Best Possible Way To Block Phish/Malware URL
Guys,

Can anybody suggest the best possible way to block phish/malware URLs in the body of an email using SpamAssassin?


I tried GoogleSafeBrowsing, but it is not helping much as it has a very low detection ratio.


Regards,
Siddhesh
Re: Best Possible Way To Block Phish/Malware URL
KADAM, SIDDHESH skrev den 2020-07-07 13:13:

> Can anybody suggest me a best possible way to block phish/malware url
> from body of an email using spamassassin.

report to https://phishtank.com/ 1 step :=)

next is to use https://sanesecurity.com/ with phishtank signatures

using phishtank signatures in spamassassin needs more ram

> I Tried GoogleSafeBrowsing but not helping much as it has very low
> detection ratio.

is another reporting problem
Re: Best Possible Way To Block Phish/Malware URL
On 7/7/20 1:13 PM, KADAM, SIDDHESH wrote:
> Guys,
>
> Can anybody suggest me a best possible way to block phish/malware url from body
> of an email using spamassassin.
>
> I Tried GoogleSafeBrowsing but not helping much as it has very low detection ratio.
>
> Regards,
> Siddhesh

iirc "ramprasad at NETCORE.CO.IN" should be able to help you.
Re: Best Possible Way To Block Phish/Malware URL
On 7/7/20 1:20 PM, Benny Pedersen wrote:
> KADAM, SIDDHESH skrev den 2020-07-07 13:13:
>
>> Can anybody suggest me a best possible way to block phish/malware url
>> from body of an email using spamassassin.
>
> report to https://phishtank.com/ 1 step :=)
>
> next is to use https://sanesecurity.com/ with phishtank signatures
>
> using phishtank signatures in spamassassin needs more ram

domains listed in Phishtank are picked up by SURBL

Phishtank signatures in SpamAssassin? you probably mean ClamAV

>> I Tried GoogleSafeBrowsing but not helping much as it has very low
>> detection ratio.
>
> is another reporting problem
whatever that may mean
Re: Best Possible Way To Block Phish/Malware URL
Axb skrev den 2020-07-07 13:23:

> domains listed in Phishtank are picked up by SURBL

and rbldnsd support a fix of this
https://www.isc.org/blogs/qname-minimization-and-privacy/

i have disabled it in bind9

> Phishtank signatures in SpamAssassin?

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_Phishing.txt

> you probably mean ClamAV

no

>>> I Tried GoogleSafeBrowsing but not helping much as it has very low
>>> detection ratio.
>> is another reporting problem
> whatever that may mean

if all phishes are reported to google then safebrowsing would be more
useful
Re: Best Possible Way To Block Phish/Malware URL
On 7/7/20 2:39 PM, Benny Pedersen wrote:
> Axb skrev den 2020-07-07 13:23:
>
>> domains listed in Phishtank are picked up by SURBL
>
> and rbldnsd support a fix of this
> https://www.isc.org/blogs/qname-minimization-and-privacy/
>
> i have disabled it in bind9
>
>> Phishtank signatures in SpamAssassin?
>
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_Phishing.txt
>
>
>> you probably mean ClamAV
>
> no

That isn't only Phishtank data...
and using that data in that particular way hardly scales to bigger setups

>
>>>> I Tried GoogleSafeBrowsing but not helping much as it has very low
>>>> detection ratio.
>>> is another reporting problem
>> whatever that may mean
>
> if all phishes are reported to google then safebrowsing would be more
> useful

FTR: GoogleSafeBrowsing is not free for all, anymore
Re: Best Possible Way To Block Phish/Malware URL
Hai!

>>>>> I Tried GoogleSafeBrowsing but not helping much as it has very low
>>>>> detection ratio.

>>>> is another reporting problem
>>> whatever that may mean

>> if all phishes are reported to google then safebrowsing would be more
>> useful

> FTR: GoogleSafeBrowsing is not free for all, anymore

If I recall correctly the ClamAV support for that also was stopped months
ago. Due to exactly that.

bye, Raymond
Re: Best Possible Way To Block Phish/Malware URL
Axb skrev den 2020-07-07 14:46:

> That isn't only Phishtank data...

+1

> and using that data in that particular way hardly scales to bigger
> setups

data could be stored in DB_File just like GeoIP2, that saves ram imho

> FTR: GoogleSafeBrowsing is not free for all, anymore

that explains low hitratio ? :=)
Re: Best Possible Way To Block Phish/Malware URL
On 7/7/20 2:57 PM, Benny Pedersen wrote:
> Axb skrev den 2020-07-07 14:46:
>
>> That isn't only Phishtank data...
>
> +1
>
>> and using that data in that particular way hardly scales to bigger setups
>
> data could be stored in DB_File just like GeoIP2, that saves ram imho

rbldnsd is the way to go:
- you can control TTL
- it scales to millions of minions
- it's cheap in terms of RAM and cycles
- low maintenance
- does not add load to clients.
Re: Best Possible Way To Block Phish/Malware URL
Hai!

>> That isn't only Phishtank data...
>
> +1

>> and using that data in that particular way hardly scales to bigger setups
>
> data could be stored in DB_File just like GeoIP2, that saves ram imho

Transferring the complete set over and over might now be the best way of
doing the distribution of datasets like that...

I agree with Alex, sets like that should be rbldnsd based to make it
scalable imho.

>> FTR: GoogleSafeBrowsing is not free for all, anymore

> that explains low hitratio ? :=)

:-)

Bye, Raymond