spamassassin-users mailing list archives

From Axb <axb.li...@gmail.com>
Subject Re: Dealing with links to malicious documents
Date Tue, 13 Mar 2018 18:41:54 GMT
On 03/13/2018 07:13 PM, Olivier Coutu wrote:
> In the last few months, we have seen an increase in generic emails (e.g. 
> regarding unpaid invoices) being sent with links to infected legitimate 
> websites hosting malware. This malware often comes in the form of docs 
> with macros, e.g. https://pastebin.com/VHz41RUL
> 
> In a lot of cases, neither the sender nor the URL is listed in any 
> blacklists at send time, and we are looking into ways to deal with these 
> links. We have developed some heuristics based on the text but this is 
> more reactive than proactive and the spams often are very similar to 
> legitimate emails. Ideally we would be able to see what is /really/ 
> behind these links.
> 
> The technologies we know exist are:
> 
> a) Link following
> Whether it is only for url shorteners or for all links, simulating a 
> click could give us info on what will happen, but has implications when 
> the website interprets that like a click from the user and updates their 
> database in some way such as unsubscribing a user.
> 
> b) Link rewriting
> Rewrite the link so that it is analysed by the anti-spam provider at 
> click-time. Costly to implement and breaks message integrity/DKIM. Even 
> after 24h, a lot of these infected websites are not listed on 
> blacklists. This method also has privacy implications.
> 
> c) DNS-based approaches
> Similar to link rewriting, use a dns-firewall such as Cisco Umbrella to 
> block queries to malicious websites. Our tests indicate that this does 
> not work very well for the aforementioned infected websites. It might 
> work well for C&C servers but we feel like that is a bit late to avoid 
> an infection.
> 
> Are there other solutions that we have not thought of? Are any of you 
> having trouble with these types of links?

Why not write a bunch of SA URI rules and/or ClamAV sigs to handle them?
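As an added illustration of the URI-rule approach suggested above (example rules, not from the thread or from the SpamAssassin project), the following local.cf fragment scores the pattern described in the original question: an invoice lure combined with a link to a downloadable Office document on an otherwise unlisted host. Rule names, patterns and scores are constructed assumptions to be tuned against local traffic.

```spamassassin
# Added example rules for local.cf (constructed; not from the thread).
# Rules prefixed with __ are evaluated but never scored on their own;
# only the meta rule at the bottom contributes to the final score.

# Link whose path ends in a macro-enabled Office document.
uri  __LOCAL_URI_MACRO_DOC  /\.(?:docm|dotm|xlsm|pptm)(?:[?#]|$)/i

# Office document or archive served from a content-management upload
# path, a common shape for downloads hosted on compromised sites.
uri  __LOCAL_URI_CMS_DOC  /\/wp-(?:content|includes)\/.*\.(?:doc|docm|xls|xlsm|zip)(?:[?#]|$)/i

# Invoice / payment lure wording in the Subject header or the body.
header  __LOCAL_SUBJ_INVOICE  Subject =~ /\b(?:invoice|overdue|unpaid|remittance)\b/i
body    __LOCAL_BODY_INVOICE  /\b(?:unpaid invoice|overdue (?:invoice|payment)|view (?:your )?invoice)\b/i

# Fire only when lure text and a document link occur together, which keeps
# ordinary "here is the .docm you asked for" mail from matching on its own.
meta      LOCAL_INVOICE_DOC_LINK  (__LOCAL_SUBJ_INVOICE || __LOCAL_BODY_INVOICE) && (__LOCAL_URI_MACRO_DOC || __LOCAL_URI_CMS_DOC)
describe  LOCAL_INVOICE_DOC_LINK  Invoice lure with link to a downloadable Office document
score     LOCAL_INVOICE_DOC_LINK  3.0

# Note: uri rules only inspect URLs present in the message text; they do
# not fetch the link, so they carry none of the "simulated click" side
# effects raised under option (a) in the question, but also cannot see
# what a redirector or shortener ultimately resolves to.
```

Validate the syntax with `spamassassin --lint` and check the scoring against a saved sample with `spamassassin -t < sample.eml`.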
