body URL rewrite

Problems/questions regarding the MailCleaner configuration

Moderators: FlorianB, Pascal, bourgeois, mentor

fgarcia
Posts: 9
Joined: Tue Jul 07, 2015 10:45 am
How did you hear about Mailcleaner: google, articles about open source solutions


Postby fgarcia » Sat Jan 20, 2018 9:45 pm

Hi,
I have a terrible problem with phishing: my users periodically receive messages from phishers requesting their passwords for a lot of stupid reasons. Most of these emails are blocked in MailCleaner, but some of them pass all filters and go to the users' inboxes... and users... users are users :(. When some of them send their password to the phisher, they access the user's mailbox and use their account to send spam or other attacks. What I want is to rewrite all the links in mails to redirect to an intermediate page with some recommendations before following the link. I have found this plugin for SpamAssassin:

https://spamassassin.apache.org/full/3. ... shTag.html

Author page:
http://umut.topkara.org/PhishTag/

Seems like that is exactly what I need, but for some reason it doesn't work. This is my config:

In local.cf:
loadplugin PhishTag /usr/mailcleaner/share/spamassassin/plugins/PhishTag.pm
trigger_ratio 100
rawbody __HAS_LINK1 /a href/i
header __HAS_LINK2 To:addr =~ /fgarpe\@mytestnet\.net/i
meta HAS_LINK (( __HAS_LINK1 + __HAS_LINK2) > 1)
trigger_target HAS_LINK http://www.antiphishing.org/consumer_recs.html
describe HAS_LINK Has links for fgarpe
score HAS_LINK 0.1

I have this config in a test environment; what I want at the moment is to rewrite all the links that appear in all the emails that are sent to my address.
I can see in the headers of the received emails that the rules are applied correctly:

Spamc (score=-99.9, required=5.0,
RCVD_IN_MSPIKE_H3 -0.0, HAS_LINK 0.1, HTML_MESSAGE 0.0,
RCVD_IN_MSPIKE_WL -0.0, PHISHTAG_TOSS -100, RCVD_IN_DNSWL_NONE -0.0,
URIBL_BLOCKED 0.0)

In debug mode I see this in the spamd.log file:

Sat Jan 20 20:38:00 2018 [14208] dbg: PHISHTAG: Fulfilled http://www.antiphishing.org/consumer_recs.html
Sat Jan 20 20:38:00 2018 [14208] dbg: PHISHTAG: Decided to keep this email and point to http://www.antiphishing.org/consumer_recs.html
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: PRISTINE>>
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] --001a113cdea028b1eb05633a55c2
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] Content-Type: text/plain; charset="UTF-8"
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] http://www.mytestnet.net
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] mytestnet <http://www.mytestnet.net>
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] --001a113cdea028b1eb05633a55c2
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] Content-Type: text/html; charset="UTF-8"
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] <div dir="ltr"><div><a href="http://www.mytestnet.net">http://www.mytestnet.net</a><br><br></div><a href="http://www.mytestnet.net">mytestnet</a><br></div>
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] --001a113cdea028b1eb05633a55c2--
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: PRISTINE>>
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] --001a113cdea028b1eb05633a55c2
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] Content-Type: text/plain; charset="UTF-8"
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] http://www.antiphishing.org/consumer_recs.html
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] mytestnet <http://www.antiphishing.org/consumer_recs.html>
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] --001a113cdea028b1eb05633a55c2
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] Content-Type: text/html; charset="UTF-8"
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] <div dir="ltr"><div><a href="http://www.antiphishing.org/consumer_recs.html">http://www.antiphishing.org/consumer_recs.html</a><br><br></div><a href="http://www.antiphishing.org/consumer_recs.html">mytestnet</a><br></div>
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...]
Sat Jan 20 20:38:01 2018 [14208] dbg: generic: [...] --001a113cdea028b1eb05633a55c2--

Seems like the plugin works... but in my inbox I see the original message, not the converted message :(

Can someone help me?
steeleyjim
Posts: 2
Joined: Thu Jan 28, 2016 5:30 pm
How did you hear about Mailcleaner: work

Re: body URL rewrite

Postby steeleyjim » Fri Mar 16, 2018 10:37 pm

Hi, I am interested to know if you managed to get this working.

It seems like URL rewrite or link protection is becoming a necessary feature, and the likes of Mimecast and Symantec, to name a few, offer it already.

We have a huge problem with phishing mails getting through and I am trying to find a solution other than changing to another product.
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: body URL rewrite

Postby FlorianB » Sat Mar 17, 2018 11:39 am

Hello,
The way SpamAssassin (spamc talking to spamd, to be exact) works in MailCleaner is different from the usual MailScanner + SpamAssassin setup, so it can't change the body in any way.
Some Postfix or Exim filter should probably be used to do this, as MailScanner itself will handle message modification, so SpamAssassin can't change anything.
If I have some free time (and I'll have some), I'll probably work on this more deeply, as it could be interesting.
Regards,
Florian
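
An added example (not part of the original posts, and not MailCleaner or PhishTag code) of the kind of body rewrite a separate mail filter would have to do: it wraps links in the text/plain and text/html parts so they point at a warning page first. The warning page URL, the shared secret, the HMAC signature on each link and all function names are assumptions; only quoted `href` values are handled.

```python
import hashlib, hmac, html, re
from email import message_from_string, policy
from urllib.parse import quote

# Assumptions (not MailCleaner or PhishTag settings): a hypothetical warning page
# on the mail gateway and a secret shared between this filter and that page.
WARN_PAGE = "https://mailgate.example.invalid/warn"
SECRET = b"constructed-demo-key"
HREF_RE = re.compile(r"""(href\s*=\s*)(["'])(https?://.*?)\2""", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def sign(url):
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()
def verify(url, sig):  # run by the warning page so it is not an open redirector
    return hmac.compare_digest(sign(url), sig)

def wrap(url):
    if url.startswith(WARN_PAGE + "?"):  # already rewritten, leave alone
        return url
    return f"{WARN_PAGE}?u={quote(url, safe='')}&sig={sign(url)}"

def rewrite_html(body):  # only href targets change; visible link text is kept
    def repl(m):
        target = wrap(html.unescape(m.group(3)))
        return m.group(1) + m.group(2) + html.escape(target) + m.group(2)
    return HREF_RE.sub(repl, body)

def rewrite_plain(body):
    def repl(m):
        url = m.group(0).rstrip(".,;:!?)")  # keep sentence punctuation outside
        return wrap(url) + m.group(0)[len(url):]
    return URL_RE.sub(repl, body)

def rewrite_message(raw):
    """Wrap links in the text/plain and text/html parts of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and not part.is_attachment():
            fix = rewrite_html if ctype == "text/html" else rewrite_plain
            part.set_content(fix(part.get_content()), subtype=part.get_content_subtype())
    return msg

# Constructed sample modelled on the test message in the thread.
SAMPLE = ('To: fgarpe@mytestnet.net\nMIME-Version: 1.0\n'
          'Content-Type: multipart/alternative; boundary="b1"\n\n'
          '--b1\nContent-Type: text/plain; charset="UTF-8"\n\nmytestnet <http://www.mytestnet.net>.\n'
          '--b1\nContent-Type: text/html; charset="UTF-8"\n\n'
          '<a href="http://www.mytestnet.net/?a=1&amp;b=2">mytestnet</a>\n--b1--\n')
```

Changing the body invalidates any DKIM body hash and S/MIME or PGP signature on the message, so a filter like this belongs after signature checks at the gateway.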
bourgeois
Site Admin
Posts: 44
Joined: Tue Sep 05, 2006 4:39 pm
How did you hear about Mailcleaner: TEAM
Location: St-Sulpice CH

Re: body URL rewrite

Postby bourgeois » Sun Mar 18, 2018 10:51 am

Hi
The first point to reduce targeted phishing is to configure the domain and MailCleaner as best as possible:
- Add a strict SPF to your domain in your DNS
- Activate the SPF control in MailCleaner SMTP check "Reject wrong SPF (fail result) :"
- Activate the "Reject unauthorized messages from this domain : " option in the domain conf in MailCleaner
This should avoid 99% of targeted phishing with sender usurpation.

OB
steeleyjim
Posts: 2
Joined: Thu Jan 28, 2016 5:30 pm
How did you hear about Mailcleaner: work

Re: body URL rewrite

Postby steeleyjim » Tue Apr 17, 2018 5:14 pm

Hi bourgeois, whilst this obviously helps with preventing unwanted email and is useful, it doesn't address the fact that rival products have the ability to rewrite a URL.

Hopefully there will be some progress on this in the near future.

Thanks.
