the unknown phishing link

thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

the unknown phishing link

Post by thewomble »

Just like viruses, there are also zero day phishing links that have not filtered into any urbl list.

I am trying to get MailScanner/SA, as part of a spam check, to give a score to URLs on certain free hosting web-sites.

In local.cf I have added

Code:

body		WOMBLE_FREEWEB	/tripod\.com|freewebs\.com/
score		WOMBLE_FREEWEB	0.1
describe	WOMBLE_FREEWEB	Body contains link to free website hosting domain

I sent an email in with the phishing link of http://xc-1-n.tripod.com/ which did not trigger the rule.
So I sent the email in with a click here hyperlink to http://xc-1-n.tripod.com/, which again did not trigger the rule.

Are there any SA boffins out there that can help?

I am looking to score *.tripod.com, which would pick up xc-1.tripod.com. We have also had phishing using freewebs.com, so I am looking to add further domains as appropriate.

I am scoring as 0.1 while I play around, looking to increase it later, maybe to 3, and create a whitelist rule (if there are any legit web-sites), but I do not think we will have any as I have already blocked freewebs.com on our outbound proxy. I am looking to protect our mobile road warriors, as they do not go via the proxy when out and about.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: the unknown phishing link

Post by shawniverson »

Did you run sa-update and sa-compile? Restarted MailScanner?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: the unknown phishing link

Post by pdwalker »

Yes, let us know if that worked.
thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

Re: the unknown phishing link

Post by thewomble »

I did do both of those.

I did some more reading and found another example that used rawbody.

I changed

body TRIPOD1 /\.tripod\.com/

to

Code:

rawbody     TRIPOD1   /\.tripod\.com/

and compiled and restarted MailScanner. It did not work. I went to bed, went to have a look the following day and found it was working. Is there a cache somewhere?
thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

Re: the unknown phishing link

Post by thewomble »

I did end up using this:

Code:

rawbody		WOMBLE_FREEWEB	/tripod\.com|freewebs\.com|wix\.com|ukit\.com/
score		WOMBLE_FREEWEB	4.00
describe	WOMBLE_FREEWEB	Body contains hyperlink to free website hosting domain (phishing?) low security

At least the message is tagged as spam; if it fails other tests it can quite easily get to a score where it is quarantined.
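
The matching the rules in this thread are after, as an added example (not code from the thread, MailScanner or SpamAssassin): a Python script that compares the unanchored substring pattern from the last rule with a check on each URL's host, so the cases where a 4.00 score would land on unrelated mail are visible. The sample bodies, function names and the lookalike domains are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains taken from the final rule in the thread.
FREE_HOSTS = ("tripod.com", "freewebs.com", "wix.com", "ukit.com")

# The thread's final pattern: an unanchored substring match on the raw body.
THREAD_RE = re.compile(r"tripod\.com|freewebs\.com|wix\.com|ukit\.com")

# Pull candidate URLs out of plain text or HTML (href values included).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_free_hosting(url):
    """True only when the URL's host is a listed domain or a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return False
    return any(host == d or host.endswith("." + d) for d in FREE_HOSTS)


def scan(body):
    """Return (substring_hit, [URLs whose host is on the list])."""
    urls = URL_RE.findall(body)
    hits = [u for u in urls if host_is_free_hosting(u)]
    return bool(THREAD_RE.search(body)), hits


# Constructed sample bodies (not real mail).
SAMPLES = {
    "plain_link": "Verify your account at http://xc-1-n.tripod.com/ today",
    "html_link": '<a href="http://xc-1-n.tripod.com/">click here</a>',
    "lookalike": "Our shop: https://www.camera-tripod.com/offers",
    "other_parent": "See http://wix.com.example.net/login",
    "text_only": "We moved our site off tripod.com last year",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

The last three samples hit the substring pattern without containing a link to any of the listed hosting domains, which is the false-positive surface to weigh before raising the score.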