spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Hardin <>
Subject Re: Dealing with links to malicious documents
Date Tue, 13 Mar 2018 18:47:56 GMT
On Tue, 13 Mar 2018, Alex wrote:

> Hi,
> On Tue, Mar 13, 2018 at 2:21 PM, John Hardin <> wrote:
>> On Tue, 13 Mar 2018, Olivier Coutu wrote:
>>> In the last few months, we have seen an increase of generic emails (e.g.
>>> regarding unpaid invoices) being sent with links to infected legitimate
>>> websites hosting malware. This malware often comes in the form of docs with
>>> macros e.g.
>>> In a lot of cases, neither the sender nor the URL are listed in any
>>> blacklists at send time, and we are looking into ways to deal with these
>>> links. We have developed some heuristics based on the text but this is more
>>> reactive than proactive and the spams often are very similar to legitimate
>>> emails. Ideally we would be able to see what is /really/ behind these links.
>>> The technologies we know exist are:
>>> a) Link following
>>> Whether it is only for url shorteners or for all links, simulating a click
>>> could give us info on what will happen, but has implications when the
>>> website interprets that like a click from the user and updates their
>>> database in some way such as unsubscribing a user.
>>> b) Link rewriting
>>> Rewrite the link so that it is analysed by the anti-spam provider at
>>> click-time. Costly to implement and breaks message integrity/DKIM. Even
>>> after 24h, a lot of these infected websites are not listed on blacklists.
>>> This method also has privacy implications.
>>> c) DNS-based approaches
>>> Similar to link rewriting, use a dns-firewall such as Cisco Umbrella to
>>> block queries to malicious websites. Our tests indicate that this does not
>>> work very well for the aforementioned infected websites. It might work well
>>> for C&C servers but we feel like that is a bit late to avoid an infection.
>>> Are there other solutions that we have not thought of? Are any of you
>>> having trouble with these types of links?
>> d) Don't accept emails from outside your organization that link to hosted
>> documents. The document needs to be attached, so that it can be scanned.
>> Unfortunately this is not feasible if you're not a (at least
>> semi-)monolithic organization where you can apply such policies.
> I don't think denying access to direct downloads in email is really a
> policy that would work in any moderately sized organization. I tried
> looking at this in the recent past, and it would block a ton of
> legitimate email.

Really? That surprises me a bit. PDFs I could see, but document files?

> Also, in this particular case, you don't know that the link downloads
> something until you actually click on it or follow it.

Ah, yes, that wouldn't work.

>> e) if you are a (semi-)monolithic organization that uses a boundary proxy to
>> control web access, then add such URLs to that proxy's blocklist until the
>> contents can be scanned, or so that the proxy does the redirect-through-AV
>> automatically (not sure if that will work, though).
> I think what some providers do is wrap the URL and at some point later
> (after perhaps the domain or URL itself is listed by an RBL) disable
> the link for when the recipient clicks the link or views the email. I
> don't know how (or whether) they always break DKIM in the process.
> That would be interesting to find out.

  John Hardin KA7OHZ              FALaholic #11174     pgpk -a
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
   Gun Control is marketed to the public using the appealing delusion
   that violent criminals will obey the law.
  Tomorrow: Albert Einstein's 139th Birthday

View raw message