Hi,
Ned Slider wrote:
>First up, from Mike's inspiration above, I came up with these:
I took your rule and added some meta rules to it. I'm getting hits on
phishes, but I haven't seen any legitimate traffic hit it.
This may be that I have not seen any real bank mail or it could be that
it misses it completely.
I don't have time to test it fully right now, so play at your peril.
# Sub-rules (no score): which dnswl-firsttrusted category the first trusted relay falls in.
# The dnswl-firsttrusted set is the one SA's stock __RCVD_IN_DNSWL check_rbl rule queries.
header __LOCAL_BANK_0 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.2.\d+')
describe __LOCAL_BANK_0 Banks
tflags __LOCAL_BANK_0 nice net
header __LOCAL_BANK_1 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.3.\d+')
describe __LOCAL_BANK_1 Email service providers
tflags __LOCAL_BANK_1 nice net
header __LOCAL_BANK_2 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.4.\d+')
describe __LOCAL_BANK_2 Organisations
tflags __LOCAL_BANK_2 nice net
header __LOCAL_BANK_3 eval:check_rbl_sub('dnswl-firsttrusted', '127.0.15.\d+')
describe __LOCAL_BANK_3 Email Marketing Providers
tflags __LOCAL_BANK_3 nice net
# Sender claims to be a bank (primary domain only); SA rules must stay on one line.
header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)\.(com|co\.uk)/i
describe LOCAL_FROM_BANK From a bank
# Meta rules must reference the sub-rules by their full __ names.
meta LOCAL_BANK_OK (LOCAL_FROM_BANK && (__LOCAL_BANK_0 || __LOCAL_BANK_1 || __LOCAL_BANK_2 || __LOCAL_BANK_3))
score LOCAL_BANK_OK -0.1
meta LOCAL_BANK_BAD (LOCAL_FROM_BANK && !(__LOCAL_BANK_0 || __LOCAL_BANK_1 || __LOCAL_BANK_2 || __LOCAL_BANK_3))
score LOCAL_BANK_BAD 0.1
Rgds
n
Mike Cardwell wrote:
Marc Perkel wrote:
Or maybe I'm trying to reinvent a wheel someone already has up and
running :-)
a bank without SPF or DKIM signing is NOT worth using
Yes - but I think what he's saying is that you have to start with a
list of bank domains, then test those domains with higher scrutiny.
Does such a list exist? One of my users was getting a lot of spam
pretending to be from banks. I ended up just compiling a regular
expression to match against the from header of the emails:
@([-a-zA-Z0-9\.]+[-\.])?(rbs|barclays|halifax|secure-halifax|hsbc|natwest|nationwide|northernbank|cbonline|ybonline|co-operativebank|bank-of-ireland|bankofengland|lloydstsb|bankofscotland|firstdirect|alliance-leicester|abbeynational|egg|new\.egg|woolwich|firsttrustbank|ulsterbank|citibank|icicibank)\.(com|co\.uk)
It's far from comprehensive obviously, but it covers most of what he
was receiving.
If that regular expression matches, and the connecting host is in a
list of what I refer to as "dodgy countries," then I reject the email.
OK, time for some rules to get this thread back on track :)
First up, from Mike's inspiration above, I came up with these:
header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)\.(com|co\.uk)/i
describe LOCAL_FROM_BANK From a bank
header LOCAL_FROM_BANK_NET From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)\.net/i
describe LOCAL_FROM_BANK_NET Banks don't send from .net
header LOCAL_FROM_BANK_OBF From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline)[-a-zA-Z0-9]{1,5}\.(com|co\.uk|net)/i
describe LOCAL_FROM_BANK_OBF From an obfuscated bank-like domain
Hopefully the last two are self-explanatory, and with the first I
chose to only test the primary domain (as opposed to Mike's example
above) as I notice this matches the vast majority of phishing examples
I'm seeing, and most legitimate bank emails appear to be sent From
subdomains (e.g., email.bank.com) so shouldn't trigger false positives
on this rule.
Maybe they could be further split into domains known never to send
legitimate mail to allow for higher scoring.
Now for some URI rules I've been experimenting with, again originating
from what I've observed in phishing examples, but maybe more widely
applicable (UK examples given but feel free to adapt to your
country/tld of choice):
uri LOCAL_URI_PHISH_UK m{https?://.{1,40}\.(ac|co|gov)\.uk\.\w}
describe LOCAL_URI_PHISH_UK contains obfuscated UK phish link of form example.co.uk.something
uri LOCAL_URI_PHISH_UK2 m{https?://.{1,40}\.(ac|co|gov)-uk\.\w}
describe LOCAL_URI_PHISH_UK2 contains obfuscated UK phish link of form example.co-uk.something
uri LOCAL_URI_PHISH_UK3 m{https?://.{1,40}/.{1,60}\.(ac|co|gov)\.uk}
describe LOCAL_URI_PHISH_UK3 contains obfuscated UK phish link of form example.com/bank.co.uk
uri LOCAL_URI_HIDDEN_DIR m{https?://.{1,40}/\.\w}
describe LOCAL_URI_HIDDEN_DIR contains hidden directory of form example.com/.something
The first two I've been running for a while and they pretty much catch
what they are intended to (I think that SA contains a similar rule for
.com already). The third rule is something I'm just testing and may be
prone to FPs, and the fourth might be indicative of a hacked server
with a hidden phishing directory.
Any comments?
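The From:addr rules from both posts, the LOCAL_BANK_OK/BAD meta logic and the uri rules above, re-expressed in Python as an added example (not code from the thread) so their hits can be checked offline against constructed samples. It assumes the dnswl-firsttrusted lookup has already been resolved and only its return codes are passed in; no DNS is queried.

```python
import re
# Bank list copied from the thread's From:addr regexes (added example).
BANKS = (r"abbey|abbeyinternational|abbeynational|abbey-online|alliance-leicester"
         r"|bankofamerica|barclays|cahoot|cbonline|citibank|co-operativebank|egg"
         r"|firstdirect|halifax|hbos|hsbc|lloydstsb|llyodstsb|natwest|nationwide"
         r"|newegg|neweggbank|northernbank|rbs|secure-halifax|woolwich|ybonline")

# From:addr rules exactly as posted (unanchored, primary domain only).
FROM_RULES = {
    "LOCAL_FROM_BANK": re.compile(r"@(" + BANKS + r")\.(com|co\.uk)", re.I),
    "LOCAL_FROM_BANK_NET": re.compile(r"@(" + BANKS + r")\.net", re.I),
    "LOCAL_FROM_BANK_OBF": re.compile(
        r"@(" + BANKS + r")[-a-zA-Z0-9]{1,5}\.(com|co\.uk|net)", re.I),
}
# uri rules from the second post; SA applies them to each extracted URI.
URI_RULES = {
    "LOCAL_URI_PHISH_UK": re.compile(r"https?://.{1,40}\.(ac|co|gov)\.uk\.\w"),
    "LOCAL_URI_PHISH_UK2": re.compile(r"https?://.{1,40}\.(ac|co|gov)-uk\.\w"),
    "LOCAL_URI_PHISH_UK3": re.compile(r"https?://.{1,40}/.{1,60}\.(ac|co|gov)\.uk"),
    "LOCAL_URI_HIDDEN_DIR": re.compile(r"https?://.{1,40}/\.\w"),
}
# Return codes the __LOCAL_BANK_0..3 sub-rules accept from dnswl-firsttrusted.
DNSWL_TRUSTED = re.compile(r"^127\.0\.(2|3|4|15)\.\d+$")

def evaluate(from_addr, uris=(), dnswl_codes=()):
    """Return the rule names that fire. dnswl_codes holds the A records
    assumed already resolved from list.dnswl.org (no DNS lookup is done)."""
    hits = {name for name, rx in FROM_RULES.items() if rx.search(from_addr)}
    hits |= {name for name, rx in URI_RULES.items()
             if any(rx.search(u) for u in uris)}
    # Meta rules: a bank sender is OK only if the first trusted relay is listed.
    if "LOCAL_FROM_BANK" in hits:
        listed = any(DNSWL_TRUSTED.match(c) for c in dnswl_codes)
        hits.add("LOCAL_BANK_OK" if listed else "LOCAL_BANK_BAD")
    return hits

# Constructed samples (not real mail): (From:addr, URIs in body, DNSWL codes).
SAMPLES = {
    "legit_subdomain": ("alerts@email.barclays.co.uk", [], ["127.0.2.1"]),
    "legit_primary": ("alerts@hsbc.co.uk", [], ["127.0.2.5"]),
    "phish_primary": ("security@barclays.co.uk",
                      ["http://login.barclays.co.uk.example.test/x"], []),
    "phish_obfuscated": ("alerts@hsbc-uk.com", [], []),
    "phish_hidden_dir": ("service@hsbc.net",
                         ["http://example.test/.hsbc/login.php"], []),
}

def report():  # rule hits per sample, sorted for stable comparison
    return {k: sorted(evaluate(*v)) for k, v in SAMPLES.items()}
```

The subdomain sample shows why the primary-domain-only match avoids the false positive the post mentions, while the hidden-directory and .co.uk.something samples show the uri rules firing independently of the sender checks.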