Content filter - Anti-phishing



ICEWARP_BRAZIL
02-19-2011, 10:58 AM
Dear forum colleagues,

I will post some content filters we created over the years. Hope it's useful for you.

The first one is an anti-phishing filter. It has very good results for us, with very few false positives.

Basically it checks for messages that have an http:// link that ends with .exe or .scr

Where Message is < 50 kB
and Where Message body matches http://[^ ]*/[^ ]*\.(exe|scr)[ '">]
and Where Recipient matches NOT admin@domain.com
Delete message
and Forward to audit-phishing@domain.com
and Edit message header

The body condition should be set as a REGEX. Notice the size limitation on the top, to avoid SMTP performance issues. And in Edit header you can add anything you want, if you want, just to easily identify if the filter was applied in some email.

Where recipient NOT is where I can create exceptions, to not run the filter for certain users.

Of course, customize the audit email (audit-phishing) and set an email account that has no mailbox size limit, to avoid generating bounce backs in case the mailbox is full.

Here's the filter:

<CONTENTFILTER>
  <FILTER>
    <ACTIVE>1</ACTIVE>
    <TITLE>Anti-phishing, checks for http links to .exe and .scr</TITLE>
    <READONLY>0</READONLY>
    <CONDITION>
      <AND>1</AND>
      <LOGICALNOT>0</LOGICALNOT>
      <EXPRESSION>2</EXPRESSION>
      <CONTAINTYPE>8</CONTAINTYPE>
      <MESSAGESIZESMALLER>1</MESSAGESIZESMALLER>
      <MESSAGESIZE>51200</MESSAGESIZE>
    </CONDITION>
    <CONDITION>
      <AND>1</AND>
      <LOGICALNOT>0</LOGICALNOT>
      <HEADERTYPE>6</HEADERTYPE>
      <CONTAINTYPE>10</CONTAINTYPE>
      <CONTAIN>http://[^ ]*/[^ ]*\.(exe|scr)[ &apos;&quot;&gt;]</CONTAIN>
      <MESSAGESIZESMALLER>0</MESSAGESIZESMALLER>
    </CONDITION>
    <CONDITION>
      <AND>1</AND>
      <LOGICALNOT>0</LOGICALNOT>
      <HEADERTYPE>9</HEADERTYPE>
      <CONTAINTYPE>9</CONTAINTYPE>
      <CONTAIN>admin@domain.com</CONTAIN>
      <MESSAGESIZESMALLER>0</MESSAGESIZESMALLER>
    </CONDITION>
    <ACCEPT>0</ACCEPT>
    <REJECT>0</REJECT>
    <DELETE>1</DELETE>
    <ENCRYPT>0</ENCRYPT>
    <PRIORITY>0</PRIORITY>
    <FLAGS>0</FLAGS>
    <SCORE>0</SCORE>
    <MARKSPAM>0</MARKSPAM>
    <STOP>0</STOP>
    <EXECUTE>0</EXECUTE>
    <FORWARD>audit-phishing@domain.com</FORWARD>
    <TARPITSENDER>0</TARPITSENDER>
    <FIXRFC822>0</FIXRFC822>
    <SMTPRESPONSE>0</SMTPRESPONSE>
    <STRIPALL>0</STRIPALL>
    <HEADER>
      <VAL>0URL exe
</VAL>
    </HEADER>
  </FILTER>
</CONTENTFILTER>

We've also tried to create such a filter for URLs that start with HTTP and end with .com, but that one is harder and has more false positives, since sometimes it confuses .com file suffixes with .com URLs.

Anyway, if you want to try it (I always suggest auditing first, especially with the .com filter, which I still haven't put in production), the regex is:

http://[^ ]*/[^ ,>"'/?&=\.]*\.com[ '">]

Examples of false positives, usually URLs to opt out and such:

http://profiles.yahoo.com/wineworld@ymail.com
http://www.dropbox.com/bl/e0d13213a67/user%40domain.com
http://westway.tm00.com/r/m12323234.com

Maybe we can make the regex not go into action if there's an @ in /filename.com? If anyone who has mastered regex has any tips, they would be appreciated.

Thank you,
Flávio
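To see what the three AND-ed conditions of the .exe/.scr filter actually do before deploying it, here is an added Python model of the rule (example code, not part of the post and not IceWarp's own engine). It assumes Python's re module treats the posted pattern the same way IceWarp's REGEX body condition does, approximates the "Message is < 50 kB" check by the body length alone (the real size includes headers), and uses the posted addresses admin@domain.com and audit-phishing@domain.com. The sample bodies are constructed.

```python
import re

# Body condition from the post, set as a REGEX contain type in IceWarp.
# Note the trailing character class: the link must be followed by a space,
# quote or '>', so a URL that ends the body with no delimiter is not matched.
PHISHING_URL_RE = re.compile(r"""http://[^ ]*/[^ ]*\.(exe|scr)[ '">]""")

# "Where Message is < 50 kB" (51200 in the exported filter).
MAX_SIZE_BYTES = 51200

# "Where Recipient matches NOT admin@domain.com": the exception list.
EXCEPT_RECIPIENTS = {"admin@domain.com"}

# The three actions the filter takes when all conditions hold.
ACTIONS = ["delete", "forward:audit-phishing@domain.com", "header:URL exe"]


def evaluate_filter(recipient: str, body: str) -> list:
    """Return the actions the filter would apply to one message, or []."""
    # Size check first: as the post notes, skipping big messages keeps the
    # regex off large bodies and avoids SMTP performance issues.
    if len(body.encode("utf-8")) >= MAX_SIZE_BYTES:           # assumption: body-only size
        return []
    if recipient.lower() in EXCEPT_RECIPIENTS:
        return []
    if not PHISHING_URL_RE.search(body):
        return []
    return list(ACTIONS)


# Constructed sample messages for a dry run.
SAMPLES = {
    "exe_link": ("user@domain.com",
                 "Your invoice: http://files.example.test/invoice.exe please open"),
    "scr_link_quoted": ("user@domain.com",
                        'Click <a href="http://files.example.test/card.scr">here</a>'),
    "harmless_link": ("user@domain.com",
                      "Docs at http://files.example.test/readme.txt for you"),
    "excepted_admin": ("admin@domain.com",
                       "Your invoice: http://files.example.test/invoice.exe please open"),
    "too_large": ("user@domain.com",
                  "x" * 60000 + " http://files.example.test/invoice.exe now"),
}


def dry_run() -> dict:
    """Evaluate every sample; the audit step the post recommends before going live."""
    return {name: evaluate_filter(rcpt, body) for name, (rcpt, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, actions in dry_run().items():
        print(f"{name:18} -> {actions or 'pass'}")
```

Running it shows the two executable links being deleted and forwarded to the audit mailbox, while the text link, the excepted admin recipient and the oversized message all pass untouched.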

ICEWARP_BRAZIL
03-26-2011, 03:31 PM
Hello, everyone

Thanks to Tonda from IceWarp for helping with the .com anti-phishing filter. I have it only add a score to anti-spam, but it has been quite effective, although there are a few false positives. To avoid problems with .com Internet domain suffix, this filter uses regex and checks for:

http://www.address.com/filename.com

It's the same logic as the previous filter, and the Regex to check for phishing URLs in the body of message is as such:

http://[^ ]*/[^ ,>"'/@?&=\.]*\.com[ '">]

Hope it can be useful.

- Flávio
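The following added Python check (not part of either post) runs the original .com regex from the first post and the revised one above against the three false positives Flávio listed, plus a plain site URL and a link whose path really ends in a .com file name. It assumes Python's re module handles these patterns the same way IceWarp's REGEX body condition does; the sample bodies are constructed, with a trailing space so the closing delimiter class can match.

```python
import re

# First-post pattern: any "/name.com" path segment.
ORIGINAL_COM_RE = re.compile(r"""http://[^ ]*/[^ ,>"'/?&=\.]*\.com[ '">]""")

# Revised pattern from this post: '@' added to the excluded characters, so a
# path segment like "wineworld@ymail.com" no longer counts as a file name.
REVISED_COM_RE = re.compile(r"""http://[^ ]*/[^ ,>"'/@?&=\.]*\.com[ '">]""")

# Constructed sample bodies (URLs from the thread plus two controls).
SAMPLES = {
    "yahoo_profile_with_at": "Opt out: http://profiles.yahoo.com/wineworld@ymail.com ",
    "dropbox_percent_encoded_at": "File: http://www.dropbox.com/bl/e0d13213a67/user%40domain.com ",
    "tracking_redirect": "Link: http://westway.tm00.com/r/m12323234.com ",
    "plain_site": "Visit http://www.example.com/ today",
    "com_file_in_path": "Run http://downloads.example.test/update.com now",
}


def matches(pattern: re.Pattern, body: str) -> bool:
    """True if the body condition would fire for this message body."""
    return pattern.search(body) is not None


def compare(bodies: dict = SAMPLES) -> dict:
    """Map each sample to (original_fires, revised_fires)."""
    return {name: (matches(ORIGINAL_COM_RE, b), matches(REVISED_COM_RE, b))
            for name, b in bodies.items()}


if __name__ == "__main__":
    for name, (orig, rev) in compare().items():
        print(f"{name:28} original={orig!s:5} revised={rev!s:5}")
```

The comparison shows what the single added character buys: the yahoo profile link with a literal @ stops matching, while the dropbox link still fires because its @ is percent-encoded as %40 and never hits the character class, and the tracking redirect still fires because its path genuinely ends in a .com segment. Neither pattern matches a plain site URL, and both still catch a path that ends in a .com file name, which is the case the filter is meant for.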

matt_c
07-10-2016, 03:28 PM
Thank you for the phishing filter. (www.cyberdefensehub.com/spear-phishing-attacks/). PC support also has some good information on this: http://pcsupport.about.com/od/fixtheproblem/ht/nophishingie7.htm