SpamAssassin rule for blocking phishing email

I found it on the SpamAssassin SVN trunk; you may get some ideas from these rules.

CODE:
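  # Phishing rules taken from the SpamAssassin SVN trunk (experimental T_* / TVD_* set).
  # The commented "# 0.142  0.1814 ..." rows are mass-check hit-frequency lines in the
  # usual column order OVERALL%  SPAM%  HAM%  S/O  RANK  SCORE  NAME; they are kept
  # verbatim as documentation of how each rule performed when it was written.
  # Rule names beginning with "__" are subrules: they score nothing on their own and only
  # feed the "meta" rules below.  NORMAL_HTTP_TO_IP and __ENV_AND_HDR_FROM_MATCH are
  # referenced here but defined in other rule files of the distribution, not in this one.
  #
  # 0.142   0.1814   0.0085    0.955   0.63    0.01  T_PH_SEC
  # 0.159   0.2061   0.0000    1.000   0.66    0.01  T_PH_REC
  # Body phrases of the form "your ... account ... security|record".
  body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
  body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
  describe TVD_PH_SEC Message has a phrase standard for phishing mails
  describe TVD_PH_REC Message has a phrase standard for phishing mails
  #
  # 0.234   0.2997   0.0123    0.961   0.68    0.01  T_PH_TVD_7
  # 0.112   0.1390   0.0012    0.992   0.61    0.01  T_PH_TVD_1
  body TVD_PH_7 /\baccount .{0,20}suspen/i
  body TVD_PH_1 /Dear valued .{1,40}(?:member|customer)/i
  #
  # 0.153   0.1964   0.0057    0.972   0.64    0.01  T_PH_TVD_FR5
  # __PH_TVD_FROM2 matches any From: address whose domain part contains "ebay".  On its
  # own that is meaningless; it only scores when the envelope sender and the header From
  # do NOT agree (__ENV_AND_HDR_FROM_MATCH is defined elsewhere).
  header __PH_TVD_FROM2 From:addr =~ /\@.*ebay/i
  meta TVD_PH_FR5 !__ENV_AND_HDR_FROM_MATCH && __PH_TVD_FROM2
  #
  # 0.134   0.1736   0.0000    1.000   0.64    0.01  T_PP_PHISH
  # 0.124   0.1608   0.0000    1.000   0.64    0.01  T_EB_PHISH
  # From:addr is the *claimed* header address; nothing here authenticates it, so these
  # two subrules are never scored alone and are only one leg of a meta that also needs
  # an http:// link pointing at a raw IP address (NORMAL_HTTP_TO_IP, defined elsewhere).
  header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
  header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
  meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
  meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
  #
  # 0.209   0.2612   0.0033    0.987   0.69    1.00  TVD_SUBJ_ACC_NUM
  # FIX: the posted listing read "headerTVD_SUBJ_ACC_NUM" (no space after the keyword),
  # which does not parse as a rule, so TVD_SUBJ_ACC_NUM was never actually defined.
  # Note the "\#" - an unescaped "#" would be treated as the start of a config comment.
  header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
  describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
  #
  # bug 4457
  # this may be dealt with by other/less complex rules
  header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing )?(?:records?|information|account)'i
  body __LOCAL_PP_B_UPD m'(?:confirm|update|verify) (?:your|the) (?:(?:current|billing) )?(?:records?|information|account|identity)'i
  # FIX: the dots in the host name are now escaped; unescaped "." matched any character.
  body __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/cgi-bin/webscr\?'i
  # Fires on a URI whose host is neither paypal.com nor a subdomain of it.  The lookahead
  # inspects the whole host and requires a path/port/query/fragment boundary or the end
  # of the URI right after "paypal.com", so a host that merely begins with "paypal.com"
  # and then continues is counted as non-PayPal, while "paypal.com" itself and its
  # subdomains are not.  The posted listing only applied the lookahead after the first
  # host label: a bare "paypal.com" host was treated as foreign (false positive on the
  # meta below) and a longer host beginning with "paypal.com" was treated as genuine.
  # "\#" is escaped for the config parser; "-" is last in each class so it is literal.
  uri __LOCAL_PP_NONPPURL m'https?://(?!(?:[A-Za-z0-9_-]+\.)*paypal\.com(?:[/:?\#]|$))[A-Za-z0-9_-]+\.[A-Za-z0-9_.-]+'i
  # Claimed PayPal sender + "update your account" wording (or the PayPal CGI URL in the
  # text) + at least one link to a non-PayPal host.
  meta T_LOCAL_PP_UPD_BADURL (__FROM_PAYPAL && ((__LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
  describe T_LOCAL_PP_UPD_BADURL paypal account update, but has bad URL
  #
  #
  # The eval rule below only exists when the HTTPSMismatch plugin is loaded.
  ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
  #
  # bug 4255: with some ideas from Fred Tarasevicius I came up with a rule that
  # performs pretty decently, worthy of a general mass-check:
  # 0.186   0.2273   0.0030    0.987   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_12
  # 0.186   0.2273   0.0030    0.987   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_13
  # 0.185   0.2253   0.0015    0.993   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_10
  # 0.187   0.2280   0.0045    0.981   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_14
  # 0.186   0.2266   0.0030    0.987   0.66    0.01  T_HTTPS_HTTP_MISMATCH_1_11
  # 0.189   0.2280   0.0119    0.951   0.65    0.01  T_HTTPS_HTTP_MISMATCH_1_15
  # 0.003   0.0013   0.0089    0.129   0.43    0.01  T_HTTPS_HTTP_MISMATCH_11_15
  # 0.019   0.0013   0.0965    0.014   0.33    0.01  T_HTTPS_HTTP_MISMATCH_11_20
  # generally, hams seem to have a lot of links, whereas phishing mails don't.
  # so compare the domains between https? href and https anchor text, and flag
  # if the number of anchors is inside the given range and the domains don't
  # match.
  # FYI: these rules don't overlap HTTPS_IP_MISMATCH as IPs are ignored in the
  # href -- IPs tend not to be used in ham, so don't bother with the overhead of
  # this rule.  though the two rules are very similar and could definitely share
  # code.  if promoted, the two should get merged together to backup both rules.
  #
  # used to be T_HTTPS_HTTP_MISMATCH_1_10, has the best results
  # The two arguments are the min/max anchor count the plugin considers (1..10 here).
  body  HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
  #
  endif
  #
  ########################################################################
  #
  # Phishing usually comes from official sounding email addresses.  Could
  # potentially be used to lower FPs if necessary.
  #
  # (Kept commented out, as in the original: local-part checks on an unauthenticated
  # From: header are only useful as a tie-breaker combined with the subject rules.)
  #header __TVD_PH_FROM_ACCO From:addr =~ /accounts?\@/i
  #header __TVD_PH_FROM_CUST From:addr =~ /customer[^@]*\@/i
  #header __TVD_PH_FROM_SUPP From:addr =~ /support\@/i
  #header __TVD_PH_FROM_SERV From:addr =~ /service\@/i
  #header __TVD_PH_FROM_BILL From:addr =~ /billing\@/i
  #header __TVD_PH_FROM_NOTI From:addr =~ /notice\@/i
  #header __TVD_PH_FROM_ADMI From:addr =~ /admin\@/i
  #header __TVD_PH_FROM_SECU From:addr =~ /secure\@/i
  #
  #meta __TVD_PH_FROM_ANY __TVD_PH_FROM_ACCO || __TVD_PH_FROM_CUST || __TVD_PH_FROM_SUPP || __TVD_PH_FROM_SERV || __TVD_PH_FROM_BILL || __TVD_PH_FROM_NOTI || __TVD_PH_FROM_ADMI || __TVD_PH_FROM_SECU
  #meta T_TVD_PH_FROM_SUBJ_GOOD __TVD_PH_FROM_ANY && T_TVD_PH_SUBJ_GOOD
  #meta T_TVD_PH_FROM_SUBJ_GOOD2 __TVD_PH_FROM_ANY && T_TVD_PH_SUBJ_GOOD2
  #
  ########################################################################
  #
  # Look at subjects for phishing
  #
  # 0.214   0.2574   0.0000    1.000   0.93    0.01  T_TVD_PH_SUBJ_ACCOUNTS_POST
  # 0.158   0.1906   0.0000    1.000   1.00    0.01  T_TVD_PH_SUBJ_ACCOUNTS_PRE
  # 0.102   0.1226   0.0000    1.000   0.79    0.01  T_TVD_PH_SUBJ_SEC_MEASURES
  # 0.095   0.1144   0.0000    1.000   0.71    0.01  T_TVD_PH_SUBJ_UPDATE
  # 0.180   0.2165   0.0000    1.000   0.86    0.01  T_TVD_PH_SUBJ_URGENT
  # "(?:[a-z_,-]+ )*?" in these patterns allows a few filler words between the key terms.
  header TVD_PH_SUBJ_ACCOUNTS_PRE Subject =~ /\baccounts? (?:[a-z_,-]+ )*?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|security|updated?|verifications?|confirm[a-z]+)\b/i
  header TVD_PH_SUBJ_SEC_MEASURES Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i
  header TVD_PH_SUBJ_UPDATE Subject =~ /\bupdate (?:[a-z_,-]+ )*?(?:access|credit|records?|info(?:rmation)?)\b/i
  header TVD_PH_SUBJ_URGENT Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
  header TVD_PH_SUBJ_ACCOUNTS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
  #
  # Umbrella meta over every subject rule.  TVD_PH_SUBJ_META is defined further down;
  # meta rules are evaluated after the rules they reference, so the order is fine.
  meta TVD_PH_SUBJ_META_ALL TVD_PH_SUBJ_META || TVD_PH_SUBJ_ACCOUNTS_PRE || TVD_PH_SUBJ_SEC_MEASURES || TVD_PH_SUBJ_UPDATE || TVD_PH_SUBJ_URGENT || TVD_PH_SUBJ_ACCOUNTS_POST
  #
  ########################################################################
  #
  # Look for lesser matched REs and meta them together
  #
  # 0.251   0.3023   0.0000    1.000   1.00    0.01  T_TVD_PH_SUBJ_META
  meta TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
  #
  header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
  #
  header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
  header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
  header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
  header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
  header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
  header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
  header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
  header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
  header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
  header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
  header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
  header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
  header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
  header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
  header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
  header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
  header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
  header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
  header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
  #
  ########################################################################
  #
  # Body-phrase rules, grouped the same way as the subject rules above.
  meta TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
  # FIX: the posted listing read "meta TVD_PH_BODY_META_ALLTVD_PH_BODY_META || ..."
  # (missing space), which both mangles the rule name and drops TVD_PH_BODY_META from
  # the expression, leaving a leading "||" that does not parse.
  meta TVD_PH_BODY_META_ALL TVD_PH_BODY_META || TVD_PH_BODY_ACCOUNTS_PRE || TVD_PH_BODY_ACCOUNTS_POST
  body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
  body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
  body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
  # The negative lookaheads exclude the common legitimate phrasings "funds transfer
  # from", "funds from", "funds in" and "funds via".
  body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
  body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
  body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
  body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
  body __TVD_PH_BODY_08 /\bmultiple password failures/i
  #
  body TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
  body TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:re-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i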

