were able to say "hey, this email has the director's name in the FROM, but it isn't from director.n...@ourcharity.org. I'd better *warn* the user" we would have been safer.
>
> My original idea was to insert an HTML warning into the body of the message like Google and other providers do. That's apparently a 100+ hour project. I tried to get funding, but got laughed at...
>
> What if instead, there were some kind of manually maintained rule based matching on the FROM line that *could modify only the subject*, instead of being overly complicated and inserting a warning in the body? Kind of like the spam prepend that low threshold mails get?
>
> Your sample rules in this thread are good, but they score the message. That's not what I'm suggesting. I do NOT want to block or even score these messages - there's plenty of times that the director sends legitimate message from personal gmail/hotmail/whatever and it of course has her name. BUT, to either have an HTML warning in the body or even just [EXTERNAL MESSAGE] or something prepended to the subject when ASSP detects this would be an outstanding feature.
>
> We really only need to check the FROM line. Sender, Reply to, etc doesn't matter. ASSP will keep doing its job blocking spoofed headers, but the NAME of the sender is what we're considering.
>
> How about something like:
> to:first:last:notfrom:WarnMsg
>
> *@ourcharity:Sally:Smith:sally.sm...@ourcharity.org:Caution: External Email
>
> matches mail sent to *@OurCharity.org, with a from line where the name (not the email address, but the name itself) is a combination of FirstName & LastName.* that ASSP tests against (.*FirstName.*LastName.*, .*Lastname.*FirstName>8, where the from email isn't sally.sm...@ourcharity.org
>
> Even better:
> *@ourcharity:Paul:Jones:paul.jo...@ourcharity.org|pjones12...@gmail.com:Caution: External Email Not From Paul
>
> Which would catch the same thing, but not warn if the message is from either Paul's known gmail account or his @OurCharity.org account.
>
> Does this simplification of the rules and only warning in the subject instead of modifying the body make this easy enough for you to implement? I understand that this isn't simple, but based on discussions that I've had with counterparts elsewhere, they're all seeing the same problem.
>
> Would a body warning be great? Of course, but since that's too much work, I'm hopeful that subject modification based on these rules could be a possibility.
>
> Thanks
>
>
> On Thu, Nov 7, 2019 at 9:46 PM K Post <nntp.p...@gmail.com> wrote:
>
> Thanks for the nudge in the right direction. I'll take a look at that regex. Showing the sender address in Outlook won't fly. It's a good idea, but users would hate it and it doesn't solve the issue for mobile users (where most of our users get tricked into a quick reply).
>
> How much would you need for a 100 hour or so sponsorship of this? I doubt our charity can come up with the funds, but I'd try!!
>
> On Mon, Nov 4, 2019 at 9:12 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> Such a feature is not worth the effort.
>
> https://www.howto-outlook.com/howto/viewsenderaddress.htm
>
> There are too many pitfalls and too many required manual configuration tweaks and exceptions to be handled.
> examples:
> - assp does not know user and mailbox names - requires manual tweaks using lists and/or regular expressions
> - to keep the manual configuration impact low, a complex and very variable LDAP and/or external scripting will be required
> - a per local domain configuration will be required
> - several bounce sender tagging mechanisms will make problems (example: <bob.jones=ourcharity....@domain.com>)
> ....
>
> So, with this feature you would have to configure matching sets for each user. But you can do this now already - in 'bombHeaderRe'. If you got a regular expression working for one user, it is easy to build them for every user.
> example:
>
> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?{local %_ = qw, fname bob sname jones domain ourcharity.org ,})(?:(??{$_{'fname'}})[. _\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[, ](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E>>>~=>YOURSCORE
>
> this example requires the hidden variable 'AllowCodeInRegex' to be set to 1 and a small change in assp.pl - will be published soon
>
> or more simple, but much more needs to be changed in each line
>
> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?:bob[. _\-]+jones|jones[, ]bob|bob.jones\@ourcharity\.org))\s*"?[^<]*<[^\@]+\@(?!ourcharity\.org)\x3E>>>~=>YOURSCORE
>
> However, if you think you need such a feature, you'll need to sponsor it or find a sponsor. I expect an effort of two weeks but not less than 100 hours to implement and test this feature as a level-1 plugin.
>
> Thomas
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 04.11.2019 00:28
> Subject: Re: [Assp-test] Message body modification
> ------------------------------
>
> Right, but what I'm trying to accomplish (as described in detail in my previous thread) is flagging, maybe just with subject modification, mail from outside senders with a name that matches one of our organization's senders. I'd love to be able to have ASSP insert a warning, not on all mail, but only when there's a suspicious name match. We can't reasonably quarantine all external email, the messages in question don't have links or attachments to block.
>
> For example Bob Jones <bob.jo...@ourcharity.org> is the real address within our organization. We're seeing name spoofing mail from Bob Jones <bob.jones.ourcharity....@gmail.com> or Bob Jones <president123mad...@gmail.com>. It shows up in outlook as Bob Jones in the inbox. Lots of times, the message even had the signature that the person actually uses. We've had even some of our most savvy users get tricked. The messages slip through assp, because they're innocuous sounding "are you in the office? I need your help" "I've got a favor to ask, reply when you get this please?" Whatever, user gets fooled, replies, and then that gmail address is whitelisted. The next mail asks for the purchase of gift cards, etc. Common scheme. If we could change even just the subject line like [Potential Spoof]: <real subject> that would help the recipient. Inserting a warning into the body would be even better!
>
> To do the matching though, we'd need to list the names of our people and their correct address and have ASSP flag only when there's a match from outside. Of course there are lots of legitimate instances where our people email from their real personal email address to our staff. Those would get a subject or body modification too, but that's okay. We don't have the budget to have a third party system do this.
>
> Would you mind taking a look at the original thread for more detail and explanation of what I'm thinking? I think it's at least worth discussion - I think there's some real value to the ASSP community being how often we're getting name spoofing messages.
>
>
> On Sat, Nov 2, 2019 at 3:34 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> simple company rules are the solution:
>
> - every mail from outside the company is subject to be malicious - opening attachments or following links in such mails requires a full manual verification of the email before any action is done - on any doubt the mail has to be quarantined
> - quarantined mails are untouchable as long as they are not released by an authorised person or system
> - every mail from outside the company passes an assp system
> - every mail from/to inside the company will never reach any assp system (except assp reporting)
> - every mail from outside contains a X-ASSP header but at least the ASSP received header - this header has to be used by the mail client and/or server to classify the mail
>
> >can I insert something into the bodies of selected messages as it is sent to the real mail server
>
> there is no such code in assp.pl - only ASSP_AFC is able to manipulate the mail body (replace attachments, SMIME)
>
> >without having that warning message saved in the corpus
>
> assp stores the incoming mail + assp headers - never the content sent to the server
>
> Thomas
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 01.11.2019 18:02
> Subject: [Assp-test] Message body modification
> ------------------------------
>
> Thomas, quick question: can I insert something into the bodies of selected messages as it is sent to the real mail server without having that warning message saved in the corpus?
>
> Early last month, I sent "An idea: Visual warnings in message body" but received no replies.
> We're seeing SO many of these, that I might try to figure this out on my own if there isn't broad appeal.
>
> Thanks
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no known virus in this email!
> *******************************************************
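The rule format proposed in this thread (internal first name, last name, the person's known addresses, and a warning to prepend to the Subject) can be checked without the code-in-regex feature the thread warns about. The following is an added example written for this page, not ASSP code: a plain Python re-implementation of the three name shapes the bombHeaderRe regexes test ("first sep last", "last, first", and "first.last@domain" used as a display name), which warns only when the matched name is not paired with one of that person's known addresses. The roster, domains, addresses and headers are constructed sample data; unlike the thread's regex it also decodes RFC 2047 encoded display names before matching and accepts more than one separator character in "Last, First".

```python
"""Display-name spoofing check for From: headers (added example, not ASSP code)."""
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed roster in the spirit of the thread's "to:first:last:notfrom:WarnMsg"
# proposal (hypothetical format, not an ASSP configuration option).
INTERNAL_DOMAINS = {"ourcharity.example"}
ROSTER = [
    {
        "first": "Paul",
        "last": "Jones",
        "known": {"paul.jones@ourcharity.example", "pjones12@gmail.example"},
        "warn": "Caution: External Email Not From Paul",
    },
    {
        "first": "Sally",
        "last": "Smith",
        "known": {"sally.smith@ourcharity.example"},
        "warn": "Caution: External Email",
    },
]

# Same optional honorific prefix as the thread's regex.
HONORIFIC = re.compile(r"^(?:Mrs?|Ms|Miss|Dr|Prof)\.?\s*", re.IGNORECASE)


def decode_display_name(raw: str) -> str:
    """Decode RFC 2047 encoded words so an encoded name cannot hide from the match."""
    parts = []
    for frag, enc in decode_header(raw):
        parts.append(frag.decode(enc or "ascii", "replace") if isinstance(frag, bytes) else frag)
    return "".join(parts)


def name_matches(display: str, first: str, last: str) -> bool:
    """The three shapes from the thread: 'first sep last', 'last, first', 'first.last@domain'."""
    name = HONORIFIC.sub("", display.strip().strip('"').strip())
    f, l = re.escape(first), re.escape(last)
    doms = "|".join(re.escape(d) for d in INTERNAL_DOMAINS)
    shapes = (
        rf"^{f}[.\s_\-]+{l}\b",      # "Paul Jones", "paul.jones", "Paul_Jones"
        rf"^{l}[,\s]+{f}\b",         # "Jones, Paul"
        rf"^{f}\.{l}@(?:{doms})\b",  # internal address used as the display name
    )
    return any(re.match(p, name, re.IGNORECASE) for p in shapes)


def check_from(from_value: str):
    """Return the warning to prepend, or None when the From: line raises no flag."""
    display, addr = parseaddr(from_value)
    display = decode_display_name(display)
    addr = addr.lower()
    for person in ROSTER:
        if not name_matches(display, person["first"], person["last"]):
            continue
        # The name belongs to an internal person: accepted only from their known addresses.
        if addr in person["known"]:
            return None
        return person["warn"]
    return None


def tag_subject(subject: str, from_value: str) -> str:
    """Prepend the warning to the Subject and leave the body untouched (the thread's ask)."""
    warn = check_from(from_value)
    return f"[{warn}] {subject}" if warn else subject


# Constructed From: header values and the expected verdict for each.
SAMPLES = [
    ("Paul Jones <paul.jones@ourcharity.example>", None),
    ("Dr. Paul Jones <pjones12@gmail.example>", None),
    ('"Jones, Paul" <president123@gmail.example>', "Caution: External Email Not From Paul"),
    ('"paul.jones@ourcharity.example" <attacker@gmail.example>', "Caution: External Email Not From Paul"),
    ("=?UTF-8?Q?Paul_Jones?= <ceo123@gmail.example>", "Caution: External Email Not From Paul"),
    ("Paula Jones <paula@gmail.example>", None),
    ("sally.smith@ourcharity.example", None),
]

if __name__ == "__main__":
    for hdr, _ in SAMPLES:
        print(f"{hdr!r:62} -> {check_from(hdr)}")
```

The check deliberately scores nothing and blocks nothing; it only decides whether a Subject tag is warranted, which is the behaviour K Post asked for. The bounce-sender tagging pitfall Thomas lists still applies: an address such as bob.jones=ourcharity.org@domain.com carries the internal name in its local part but is not in the known list, so it would be tagged unless added there.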