Mailing List Archive

URL Time-of-Click Protection
Hi all,

I'm curious what people think of URL rewriting or otherwise having some
kind of idea of whether a URL could or should be scanned at some later time
to determine if it's potentially malicious at the current time where it may
not have been initially?

Is anyone implementing that in open source?

What are the disadvantages of doing this? I'm not talking about actually
checking the URL in advance, but I suppose some kind of wrapper that scans
it at the time the user visits.
Re: URL Time-of-Click Protection
On Fri, May 12, 2023 at 11:57:57AM -0400, Alex wrote:
> I'm curious what people think of URL rewriting or otherwise having some

Such rewriting would break digital signatures, and would not work at
all e.g. on encrypted e-mails.

> kind of idea of whether a URL could or should be scanned at some later time
> to determine if it's potentially malicious at the current time where it may
> not have been initially?
>
> Is anyone implementing that in open source?

Like, for example, in Firefox browser? It does that (by default I
think) when you click on any website.

In Firefox preferences, click under "Privacy & Security" and look for
checkboxes under "Deceptive Content and Dangerous Software Protection".

> What are the disadvantages of doing this? I'm not talking about actually
> checking the URL in advance, but I suppose some kind of wrapper that scans
> it at the time the user visits.

Disadvantage with Firefox blocklists like the above is that someone has
to report that a malicious site is malicious. See:
https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

But there are so many definitions of "malicious" that other, more
heuristic-based approaches (which would not need previous reporting),
like those antiviruses employ, might not work (e.g. if it is not just
"executable malicious code downloaded to computer"). For example, is a
shopping site that looks veeeery similar to a more popular brand
also malicious? How about a banking site? How about fake news? How
about regular news? Opinions might range from "none of those is
malicious" to "all of them are malicious" :-)

But none of that has much connection with SpamAssassin (well, I guess
a plugin for SA might do URL body rewriting for some other tool to
intercept, but it is way outside of its scope. Just use some
configurable proxy tool if you want to enforce it in your
organization instead of depending on Mozilla lists).

--
Opinions above are GNU-copylefted.
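The wrapper Alex asks about, together with the signature-breaking point made in the reply, as an added example that is not part of either message and is not SpamAssassin code. It assumes a hypothetical wrapper endpoint (clickcheck.example.invalid), a shared HMAC key, a hostname blocklist that is consulted at click time rather than at delivery time, and a constructed sample message whose hosts are not real.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed wrapper endpoint and signing key (hypothetical, for this example only).
WRAPPER_BASE = "https://clickcheck.example.invalid/go"
SIGNING_KEY = b"replace-with-a-real-secret"

# Matches http(s) URLs up to the first whitespace, angle bracket or quote.
URL_RE = re.compile(r'''https?://[^\s<>"']+''')


def sign(url):
    """HMAC over the original URL so the wrapper cannot be abused as an open redirect."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def wrap_url(url):
    """Replace a URL with a wrapper link carrying the original URL and its signature."""
    return WRAPPER_BASE + "?" + urlencode({"u": url, "sig": sign(url)})


def rewrite_body(body):
    """Rewrite every URL in a message body; this is the edit that alters signed content."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0)), body)


def body_hash(body):
    """Stand-in for a DKIM body hash: any byte changed after signing breaks verification."""
    return hashlib.sha256(body.encode()).hexdigest()


def host_listed(host, blocklist):
    """True if the host itself or any parent domain is on the blocklist."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def time_of_click(wrapped, blocklist):
    """Decision taken when the user clicks, against the blocklist as it is *now*.

    Returns (verdict, original_url) with verdict one of 'reject' (signature
    mismatch, i.e. a tampered or forged link), 'block' (host listed) or 'allow'.
    """
    query = parse_qs(urlparse(wrapped).query)
    url = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    if not hmac.compare_digest(sig.encode(), sign(url).encode()):
        return ("reject", url)
    host = urlparse(url).hostname or ""
    if host_listed(host, blocklist):
        return ("block", url)
    return ("allow", url)


# Constructed sample message; the hosts are not real.
SAMPLE_BODY = (
    "Hi,\n\n"
    "Please review the invoice at http://phish.example/login?id=42 before Friday.\n"
    "Our site: <https://www.example.com/>\n"
)

if __name__ == "__main__":
    rewritten = rewrite_body(SAMPLE_BODY)
    print(rewritten)
    print("body hash changed:", body_hash(SAMPLE_BODY) != body_hash(rewritten))

    link = wrap_url("http://phish.example/login?id=42")
    # At delivery time nobody has reported the host yet: the click is allowed.
    print(time_of_click(link, set()))
    # Hours later the host has been reported; the same link now blocks.
    print(time_of_click(link, {"phish.example"}))
    # Someone edits the wrapped link to point elsewhere; the signature fails.
    print(time_of_click(link.replace("phish.example", "evil.example"), set()))
```

The HMAC is what keeps the wrapper from becoming an open redirect that anyone can point at their own site. The body-hash comparison is the concrete form of the reply's first objection: a DKIM signature covers the body, so the rewrite has to happen after inbound verification, the message has to be re-signed if it is relayed onward, and an S/MIME or PGP-encrypted body cannot be rewritten at all. The click-time check also inherits the limitation noted for the Firefox lists: it only blocks hosts that someone has reported by the time of the click.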