I am trying to write a rule that helps catch phishing emails. These emails
do NOT have any url spoofing in them. They are pure and simple social
engineering.
I have started with the following theory to identify several factors that
contribute to an email such as this which will be expanded if I can get this
first ground work done. Basically, if you have a form in an email and ask
for a credit card, etc. it's probably a phish. That's my theory. I almost
think any <input> tags are likely to be a scam but I haven't researched that
further to see if there are legitimate companies doing forms in their
emails.
However, I am having troubles getting the rules like name=password to match.
My regexp below seems fine but just writing name=password in an email
doesn't trigger the rule. Any insight would be appreciated as I imagine
it's got to be something SpamAssassin specific with regexp's or just my
brain overworked.
Regards,
KAM
#COMBO rules to catch phishing expeditions
#SWITCH TO __KAM_PHISH AFTER TESTING
body KAM_PHISH_01 /<input /i
describe KAM_PHISH_01 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_01 0.15
body KAM_PHISH_02 /credit card fail/i
describe KAM_PHISH_02 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_02 0.15
body KAM_PHISH_03 /\bauthoriz/i
describe KAM_PHISH_03 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_03 0.15
body KAM_PHISH_04 /\bname=cc/i
describe KAM_PHISH_04 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_04 0.15
body KAM_PHISH_05 /\bname=cvv/i
describe KAM_PHISH_05 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_05 0.15
body KAM_PHISH_06 /\bname=pin/i
describe KAM_PHISH_06 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_06 0.15
body KAM_PHISH_07 /\bname=date/i
describe KAM_PHISH_07 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_07 0.15
body KAM_PHISH_08 /\bname=year/i
describe KAM_PHISH_08 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_08 0.15
body KAM_PHISH_09 /\bname=month/i
describe KAM_PHISH_09 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_09 0.15
body KAM_PHISH_10 /\btype=submit/i
describe KAM_PHISH_10 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_10 0.15
body KAM_PHISH_11 /\baccount management\b/i
describe KAM_PHISH_11 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_11 0.15
body KAM_PHISH_12 /\bname=password/i
describe KAM_PHISH_12 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_12 0.15
body KAM_PHISH_13 /<form.*action\=.*>/i
describe KAM_PHISH_13 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_13 0.15
body KAM_PHISH_14 /\bname\=username/i
describe KAM_PHISH_14 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_14 0.15
meta KAM_combo_PHISH ((KAM_PHISH_01 + KAM_PHISH_02 +
KAM_PHISH_03 + KAM_PHISH_04 + KAM_PHISH_05 + KAM_PHISH_06 + KAM_PHISH_07 +
KAM_PHISH_08 + KAM_PHISH_09 + KAM_PHISH_10 + KAM_PHISH_11 + KAM_PHISH_12 +
KAM_PHISH_13 + KAM_PHISH_14) > 6)
describe KAM_combo_PHISH KAM - Phishing Expedition Email
Probability High
score KAM_combo_PHISH 1.0 #RAISE AFTER MORE TESTING
Regards,
KAM
do NOT have any url spoofing in them. They are pure and simple social
engineering.
I have started with the following theory to identify several factors that
contribute to an email such as this which will be expanded if I can get this
first ground work done. Basically, if you have a form in an email and ask
for a credit card, etc. it's probably a phish. That's my theory. I almost
think any <input> tags are likely to be a scam but I haven't researched that
further to see if there are legitimate companies doing forms in their
emails.
However, I am having troubles getting the rules like name=password to match.
My regexp below seems fine but just writing name=password in an email
doesn't trigger the rule. Any insight would be appreciated as I imagine
it's got to be something SpamAssassin specific with regexp's or just my
brain overworked.
Regards,
KAM
#COMBO rules to catch phishing expeditions
#SWITCH TO __KAM_PHISH AFTER TESTING
body KAM_PHISH_01 /<input /i
describe KAM_PHISH_01 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_01 0.15
body KAM_PHISH_02 /credit card fail/i
describe KAM_PHISH_02 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_02 0.15
body KAM_PHISH_03 /\bauthoriz/i
describe KAM_PHISH_03 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_03 0.15
body KAM_PHISH_04 /\bname=cc/i
describe KAM_PHISH_04 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_04 0.15
body KAM_PHISH_05 /\bname=cvv/i
describe KAM_PHISH_05 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_05 0.15
body KAM_PHISH_06 /\bname=pin/i
describe KAM_PHISH_06 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_06 0.15
body KAM_PHISH_07 /\bname=date/i
describe KAM_PHISH_07 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_07 0.15
body KAM_PHISH_08 /\bname=year/i
describe KAM_PHISH_08 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_08 0.15
body KAM_PHISH_09 /\bname=month/i
describe KAM_PHISH_09 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_09 0.15
body KAM_PHISH_10 /\btype=submit/i
describe KAM_PHISH_10 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_10 0.15
body KAM_PHISH_11 /\baccount management\b/i
describe KAM_PHISH_11 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_11 0.15
body KAM_PHISH_12 /\bname=password/i
describe KAM_PHISH_12 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_12 0.15
body KAM_PHISH_13 /<form.*action\=.*>/i
describe KAM_PHISH_13 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_13 0.15
body KAM_PHISH_14 /\bname\=username/i
describe KAM_PHISH_14 Partial Rule to try and Catch Phishing
Emails
score KAM_PHISH_14 0.15
meta KAM_combo_PHISH ((KAM_PHISH_01 + KAM_PHISH_02 +
KAM_PHISH_03 + KAM_PHISH_04 + KAM_PHISH_05 + KAM_PHISH_06 + KAM_PHISH_07 +
KAM_PHISH_08 + KAM_PHISH_09 + KAM_PHISH_10 + KAM_PHISH_11 + KAM_PHISH_12 +
KAM_PHISH_13 + KAM_PHISH_14) > 6)
describe KAM_combo_PHISH KAM - Phishing Expedition Email
Probability High
score KAM_combo_PHISH 1.0 #RAISE AFTER MORE TESTING
Regards,
KAM