https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6848

          Priority: P2
            Bug ID: 6848
          Assignee: [email protected]
           Summary: HTML URI spoofing detection
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: [email protected]
          Hardware: PC
            Status: NEW
           Version: unspecified
         Component: RuleQA
           Product: Spamassassin

Hello,

This is a "duplicate" of several bug reports, or call it a boomerang.

I wrote to the sa-users mailing list about a specific problem with some specific
spams. In the beginning I wrote rawbody rules with complex regexes, but following
advice given by a few mailing list users, I ended up with this basic use of the
URIDetail plugin.

And now I would like to submit a few rules to the ruleqa. Of course, as it's
specific to a spam campaign, I expect those rules to fail this test, but it
could be a good idea to store them as a useful "template" for spoofed URIs and
other phishing attempts.

# requires the URIDetail plugin (loadplugin Mail::SpamAssassin::Plugin::URIDetail in a .pre file);
# the ifplugin guard keeps the config loading cleanly if the plugin is absent
ifplugin Mail::SpamAssassin::Plugin::URIDetail
## Canada Post
uri_detail   AJB_CANPOST_BADLINK   raw !~ /canadapost\./ text =~ /(?:https?:\/\/|www\.)canadapost\./ type =~ /^a$/
describe     AJB_CANPOST_BADLINK   Found a mismatch between href and anchored text pretending to link to www.canadapost.ca
score        AJB_CANPOST_BADLINK   1.0
## youtube
uri_detail   AJB_UTUBE_BADLINK     raw !~ /youtube\./ text =~ /(?:https?:\/\/|www\.)youtube\./ type =~ /^a$/
describe     AJB_UTUBE_BADLINK     Found a mismatch between href and anchored text pretending to link to www.youtube.com
score        AJB_UTUBE_BADLINK     0.5
# because of link trackers (from a mass mailer, for example), we must meta this
# with other rules to be sure we face our fake youtube botnet
header       __AJB_EMPTY_SUBJ      Subject =~ /^$/
meta         AJB_FK_UTUBE_BOTNET   AJB_UTUBE_BADLINK && MIME_HTML_ONLY && __AJB_EMPTY_SUBJ
describe     AJB_FK_UTUBE_BOTNET   mismatch between href and anchored text + empty subject = botnet
score        AJB_FK_UTUBE_BOTNET   5.5
endif

Those rules are pretty effective against the spam campaigns hitting my servers,
and I'm already working on rules of this kind for other spoofed domains
like Royal Bank of Canada, Paypal and ING Direct (with metas on the Received
header).

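To make the href/anchor-text mismatch check concrete, here is a small Python model of how the rules in the report evaluate against an HTML body: it extracts the same three fields URIDetail exposes for an anchor (raw href, visible text, tag type), applies the two uri_detail predicates, and then the meta rule with the empty-Subject condition. This is an added example, not code from the reporter or from the SpamAssassin URIDetail plugin; the sample messages are constructed, the host 198.51.100.7 and the domain click.example.net are placeholders, and the Subject value and the MIME_HTML_ONLY verdict are passed in directly instead of being derived from a real message.

```python
import re
from html.parser import HTMLParser


class AnchorCollector(HTMLParser):
    """Collect, for each <a> element, the fields URIDetail exposes:
    raw (the href as written), text (the visible anchor text), type ('a')."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None      # not None while inside an <a ...> element
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:   # text inside nested <b>, <span>... is still anchor text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append({"type": "a", "raw": self._href,
                                 "text": "".join(self._text).strip()})
            self._href = None


def anchors(html):
    p = AnchorCollector()
    p.feed(html)
    p.close()
    return p.anchors


# brand -> (rule name, score), mirroring the two uri_detail rules in the report
BADLINK_RULES = {
    "canadapost": ("AJB_CANPOST_BADLINK", 1.0),
    "youtube": ("AJB_UTUBE_BADLINK", 0.5),
}


def badlink_hits(html):
    """Names of the *_BADLINK rules fired by any anchor in the HTML.

    A rule fires when the visible text looks like a URL on the brand's domain
    (https?:// or www. prefix) while the href does not mention the brand at all.
    As in the original rules, matching is case-sensitive and substring-based."""
    hits = set()
    found = anchors(html)
    for brand, (name, _) in BADLINK_RULES.items():
        raw_re = re.compile(re.escape(brand) + r"\.")                           # raw !~ /brand\./
        text_re = re.compile(r"(?:https?://|www\.)" + re.escape(brand) + r"\.")  # text =~ /(?:https?:\/\/|www\.)brand\./
        for a in found:
            if a["type"] == "a" and not raw_re.search(a["raw"]) and text_re.search(a["text"]):
                hits.add(name)
    return hits


def score_message(html, subject, mime_html_only=True):
    """Apply the BADLINK rules plus the AJB_FK_UTUBE_BOTNET meta rule.

    subject is the Subject header value (assumed present); mime_html_only stands
    in for the stock MIME_HTML_ONLY rule. Returns (sorted rule names, total score)."""
    hits = badlink_hits(html)
    total = sum(s for _, (n, s) in BADLINK_RULES.items() if n in hits)
    empty_subject = re.search(r"^$", subject) is not None   # header __AJB_EMPTY_SUBJ Subject =~ /^$/
    if "AJB_UTUBE_BADLINK" in hits and mime_html_only and empty_subject:
        hits.add("AJB_FK_UTUBE_BOTNET")
        total += 5.5
    return sorted(hits), total


# Constructed sample bodies (not real spam); 198.51.100.7 and click.example.net are placeholders.
PHISH = ('<html><body><p>Your parcel is waiting.</p>'
         '<a href="http://198.51.100.7/track/"><b>http://www.canadapost.ca</b>/cpotools/track</a>'
         '</body></html>')
LEGIT = '<a href="https://www.canadapost.ca/">www.canadapost.ca</a>'
BRAND_ONLY = '<a href="http://198.51.100.7/track/">Canada Post tracking</a>'
TRACKER = '<a href="http://click.example.net/c?u=123">www.youtube.com/watch?v=abc</a>'

if __name__ == "__main__":
    for label, html, subj in [("phish", PHISH, "Parcel notification"),
                              ("legit", LEGIT, "Parcel notification"),
                              ("brand name only in text", BRAND_ONLY, "Parcel notification"),
                              ("tracker, real subject", TRACKER, "Weekly newsletter"),
                              ("tracker, empty subject", TRACKER, "")]:
        print(f"{label:26} {score_message(html, subj)}")
```

Two things the samples make visible. The text regex requires the visible text to look like a URL, so "Canada Post tracking" anchored to a bare IP is deliberately out of scope (the BRAND_ONLY case); and the TRACKER body is exactly the newsletter-through-a-click-tracker situation the comment in the report warns about, which is why the youtube rule alone scores only 0.5 and the heavy score is reserved for the meta that also needs an HTML-only message with an empty Subject. Note also that, like the original rules, both regexes are case-sensitive, so a href or anchor text written as CanadaPost.ca escapes them; adding the /i modifier would widen the match. The model takes the Subject value as given and does not reproduce SpamAssassin's handling of a Subject header that is entirely absent.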