
QR-decoding
Hi all,

Just very recently, I saw several phishing mails using QR codes to
direct readers to phishing sites. No "a href" stuff, just a "please
point your phone's camera to our QR code" - and fill out our malicious form.

I searched for a plugin - but didn't find any reference to
"spamassassin" and "QR". Is anyone aware of a plugin that reads and
decodes QR-codes - then adds them to the list of domains-to-be-checked?
(I.e. checked against blocklists et al)

Best regards,

Valentijn
Re: QR-decoding
Nothing I'm aware of. Contact me off-list if you have any spamples. Maybe
there are other indicators.
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Mon, Feb 1, 2021 at 10:39 AM Valentijn Sessink <valentijn@sessink.nl>
wrote:

> Hi all,
>
> Just very recently, I saw several phishing mails using QR codes to
> direct readers to phishing sites. No "a href" stuff, just a "please
> point your phone's camera to our QR code" - and fill out our malicious
> form.
>
> I searched for a plugin - but didn't find any reference to
> "spamassassin" and "QR". Is anyone aware of a plugin that reads and
> decodes QR-codes - then adds them to the list of domains-to-be-checked?
> (I.e. checked against blocklists et al)
>
> Best regards,
>
> Valentijn
>
Re: QR-decoding
On 2021-02-02 03:37, Kevin A. McGrail wrote:
> Nothing I'm aware of. Contact me off-list if you have any spamples.
> Maybe there are other indicators.

+1

> On Mon, Feb 1, 2021 at 10:39 AM Valentijn Sessink
> <valentijn@sessink.nl> wrote:

I like samples as well

>> (I.e. checked against blocklists et al)

the images can be matched in clamav, send an image sample to sanesecurity

if it's sendgrid forwards, it mostly still needs to be listed in more RBLs
Re: QR-decoding
Benny Pedersen <me@junc.eu> writes:

> On 2021-02-02 03:37, Kevin A. McGrail wrote:
>> Nothing I'm aware of. Contact me off-list if you have any spamples.
>> Maybe there are other indicators.
>
> +1
>
>> On Mon, Feb 1, 2021 at 10:39 AM Valentijn Sessink
>> <valentijn@sessink.nl> wrote:
>
> I like samples as well
>
>>> (I.e. checked against blocklists et al)
>
> the images can be matched in clamav, send an image sample to sanesecurity
>
> if it's sendgrid forwards, it mostly still needs to be listed in more RBLs
>

What about doing a proper SA plugin that finds the QR in an image,
decodes it and injects the associated text/URL as a document part to be
parsed by SA?

Something like what is being described there maybe
https://docparser.com/blog/barcode-pdf-documents-images/

Best regards,

Olivier

--
Re: QR-decoding
On 2021-02-02 09:29, Olivier wrote:

> What about doing a proper SA plugin that finds the QR in an image,
> decodes it and injects the associated text/URL as a document part to
> be parsed by SA?

I remember there was an ExtractText plugin that could do multiple jobs
depending on attachments, but since the PMC member died, it's not
possible to find this plugin anymore

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CustomPlugins

> Something like what is being described there maybe
> https://docparser.com/blog/barcode-pdf-documents-images/

clamav is our friend there

to make it better, asking to have QR code decoding could be a first step
Re: QR-decoding
Hi,

On 02-02-2021 03:37, Kevin A. McGrail wrote:
> Nothing I'm aware of.  Contact me off-list if you have any spamples.

I have. I hope it passes your filter :-)

On-list: the only thing in the last QR-code phishing mail I received
that actually makes it a phishing mail is the following part:

<img alt=3D"QR Code - Bevestigen aanvraag" style=
=3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat=
ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag" src=3D"https://pr=
oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
onaws.com/static/a0fd.png" width=3D"184">

No further links, no traces to other bad stuff but the worst part is: I
couldn't even find spelling mistakes 8-S

Best regards,

Valentijn
--
Durgerdamstraat 29, 1507 JL Zaandam; phone 075-7100071
Re: QR-decoding
I already did that ... it collects URLs, email boxes and BTC wallets from QR (whether the full image is a QR code or the image 'contains' a QR) and injects them back into SA
If there is interest in the community, maybe I can make it a standalone plugin and send it to Kevin for consideration...
------
Pedreter

On Tuesday, February 2, 2021, 09:30:36 AM GMT+1, Olivier <olivier.nicole@cs.ait.ac.th> wrote:

Benny Pedersen <me@junc.eu> writes:

> On 2021-02-02 03:37, Kevin A. McGrail wrote:
>> Nothing I'm aware of.  Contact me off-list if you have any spamples.
>> Maybe there are other indicators.
>
> +1
>
>> On Mon, Feb 1, 2021 at 10:39 AM Valentijn Sessink
>> <valentijn@sessink.nl> wrote:
>
> I like samples as well
>
>>> (I.e. checked against blocklists et al)
>
> the images can be matched in clamav, send an image sample to sanesecurity
>
> if it's sendgrid forwards, it mostly still needs to be listed in more RBLs
>

What about doing a proper SA plugin that finds the QR in an image,
decodes it and injects the associated text/URL as a document part to be
parsed by SA?

Something like what is being described there maybe
https://docparser.com/blog/barcode-pdf-documents-images/

Best regards,

Olivier

--
Re: QR-decoding
On 2021-02-02 11:28, Pedro David Marco wrote:
> I already did that ... it collects URLs, email boxes and BTC wallets
> from QR (whether the full image is a QR code or the image 'contains' a
> QR) and injects them back into SA
>
> If there is interest in the community, maybe I can make it a
> standalone plugin and send it to Kevin for consideration...

so code already exists?

https://github.com/Dendreo/php-qrcode-detector-decoder, if it just were
perl :=)

back to ExtractText
Re: QR-decoding
On Tue, 2 Feb 2021 10:47:49 +0100
Valentijn Sessink wrote:


> On-list: the only thing in the last QR-code phishing mail I received
> that actually makes it a phishing mail is the following part:
>
> <img alt=3D"QR Code - Bevestigen aanvraag" style=
> =3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat=
> ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag"
> src=3D"https://pr=
> oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
> onaws.com/static/a0fd.png" width=3D"184">

So the QR code is remote. If you fetch it, it could look like the recipient
read the email, encouraging more spam to that account.
Re: QR-decoding
On 2021-02-01 16:39, Valentijn Sessink wrote:

> Just very recently, I saw several phishing mails using QR codes to
> direct readers to phishing sites. No "a href" stuff, just a "please
> point your phone's camera to our QR code" - and fill out our malicious
> form.

these phishing mails are sent via sendgrid; they're currently rejected if using
zen.spamhaus.org at the MTA stage

no QR code decoder needed

if undetected, using the KAM channel in spamassassin helps

http://multirbl.valli.org/lookup/167.89.100.140.html
Re: QR-decoding
On 02-02-2021 14:48, RW wrote:
> On Tue, 2 Feb 2021 10:47:49 +0100
>> src=3D"https://pr=
>> oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
>> onaws.com/static/a0fd.png" width=3D"184">
> So the QR code is remote. If you fetch it, it could look like the recipient
> read the email, encouraging more spam to that account.

Unfortunately, yes that's right :-(

V.
Re: QR-decoding
On 2 Feb 2021, at 10:30, Valentijn Sessink wrote:

> On 02-02-2021 14:48, RW wrote:
>> On Tue, 2 Feb 2021 10:47:49 +0100
>>> src=3D"https://pr=
>>> oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
>>> onaws.com/static/a0fd.png" width=3D"184">
>> So the QR code is remote. If you fetch it, it could look like the
>> recipient read the email, encouraging more spam to that account.
>
> Unfortunately, yes that's right :-(

It's generally a bad idea for any mail software to automatically fetch
remote content without conscious specific human initiative for mail
which is not carefully authenticated, with careful attention to which
trusted senders are authorized to trigger such retrievals.

(Yes, I know that some garbage MUAs break that rule. That's no reason to
make the same reckless mistake in server-side filtering.)

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: QR-decoding
On Tue, 2 Feb 2021, Valentijn Sessink wrote:

> On 02-02-2021 03:37, Kevin A. McGrail wrote:
>> Nothing I'm aware of.  Contact me off-list if you have any spamples.
>
> I have. I hope it passes your filter :-)

I'd appreciate a spample too.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
4 days until International Zero Tolerance of FGM Day
Re: QR-decoding
On Tue, 2 Feb 2021, RW wrote:

> On Tue, 2 Feb 2021 10:47:49 +0100
> Valentijn Sessink wrote:
>
>
>> On-list: the only thing in the last QR-code phishing mail I received
>> that actually makes it a phishing mail is the following part:
>>
>> <img alt=3D"QR Code - Bevestigen aanvraag" style=
>> =3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat=
>> ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag"
>> src=3D"https://pr=
>> oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
>> onaws.com/static/a0fd.png" width=3D"184">
>
> So the QR code is remote. If you fetch it, it could look like the recipient
> read the email, encouraging more spam to that account.

Not if they are retrieving it by bouncing off DDG (or Gargle, or Imgur,
or...)


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: QR-decoding
On Tue, 2 Feb 2021, John Hardin wrote:

> On Tue, 2 Feb 2021, RW wrote:
>
>> On Tue, 2 Feb 2021 10:47:49 +0100
>> Valentijn Sessink wrote:
>>
>>> On-list: the only thing in the last QR-code phishing mail I received
>>> that actually makes it a phishing mail is the following part:
>>>
>>> <img alt=3D"QR Code - Bevestigen aanvraag" style=
>>> =3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat=
>>> ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag"
>>> src=3D"https://pr=
>>> oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
>>> onaws.com/static/a0fd.png" width=3D"184">
>>
>> So the QR code is remote. If you fetch it, it could look like the recipient
>> read the email, encouraging more spam to that account.
>
> Not if they are retrieving it by bouncing off DDG (or Gargle, or Imgur,
> or...)

...assuming of course those sites *host* the image themselves, and don't
just redirect the request elsewhere.

Bill's comment is correct - it's a bad idea to blindly retrieve remote
content.

However: scanning attached and embedded images (and PDFs) for text, and
URIs (bare or QR encoded) to include would potentially be useful.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: QR-decoding
Pedreter,

> I already did that ... it collects URLs, email boxes and BTC wallets from QR (whether the full image is
> a QR code or the image 'contains' a QR) and injects them back into SA
>
> If there is interest in the community, maybe I can make it a standalone plugin and send it to Kevin
> for consideration...

I think it is of some interest. It does not concern the case at hand
(remote image) but could come in handy for an attachment.

Best regards,

Olivier

>
> ------
> Pedreter
>
> On Tuesday, February 2, 2021, 09:30:36 AM GMT+1, Olivier <olivier.nicole@cs.ait.ac.th> wrote:
>
> Benny Pedersen <me@junc.eu> writes:
>
>> On 2021-02-02 03:37, Kevin A. McGrail wrote:
>>> Nothing I'm aware of. Contact me off-list if you have any spamples.
>>> Maybe there are other indicators.
>>
>> +1
>>
>>> On Mon, Feb 1, 2021 at 10:39 AM Valentijn Sessink
>>> <valentijn@sessink.nl> wrote:
>>
>> I like samples as well
>>
>>>> (I.e. checked against blocklists et al)
>>
>> the images can be matched in clamav, send an image sample to sanesecurity
>>
>> if it's sendgrid forwards, it mostly still needs to be listed in more RBLs
>
>>
>
> What about doing a proper SA plugin that finds the QR in an image,
> decodes it and injects the associated text/URL as a document part to be
> parsed by SA?
>
> Something like what is being described there maybe
> https://docparser.com/blog/barcode-pdf-documents-images/
>
> Best regards,
>
> Olivier

--
Re: QR-decoding
On 2/2/2021 11:34 AM, John Hardin wrote:
> On Tue, 2 Feb 2021, John Hardin wrote:
>
>> On Tue, 2 Feb 2021, RW wrote:
>>
>>> On Tue, 2 Feb 2021 10:47:49 +0100
>>> Valentijn Sessink wrote:
>>>
>>>> On-list: the only thing in the last QR-code phishing mail I received
>>>> that actually makes it a phishing mail is the following part:
>>>>
>>>> <img alt=3D"QR Code - Bevestigen aanvraag" style=
>>>> =3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat=
>>>> ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag"
>>>> src=3D"https://pr=
>>>> oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz=
>>>> onaws.com/static/a0fd.png" width=3D"184">
>>>
>>> So the QR code is remote. If you fetch it, it could look like the recipient
>>> read the email, encouraging more spam to that account.
>>
>> Not if they are retrieving it by bouncing off DDG (or Gargle, or
>> Imgur, or...)
>
> ...assuming of course those sites *host* the image themselves, and
> don't just redirect the request elsewhere.
>
> Bill's comment is correct - it's a bad idea to blindly retrieve remote
> content.
>
> However: scanning attached and embedded images (and PDFs) for text,
> and URIs (bare or QR encoded) to include would potentially be useful.
>
>

Yes, pre-fetch QR analysis would be useful; sort of like SHORTURL decodes.

Here's some useful Perl using Barcode::ZBar:
Reading QR Codes from Perl - ETOOBUSY (polettix.it)
<https://github.polettix.it/ETOOBUSY/2020/01/22/zbar/>
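Pulling the thread's pieces together (Olivier's proposal of a plugin that decodes a QR code and injects the URL so SA can check it, Bill Cole's point that a filter must never fetch remote content, and Kevin's Barcode::ZBar pointer), here is an added sketch of such a plugin. It is example code written for this page, not code from the thread, from Pedreter's plugin or from the SpamAssassin project. The package name `QRCodeURI`, the rule name `QRCODE_URI` and the `{ qr => 1 }` type tag are made up for the example; it assumes the CPAN modules `Barcode::ZBar` and `Image::Magick` are installed and that the `PerMsgStatus` method `add_uri_detail_list` is available (it is in recent 3.4.x and 4.0 releases). It only decodes attached or inline image parts, so it covers the attachment case Olivier mentions and deliberately does nothing for a remote `<img src=...>` like the sample in the thread.

```perl
# QRCodeURI.pm -- example SpamAssassin plugin (not part of SpamAssassin).
# Decodes QR codes found in attached or inline image parts and feeds the
# decoded URIs into the per-message URI list, so the existing URIBL/URIDNSBL
# rules can check them against blocklists.  It never fetches a remote
# <img src=...>: doing so would act as a read receipt for the sender.
#
# Assumed configuration (rule and plugin names are made up for this example):
#   loadplugin Mail::SpamAssassin::Plugin::QRCodeURI /etc/mail/spamassassin/QRCodeURI.pm
#   body      QRCODE_URI  eval:check_qrcode_uri()
#   describe  QRCODE_URI  Attached image carries a QR code that encodes a URI
#   score     QRCODE_URI  0.5
package Mail::SpamAssassin::Plugin::QRCodeURI;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Conf;
use Mail::SpamAssassin::Logger;   # exports dbg()
use Barcode::ZBar;                # Perl binding for libzbar (QR/barcode decoder)
use Image::Magick;                # used only to turn the image into raw 8-bit grey pixels

our @ISA = qw(Mail::SpamAssassin::Plugin);

# Only these MIME types are handed to the decoder; a PDF would need rasterising first.
my $IMAGE_RE = qr{^image/(?:png|jpeg|gif|bmp)$}i;
# QR payloads treated as URIs worth injecting: web URLs, mailto: and bitcoin: URIs.
my $URI_RE   = qr{^(?:https?://|mailto:|bitcoin:)}i;

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    $self->register_eval_rule('check_qrcode_uri', $Mail::SpamAssassin::Conf::TYPE_BODY_EVALS);
    return $self;
}

# Decode every QR symbol in one image blob; returns the list of payload strings.
sub decode_qr_payloads {
    my ($blob) = @_;
    my $magick = Image::Magick->new();
    my $err = $magick->BlobToImage($blob);
    if ("$err") { dbg("qrcode: cannot read image: $err"); return (); }

    # ZBar wants a plain 8-bit greyscale buffer ('Y800') plus its dimensions.
    my ($w, $h) = $magick->Get(qw(columns rows));
    my $raw = $magick->ImageToBlob(magick => 'GRAY', depth => 8);
    my $image = Barcode::ZBar::Image->new();
    $image->set_format('Y800');
    $image->set_size($w, $h);
    $image->set_data($raw);

    my $scanner = Barcode::ZBar::ImageScanner->new();
    $scanner->parse_config('disable');        # turn off all 1-D barcode symbologies
    $scanner->parse_config('qrcode.enable');  # we only care about QR codes
    $scanner->scan_image($image);

    return map  { $_->get_data() }
           grep { $_->get_type() eq 'QR-Code' } $image->get_symbols();
}

# Runs once per message after MIME parsing and before the rules are evaluated.
sub parsed_metadata {
    my ($self, $opts) = @_;
    my $pms = $opts->{permsgstatus};
    my @uris;

    # find_parts() walks the MIME tree; decode() returns the raw (un-base64'd) bytes.
    foreach my $part ($pms->{msg}->find_parts($IMAGE_RE)) {
        my $blob = $part->decode();
        next unless defined $blob && length $blob;
        foreach my $payload (decode_qr_payloads($blob)) {
            next unless $payload =~ $URI_RE;
            dbg("qrcode: QR in $part->{type} part -> $payload");
            push @uris, $payload;
        }
    }

    # Hand the URIs to the engine's URI list; URIBL/URIDNSBL rules read from it.
    # add_uri_detail_list(uri, types, source) is assumed, as in recent 3.4.x/4.0.
    $pms->add_uri_detail_list($_, { qr => 1 }, 'QRCodeURI') for @uris;
    $pms->{qrcode_uris} = \@uris;
}

# Eval rule: hits when at least one attached image decoded to a URI.
sub check_qrcode_uri {
    my ($self, $pms) = @_;
    return ($pms->{qrcode_uris} && @{ $pms->{qrcode_uris} }) ? 1 : 0;
}

1;
```

The interesting design decision is where the work happens: decoding in `parsed_metadata` means the injected URIs are already in the per-message URI list when URIDNSBL runs, so a phishing domain behind a QR code is scored by the same DNS blocklist lookups as a plain `href` would be, and the `QRCODE_URI` rule itself only needs a small score as an extra indicator. Scanning is limited to the message's own MIME parts, which is the "pre-fetch" analysis Kevin describes; the remote-image case in the original sample is left alone on purpose.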