Mailing List Archive

external API request
Hi,
Anyone know if there is a way to request an external API through a SpamAssassin plugin?
It will be to search a URL extracted by SA from a body of a mail and check if it's referenced with an API request on an external service (virustotal or other).
We receive some mails with URL inside whose page contains malware.
One day, a user will click on it...
If I can junk it before, it would be great.
Mat
Re: external API request
On Friday 27 October 2023 at 16:56:36, DEMBLANS Mathieu wrote:

> Hi,
> Anyone know if there is a way to request an external API through a
> SpamAssassin plugin? It will be to search a URL extracted by SA from a
> body of a mail and check if it's referenced with an API request on an
> external service (virustotal or other). We receive some mails with URL
> inside whose page contains malware. One day, a user will click on it...
> If I can junk it before, it would be great.

You may want to be cautious about "checking" URLs in this way, because some
emails will contain things like "to unsubscribe, click here" or "accept
meeting invitation?" and so on.

You do not really want some automated system "clicking" on URLs like that and
triggering external events either without the user's knowledge (they haven't
even seen the email at this stage) or indeed doing something they do not want.


Antony.

--
Because it messes up the order in which people normally read text.
> Why is top-posting such a bad thing?
> > Top-posting.
> > > What is the most annoying way of replying to e-mail?

Please reply to the list;
please *don't* CC me.
Re: external API request
On Fri, 27 Oct 2023, Antony Stone wrote:

> On Friday 27 October 2023 at 16:56:36, DEMBLANS Mathieu wrote:
>
>> Hi,
>> Anyone know if there is a way to request an external API through a
>> SpamAssassin plugin? It will be to search a URL extracted by SA from a
>> body of a mail and check if it's referenced with an API request on an
>> external service (virustotal or other). We receive some mails with URL
>> inside whose page contains malware. One day, a user will click on it...
>> If I can junk it before, it would be great.
>
> You may want to be cautious about "checking" URLs in this way, because some
> emails will contain things like "to unsubscribe, click here" or "accept
> meeting invitation?" and so on.
>
> You do not really want some automated system "clicking" on URLs like that and
> triggering external events either without the user's knowledge (they haven't
> even seen the email at this stage) or indeed doing something they do not want.

It doesn't sound like it will *visit* the link, just ask some service if
the link has a reputation.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
4 days until Halloween
Re: external API request
On Friday 27 October 2023 at 17:07:41, John Hardin wrote:

> On Fri, 27 Oct 2023, Antony Stone wrote:
> > On Friday 27 October 2023 at 16:56:36, DEMBLANS Mathieu wrote:
> >> Hi,
> >> Anyone know if there is a way to request an external API through a
> >> SpamAssassin plugin? It will be to search a URL extracted by SA from
> >> a body of a mail and check if it's referenced with an API request on an
> >> external service (virustotal or other). We receive some mails with URL
> >> inside whose page contains malware. One day, a user will click on it...
> >> If I can junk it before, it would be great.
> >
> > You may want to be cautious about "checking" URLs in this way, because
> > some emails will contain things like "to unsubscribe, click here" or
> > "accept meeting invitation?" and so on.
> >
> > You do not really want some automated system "clicking" on URLs like that
> > and triggering external events either without the user's knowledge (they
> > haven't even seen the email at this stage) or indeed doing something
> > they do not want.
>
> It doesn't sound like it will *visit* the link, just ask some service if
> the link has a reputation.

Fair enough; I still think it's something worth keeping in mind, though,
depending on what the OP meant by "virustotal or other" :)

Antony.

--
The truth is rarely pure, and never simple.

- Oscar Wilde

Please reply to the list;
please *don't* CC me.
Re: external API request
On 2023-10-27 at 10:56:36 UTC-0400 (Fri, 27 Oct 2023 14:56:36 +0000)
DEMBLANS Mathieu <demblans.m@mipih.fr>
is rumored to have said:

> Hi,
> Anyone know if there is a way to request an external API through a
> SpamAssassin plugin?

There is no existing SA plugin which implements an interface to any
generic web API (such as REST endpoints) but there's no reason one could
not write a plugin to access such external APIs. Spamhaus has done this,
for example. Also see SpamAssassin::Plugin::URIDNSBL, which implements a
process for using the DNSBL mechanism with URIs, as is used by multiple
blocklist providers.

> It will be to search a URL extracted by SA from a body of a mail and
> check if it's referenced with an API request on an external service
> (virustotal or other).

Look at how the various URIBL* rules and SpamAssassin::Plugin::URIDNSBL
work.

> We receive some mails with URL inside whose page contains malware.
> One day, a user will click on it...
> If I can junk it before, it would be great.

The current URIBL* rules may be helpful, if you are able to use them. If
you use other people's open DNS resolvers, that can take a small amount
of work, to stand up your own autonomous caching resolver.

If you need a web API backend rather than a DNSBL, you would need to
write that plugin specifically for that backend.

We do accept feature requests in the Bugzilla, but at this point we do
not have a list of developers waiting to take on the feature request
list, so if you really need it, you'd need to create it yourself.




--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
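
A sketch of the kind of backend-specific plugin the last reply describes, added here as an illustration and not taken from the thread or from the SpamAssassin project. The plugin name, rule name, endpoint, API key header and the `malicious` response field are all assumptions; the plugin asks the reputation service about each URI and never fetches the URI itself.

```perl
package Mail::SpamAssassin::Plugin::URLReputation;   # hypothetical plugin name
use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use HTTP::Tiny;
use JSON::PP qw(decode_json);
use MIME::Base64 qw(encode_base64url);
our @ISA = qw(Mail::SpamAssassin::Plugin);

# Placeholder endpoint and key: substitute your reputation provider's values.
my $API         = 'https://reputation.example.invalid/v1/url/';
my $KEY         = 'API-KEY-PLACEHOLDER';
my $MAX_LOOKUPS = 5;   # cap queries so a URL-stuffed mail cannot stall the scan

# Wiring in a .cf file (rule name and score are assumptions):
#   loadplugin Mail::SpamAssassin::Plugin::URLReputation /path/to/URLReputation.pm
#   body  URL_REPUTATION_BAD  eval:check_url_reputation()
#   score URL_REPUTATION_BAD  3.0

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  $self->register_eval_rule('check_url_reputation');
  $self->{http} = HTTP::Tiny->new(timeout => 3, verify_SSL => 1);
  return $self;
}

# Eval rule: true if the service flags any http(s) URI found in the message.
# Only the reputation API is contacted; the URI in the mail is never requested.
sub check_url_reputation {
  my ($self, $pms) = @_;
  my $details = $pms->get_uri_detail_list();
  my $n = 0;
  for my $uri (sort keys %$details) {
    my $clean = $details->{$uri}{cleaned}[0] or next;
    next unless $clean =~ m{^https?://}i;
    last if ++$n > $MAX_LOOKUPS;
    my $res = $self->{http}->get($API . encode_base64url($clean),
                                 { headers => { 'x-api-key' => $KEY } });
    next unless $res->{success};           # fail open on timeout or API error
    my $verdict = eval { decode_json($res->{content}) } or next;
    return 1 if ref $verdict eq 'HASH' && $verdict->{malicious};
  }
  return 0;
}

1;
```

The HTTP call here is synchronous, so each lookup adds up to the timeout to scan time. Full URLs, including any per-recipient tokens they carry, are disclosed to the reputation provider.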