Koozali.org formerly Contribs.org

Block spear phishing using spoofed email addresses

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #15 on: October 26, 2020, 04:53:46 PM »
OK - so here is a basic outline. No idea how to test it - need some spoofed mails!

/etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof
signal-event email-update

Check the logs in qpsmtpd and spamd

Code:
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Names starting with __ are subrules: they carry no score and never appear in
# the log on their own. A scored rule (normally a meta rule, see the sample
# lines from the .pm file below) has to use them before anything shows up.
header   __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()
describe __PLUGIN_FROMNAME_EMAIL  Does From name contain an email address
header   __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()
describe __PLUGIN_FROMNAME_DIFFERENT  Is the From:name different to the From:addr header
header   __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()
describe __PLUGIN_FROMNAME_OWNERS_DIFFER  From:name and From:addr owners differ
header   __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()
describe __PLUGIN_FROMNAME_DOMAIN_DIFFER  From:name domain differs to from header
header   __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
describe __PLUGIN_FROMNAME_SPOOF  From:name and From:address don't match and owners differ
header   __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
describe __PLUGIN_FROMNAME_EQUALS_TO  From:name address matches To:address
# Plugin setting; the plugin's options are prefixed fns_ (the outline originally read dns_check)
fns_check 1
endif # Mail::SpamAssassin::Plugin::FromNameSpoof

Note the sample lines from the .pm file

Code:
# Samples from the pm file

#header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
#header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

#meta     FROMNAME_SPOOF_EQUALS_TO  (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
#describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
#score    FROMNAME_SPOOF_EQUALS_TO 1.2

Be pleased if someone wants to try and test this with the 3.4.2 rpm in smedev and we could add this as an option in spamassassin.

CPAN info here:

https://metacpan.org/pod/Mail::SpamAssassin::Plugin::FromNameSpoof
« Last Edit: October 26, 2020, 04:57:23 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
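
As an added example (not code from this thread or from the plugin), the Python below models what the six check_fromname_* evals in the outline above compare, run on constructed From:/To: headers, so you can see which subrules a given header would satisfy before wiring up a scored meta rule. The address regex is my own, and the "owner" check is simplified to the last two domain labels.

```python
"""Model of the six FromNameSpoof eval checks, run on constructed From:/To: headers."""
import re
from email.utils import parseaddr

# Loose matcher for an address inside the display name (my own, not the plugin's regex).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def owner_of(domain):
    # Simplification: last two labels stand in for the registrable domain (the plugin's lookup is more careful).
    return ".".join(domain.lower().split(".")[-2:])

def fromname_checks(from_header, to_header):
    """True for every check (named after the check_fromname_* evals) these headers satisfy."""
    name, from_addr = parseaddr(from_header)
    _, to_addr = parseaddr(to_header)
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    hit = EMAIL_RE.search(name)
    name_addr = hit.group(0).lower() if hit else None
    checks = dict.fromkeys(
        ("contains_email", "different", "domain_differ", "owners_differ", "spoof", "equals_to"), False)
    if not name_addr or not from_addr:
        return checks  # no address in the display name: nothing in this family can fire
    checks["contains_email"] = True
    checks["different"] = name_addr != from_addr
    checks["domain_differ"] = domain_of(name_addr) != domain_of(from_addr)
    checks["owners_differ"] = owner_of(domain_of(name_addr)) != owner_of(domain_of(from_addr))
    checks["spoof"] = checks["different"] and checks["owners_differ"]
    checks["equals_to"] = bool(to_addr) and name_addr == to_addr
    return checks

def meta_spoof_equals_to(from_header, to_header):
    """The sample meta rule from the .pm file: FROMNAME_SPOOF && FROMNAME_EQUALS_TO."""
    c = fromname_checks(from_header, to_header)
    return c["spoof"] and c["equals_to"]

# Constructed samples on reserved documentation domains.
SAMPLES = {
    "plain_name":       ('"Alice Smith" <alice@example.com>', "bob@example.org"),
    "own_addr_in_name": ('"alice@example.com" <alice@example.com>', "bob@example.org"),
    "ceo_lookalike":    ('"ceo@example.com" <random123@mail.example.net>', "finance@example.com"),
    "mimics_recipient": ('"bob@example.org" <someone@example.net>', "bob@example.org"),
}

if __name__ == "__main__":
    for label, (frm, to) in SAMPLES.items():
        fired = [k for k, v in fromname_checks(frm, to).items() if v]
        print(f"{label:17} -> {', '.join(fired) or 'no FROMNAME checks'}")
```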

Re: Block spear phishing using spoofed email addresses
« Reply #16 on: October 27, 2020, 09:27:35 AM »
Quote
I can see that it is in the test build of 3.4.2 that I built a year or two back and which is in the SME Dev repo.

On it since last year.

Could you advise about the content of /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof

Thank you.

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #17 on: October 27, 2020, 10:21:54 AM »
Quote
On it since last year.

Cool. Hope to have a 3.4.4 done soon.
Just figuring some build options.

Quote
Could you advise about the content of /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof

All I know is written above.

Anything else you'll have to figure from the documentation or reading about.

I've done the hard work :lol: You need to do a bit yourself now.... !

Try using their sample code first as above.

Uncomment it and wrap it with the 'if' sections.

Email update, check local.cf for content, send/wait for spoof mail while watching logs.

Better if you can generate a spoof mail to test.

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #18 on: October 27, 2020, 11:13:41 AM »
Quote
On it since last year.

Just a thought but why did you not comment on this bug with your testing? The package could probably have been released to benefit others..... Just using it silently helps no one but yourself.

https://bugs.contribs.org/show_bug.cgi?id=10597

If you test things PLEASE let developers know.

Re: Block spear phishing using spoofed email addresses
« Reply #19 on: October 27, 2020, 12:18:40 PM »
I usually do: https://bugs.contribs.org/show_bug.cgi?id=10597#c13

Not really into SA, don't know how I ended up with it, Geoip2 seemed to work otherwise.

http://distro.ibiblio.org/smeserver/releases/9.2/smeupdates/x86_64/RPMS/spamassassin-3.4.2-2.el6.sme.x86_64.rpm      2019-Jan-20 17:27:30
« Last Edit: October 27, 2020, 12:52:26 PM by bunkobugsy »

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #20 on: October 27, 2020, 02:45:14 PM »
Quote
http://distro.ibiblio.org/smeserver/releases/9.2/smeupdates/x86_64/RPMS/spamassassin-3.4.2-2.el6.sme.x86_64.rpm      2019-Jan-20 17:27:30

Ahhh - OK.

Sorry - it seems that someone released this and never closed out the bug :shock:

I thought it was still testing!

Re: Block spear phishing using spoofed email addresses
« Reply #21 on: October 28, 2020, 11:12:41 PM »
Quote
Cool. Hope to have a 3.4.4 done soon.
Just figuring some build options.

Even 3.4.3 has a new plugin that could be useful (if it works):

# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents
# outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

To enable, uncomment the loadplugin configuration options in file v343.pre
« Last Edit: October 28, 2020, 11:16:19 PM by bunkobugsy »

Re: Block spear phishing using spoofed email addresses
« Reply #22 on: October 28, 2020, 11:57:50 PM »
So I uncommented the relevant loadplugin line in /etc/mail/spamassassin/v342.pre

added to /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof:

header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
describe FROMNAME_SPOOF From:name and From:address don't match and owners differ
score FROMNAME_SPOOF 1.2

ignored the 'ifplugin' section and ran signal-event email-update
but nothing relevant is showing up in spamd log other than some T_FROMNAME_SPOOFED_EMAIL

Maybe because adding every TLD from geoip badcountries list to WBL panel blacklist  ^.*@.*\.tld$  really cut back on spam.
SMEOptimizer had to go for now, community blacklist was blocking a lot of legitimate mail.
« Last Edit: October 29, 2020, 12:06:41 AM by bunkobugsy »

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #23 on: October 29, 2020, 12:09:34 AM »
Quote
Even 3.4.3 has a new plugin that could be useful (if it works):

Yeah - give me a bloody chance!!

On top of building and importing smeserver-smeadmin (was sme9admin but we've removed the number), smeserver-systemd-control (ripped from nethesis for control of systemctl), smeserver-wsdd (work by Mr Fage to give you NetBIOS-type browsing on shares without SMB v1) I have also had to build and import a new version of DCC for SpamAssassin, test-build SpamAssassin 3.4.4 to see if it will work on EL7, fix the smeserver-arpwatch import I buggered up for Brian, and then spend a lot of time with Terry trying to figure out if we can build plague on CentOS 8. Non-trivial.

On top of that I have had to try and teach my company's web dev (a seriously smart woman) how to run some PHP apps that they really should be able to debug themselves, and try and do some other work to keep some food on the table.

If my wife (my boss) knew how much time I have given to SME today alone she would have a hissy fit.

Now, I am just a volunteer here. I am no great hacky person - just an amateur. And pretty well *everything* I can do I learned by getting involved and DOING something.

So, please, get involved and actually do something. Set up a build machine. Try building an rpm. Post your patch. Test some of the contribs that have been built - properly. If you can't, then read, and learn, ask us questions, and try. Make it happen - don't just leave a few pointers and wishes and hope that 'someone else' will fix it.

*I* can't really afford the time. But you have to find some and make it happen.

Sorry - long day, and my eyes are square.

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #24 on: October 29, 2020, 12:16:42 AM »
Quote
So I uncommented the relevant loadplugin line in /etc/mail/spamassassin/v342.pre

Good catch - I missed that. Probably needs a template or something

That is important and needs going on a bug/NFR against Spamassassin with the other stuff here.

Quote
ignored the 'ifplugin' section and ran signal-event email-update
but nothing relevant is showing up in spamd log other than some T_FROMNAME_SPOOFED_EMAIL

OK.

Quote
Maybe because adding every TLD from geoip badcountries list to WBL panel blacklist  ^.*@.*\.tld$  really cut back on spam.

When you test you HAVE to be methodical. So you added that and now have nothing much to test against :-(

Can you please remove that and see what happens?

Quote
SMEOptimizer had to go for now, community blacklist was blocking a lot of legitimate mail.

There is either a thread here or you can open a bug, but it should be reported.

Re: Block spear phishing using spoofed email addresses
« Reply #25 on: October 29, 2020, 12:30:08 AM »
Sorry, didn't mean to push anybody or demand anything.
Just added my findings.
I really love SME 9.3, I think it's top notch and will run it for a (good) while.
I don't think I can be of any real use (with my level of understanding perl) other than testing.
Will try to test SME10 contribs. (was going to anyway)
« Last Edit: October 29, 2020, 12:36:12 AM by bunkobugsy »

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #26 on: October 29, 2020, 12:44:28 AM »
Quote
Sorry, didn't mean to push anybody or demand anything.

I know - but when we read it, that's how it seems....

Quote
Just added my findings.

Indeed. They are good. Be methodical and document it properly. Add bugs. The more you do, the more you learn.

Quote
I really love SME 9.3, I think it's top notch and will run it for a (good) while.

We all do. Yes, it'll run for decades. But support is being terminated by RHEL/CentOS. Any new issues will not be fixed. We have to move on (there are still quite a few v7 and v8 machines still out there!!). Believe me, I am no lover of systemd..... !

Quote
I don't think I can be of any real use (with my level of understanding perl) other than testing. Will try to test SME10 contribs. (was going to anyway)

I think that you, along with many others, completely misjudge just how much you know, how much some of us know, and how much use you really can be. You do not have to be some perl guru - I'm not.

Seriously, we have a couple of absolutely top notch people. But a lot of us are not geniuses - quite a few of us are really just part time hacks!!! We do it for fun.

My skills are not that great. I can code a little - but I am no programmer. I can build & import rpms - but that is because I have bothered to ask questions and learn - not because I am some super cool hacker. I do it by a simple method, and I break lots of things too :-)

Go have a look at my old posts from years ago, and bugs. You will see what happened over the years. I am no smarter. Just a bit wiser.

So, don't put yourself down. Come and join in. None of us bite. We all like to learn and help each other. That way we all get better.

Re: Block spear phishing using spoofed email addresses
« Reply #27 on: October 29, 2020, 09:55:49 AM »
@ReetP and @mmccarn: can't really thank you enough for your help! :)

I've got my hands full today, with any luck I'll install SA 3.4 tomorrow and try to include this check.

Re: Block spear phishing using spoofed email addresses
« Reply #28 on: October 30, 2020, 01:56:46 PM »
They just went to another level: virused .doc files are zipped and pwd protected, pwd in mail body.

So there's no need to uncomment the loadplugin line in /etc/mail/spamassassin/v342.pre and
to create /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof

It can be done the documented way: https://wiki.contribs.org/Email#Custom_Rule_Scores
The FromNameSpoof tests are already defined in the regularly updated /var/lib/spamassassin/3.004002/updates_spamassassin_org/72_active.cf file with commented-out scores.
A lot of rules are defined there but they score 0, so just by analyzing email and customizing scores spam can be deferred.

Just create /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores:

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
score T_FROMNAME_SPOOFED_EMAIL 1.3
score T_GB_FROMNAME_SPOOFED_EMAIL_IP 1.5

then signal-event email-update
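
An added example, not from this thread: a small Python parser for spamd "result:" log lines (line shape assumed from typical spamd logging; the sample lines are constructed) that tallies FROMNAME rule hits and lists messages where such a rule was hit but the mail still passed. That second list is what a rule sitting at score 0 in 72_active.cf looks like in the log before 20localscores gives it a score, which is the situation described in Reply #22 and resolved above.

```python
"""Tally FromNameSpoof rule hits in spamd 'result:' lines (constructed sample log, not real data)."""
import re
from collections import Counter

# Assumed spamd result line shape:
#   spamd: result: <Y|.> <score> - <rule,rule|none> ...,required_score=N,...,mid=<id>,...
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+)"
    r".*?required_score=(?P<required>[\d.]+).*?mid=(?P<mid><[^>]*>)"
)

# Constructed log lines; host, PIDs and message-ids are made up.
SAMPLE_LOG = """\
Oct 29 00:02:11 sme spamd[2101]: spamd: connection from localhost [127.0.0.1]:40012 to port 783, fd 5
Oct 29 00:02:11 sme spamd[2101]: spamd: result: . 1 - HTML_MESSAGE,T_FROMNAME_SPOOFED_EMAIL scantime=0.9,size=2210,user=admin,uid=0,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40012,mid=<m1@example.net>,autolearn=no autolearn_force=no
Oct 29 00:03:40 sme spamd[2101]: spamd: result: Y 7 - BAYES_99,FROMNAME_SPOOF,T_FROMNAME_SPOOFED_EMAIL scantime=1.1,size=3407,user=admin,uid=0,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40020,mid=<m2@example.net>,autolearn=no autolearn_force=no
Oct 29 00:04:02 sme spamd[2101]: spamd: result: . 0 - none scantime=0.4,size=812,user=admin,uid=0,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40031,mid=<m3@example.org>,autolearn=no autolearn_force=no
"""

def parse_results(log_text):
    """One dict per result line: verdict, score, required score, message-id and hit list."""
    results = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # connection/processing lines carry no verdict
        rules = [] if m["rules"] == "none" else m["rules"].split(",")
        results.append({"spam": m["verdict"] == "Y", "score": int(m["score"]),
                        "required": float(m["required"]), "mid": m["mid"], "rules": rules})
    return results

def fromname_hits(results, marker="FROMNAME"):
    """Count each rule whose name contains the marker, across all scanned messages."""
    counts = Counter()
    for r in results:
        counts.update(rule for rule in r["rules"] if marker in rule)
    return counts

def hits_without_effect(results, marker="FROMNAME"):
    """Message-ids where a FROMNAME rule was listed but the mail still passed: the plugin
    ran and matched, the rule just carried too little score to reach required_score."""
    return [r["mid"] for r in results
            if not r["spam"] and any(marker in rule for rule in r["rules"])]

if __name__ == "__main__":
    res = parse_results(SAMPLE_LOG)
    print(dict(fromname_hits(res)))
    print("hit but not tagged:", hits_without_effect(res))
```

Run it against the real spamd log (for example by reading /var/log/spamd/current into `parse_results`) before and after adding the local scores to confirm the change actually moves messages over the threshold.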

ReetP
Re: Block spear phishing using spoofed email addresses
« Reply #29 on: October 30, 2020, 02:05:06 PM »
I'd like a bug against spamassassin in v10 but there is no package yet.

I'll try and get it done in the next few days.

Up to my neck in real life right now!!