Phishing scanner

floyd
Is there some type of phishing scanner available for servers, much like the rootkit scanners: something that can be run on the server to scan for web sites that match known phishing signatures?
 
Scanning for signatures wouldn't be very effective, since a single changed letter or a non-standard comment inside the code would alter the signature while still displaying the same page. A good scanner would search through all the client HTML/PHP/etc. source code looking for keywords of the big sites together with a login form on the same page, then report a list of suspicious pages back to you for review. I'm not sure there is anything like this around; someone could always write one, though!
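Something along these lines could be thrown together in Perl. A minimal sketch of the idea (untested; the web root, file extensions, and keyword list are placeholder assumptions):

#!/usr/bin/perl
# Minimal sketch of the keyword scanner (untested). It walks the web
# root and flags any page that mentions a big brand AND contains a
# password field on the same page. Adjust paths and keywords to taste.
use strict;
use warnings;
use File::Find;

my @brands  = qw(paypal ebay lloydstsb bankofamerica);  # example list
my $webroot = '/home';                                  # assumed layout

find(sub {
    return unless -f && /\.(?:html?|php|shtml)$/i;
    open my $fh, '<', $_ or return;
    my $page = do { local $/; <$fh> };   # slurp the whole file
    close $fh;
    my ($brand) = grep { $page =~ /\Q$_\E/i } @brands;
    # A brand name plus a password input on a customer page is suspicious.
    if ($brand && $page =~ /type\s*=\s*["']?password/i) {
        print "SUSPICIOUS: $File::Find::name (mentions $brand)\n";
    }
}, $webroot);

Report-only, of course; a human would still review the list.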
 
Take a look here and let me know if it's something you'd like added to SpamBlocker.

And consider reading elsewhere on the page (here) why we should use blocklists rather than SA rulesets.

Note that these are not simple blocklists to implement; they must be checked during the DATA phase of the SMTP protocol. Please don't try this at home unless you know what you're doing :) .

Comments anyone?

Jeff
 
Jeff

I appreciate everything you do in providing Spamblocker. I use all the blocklists.

However, I was not speaking of email at all. I am speaking of phishing web sites hosted on the server. Occasionally I get an email from eBay or PayPal notifying me about a phishing site that is hosted on one of my servers. Sometimes it's a PHP exploit that allows somebody to upload a site through PHP, and sometimes the user's password is compromised somehow and they simply FTP in and upload the site.

I would like to have a scanner of some sort so that I am notified by my own system about a site hosted here long before one of those companies notifies me. I don't know if there is anything better than grep'ing for keywords in all the users' pages. How are eBay and PayPal being notified? Is it just through copies of spam they receive?
 
Sorry about the confusion.

Both eBay and PayPal have a method in place to be notified of phishing sites by the users who receive the phishing emails. I send them all I get. I'm quite sure that's how they find them.

When you get an email phishing eBay or PayPal, forward the entire email (including headers) to:

spoof at paypal.com

or

spoof at ebay.com

(I presume you know how to make those into real email addresses ;) )

Jeff
 
Comments anyone?

SURBL rejection based on URLs in the message content works well, and it's easy to implement. I am using it WITH the SpamBlocker 2.1.1 exim.conf. In a nutshell, you add some code to exim.pl, a couple of text files for whitelisting and country domains, and a data condition in exim.conf. There is a writeup on the forums.

I use the code from Erik Mugele's website http://www.teuton.org/~ejm/exim_surbl/ . I'd love for it to be an "official" part of SpamBlocker.

Works like a champ, but it wouldn't solve Floyd's request as-is.

Now, somebody could use some of the code from Mugele to pull the URIs out of all the scanned files (php, html, shtml, etc.) and perform the SURBL check on them. I think it would be very processor intensive if done a few times a day; how many files are there per server in the home directories, and what if you start scanning other directories too?
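For what it's worth, here's a rough sketch of that, reusing the same multi.surbl.org zone Mugele's script queries (untested, and deliberately naive: it keeps only the last two labels of each host, where the real script consults the ccTLD list):

#!/usr/bin/perl
# Sketch only: extract http:// hosts from web files and look each one
# up in SURBL, the same zone the exim.pl routine below queries.
use strict;
use warnings;
use File::Find;

sub surbl_listed {
    my ($domain) = @_;
    # Any A record returned by the SURBL zone means "listed".
    return defined gethostbyname($domain . '.multi.surbl.org');
}

find(sub {
    return unless -f && /\.(?:html?|php|shtml)$/i;
    open my $fh, '<', $_ or return;
    my %seen;
    while (my $line = <$fh>) {
        while ($line =~ m{https?://([A-Za-z0-9._-]+)}g) {
            my @labels = split /\./, lc $1;
            next unless @labels >= 2;
            # Naive two-level reduction; no ccTLD handling here.
            my $host = join '.', @labels[-2, -1];
            next if $seen{$host}++;
            print "LISTED: $File::Find::name -> $host\n"
                if surbl_listed($host);
        }
    }
    close $fh;
}, '/home');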

Since I know Mugele's script and have used it for the last two years, I know its routines don't quite catch every single URI in a message. SpamAssassin usually gets those, so it must use different algorithms. We all know spammers obfuscate and encode URIs.

Perhaps it could be modified to keep a database of file checksums and only rescan the files that have been changed or added since the last scan... it gets complicated for a simple guy like me, but it's eminently doable.
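Something like this, perhaps (a sketch, untested; the state-file path is made up):

#!/usr/bin/perl
# Sketch of the checksum idea: keep a flat file of path<TAB>md5 pairs
# and report only files that are new or have changed since the last run.
use strict;
use warnings;
use File::Find;
use Digest::MD5;

my $state = '/var/lib/phishscan.md5';   # hypothetical state file
my %old;
if (open my $fh, '<', $state) {
    while (<$fh>) {
        chomp;
        my ($path, $sum) = split /\t/;
        $old{$path} = $sum;
    }
    close $fh;
}

my %new;
find(sub {
    return unless -f && /\.(?:html?|php|shtml)$/i;
    open my $fh, '<', $_ or return;
    binmode $fh;
    my $sum = Digest::MD5->new->addfile($fh)->hexdigest;
    close $fh;
    $new{$File::Find::name} = $sum;
    print "CHANGED: $File::Find::name\n"
        if !defined $old{$File::Find::name}
        || $old{$File::Find::name} ne $sum;
}, '/home');

# Save the current snapshot for the next run.
open my $out, '>', $state or die "Can't write $state: $!";
print {$out} "$_\t$new{$_}\n" for sort keys %new;
close $out;

Then only the CHANGED files would need the expensive keyword/SURBL pass.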
 
SURBL rejection based on URLs in the message content works well, and it's easy to implement. I am using it WITH the SpamBlocker 2.1.1 exim.conf. In a nutshell, you add some code to exim.pl, a couple of text files for whitelisting and country domains, and a data condition in exim.conf. There is a writeup on the forums.
Which forum(s)? Ours? Can you point me to the posts/threads?
I use the code from Erik Mugele's website http://www.teuton.org/~ejm/exim_surbl/ . I'd love for it to be an "official" part of SpamBlocker.
I think I can add it as is but I'm not sure what you mean about whitelisting and country domains. Our ordinary whitelisting code will work, but what do you mean about country domains?

Thanks.

Jeff
 
Which forum(s)? Ours? Can you point me to the posts/threads?

http://www.directadmin.com/forum/showthread.php?threadid=10959
(We were discussing erroneously blocking gmail, but it came up in the conversation.)

http://www.directadmin.com/forum/showthread.php?t=10036&page=3


I think I can add it as is but I'm not sure what you mean about whitelisting and country domains. Our ordinary whitelisting code will work, but what do you mean about country domains?

The author says it is part of the SURBL implementation guidelines:

ccTLD File

The Perl subroutine script follows the SURBL Implementation Guidelines found at the SURBL website. The script makes use of a file containing Country Code Top Level Domains. Near the top of the script is the following variable definition example:

my $cctld_file = "/usr/local/etc/exim/ccTLD.txt";

This $cctld_file variable MUST be set to the full path of the file containing the list of ccTLDs or the script will not work.

As for whitelisting... it refers to bad URIs in the message. For example, if the URI "widgets.com" is being rejected, you could add it to the whitelist to keep messages that mention it from being rejected, even if it is listed in SURBL.

I happen to have EXACTLY that problem. One of my customer domains, thehighlights.com, is listed in SURBL... has been for years... and no way out. So I whitelist it... so they can mention it in their emails, or receive mail mentioning that string.

Nothing to do with the exim whitelist per se.
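In case it helps anyone: the whitelist file is plain text, one domain per line, and the script skips blank lines and # comments (see the read loop in the code later in this thread). So for my case the entry is simply:

# /etc/surbl_whitelist.txt: one domain per line, matched
# case-insensitively against each domain found in the message
thehighlights.com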
 
I happen to have EXACTLY that problem. One of my customer domains, thehighlights.com, is listed in SURBL... has been for years... and no way out. So I whitelist it... so they can mention it in their emails, or receive mail mentioning that string.

Nothing to do with the exim whitelist per se.
Tell us about how that whitelist works.

Care to show us your code?

I'd like to include your code in SpamBlocker3 if applicable. Are you ready/able/willing to share ;) ?

Jeff
 
Tell us about how that whitelist works.

Care to show us your code?

I'd like to include your code in SpamBlocker3 if applicable. Are you ready/able/willing to share ;) ?

Jeff

Of course! I am humbled that I might actually contribute something, but the credit for the code goes to Erik Mugele, a great guy. Let's see.

First of all, carefully read through the intro to the script to see what applies to you (more than 100,000 messages per day, etc.).

STEP 1 - Customize exim.pl
=====================

Backup your current exim.pl. (cp /etc/exim.pl /etc/exim.pl.bak)

Add the following to the end of exim.pl (the latest version from your site, nobaloney.net, as of this writing; tested and working on my machine).

Latest version always available at: http://www.teuton.org/~ejm/exim_surbl/

This one is already customized to put the two text files that it needs in the "/etc" directory. You might want to change that. See below.

#
# Copyright (c) 2006-2007 Erik Mugele. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# NOTES
# -----
#
# 1. This script makes use of the Country Code Top Level
# Domains (ccTLD) provided by the SURBL group at
# http://spamcheck.freeapp.net/two-level-tlds
# THE VARIABLE $cctld_file MUST BE SET TO THE FULL PATH AND
# NAME OF THE FILE CONTAINING THE CCTLD LIST! (see below)
#
# 2. This script makes use of whitelisting of popular domains. The
# source of the list can be found here:
# http://spamassassin.apache.org/full/3.1.x/dist/rules/25_uribl.cf
# These are domains that are whitelisted by the SURBL group so it
# doesn't make sense to waste resources doing lookups on them.
# THE VARIABLE $whitelist_file MUST BE SET TO THE FULL PATH AND
# NAME OF THE FILE CONTAINING THE WHITE LIST! (see below)
#
# 3. Per the guidelines at http://www.surbl.org, if your site processes
# more than 100,000 messages per day, you should NOT be using the
# public SURBL name servers but should be rsync-ing from them and
# running your own. See http://www3.surbl.org/rsync-signup.html
#
sub surblspamcheck
{
# Designed and written by Erik Mugele, 2004-2006
# http://www.teuton.org/~ejm
# Version 2.0

# The following variable is the full path to the file containing the
# list of Country Code Top Level Domains (ccTLD).
# ---------------------------------------------------------------------
# THIS VARIABLE MUST BE SET TO THE FULL PATH AND NAME OF THE FILE
# CONTAINING THE CCTLD LIST!
# ---------------------------------------------------------------------
my $cctld_file = "/etc/ccTLD.txt";

# The following variable is the full path to the file containing
# whitelist entries.
# ---------------------------------------------------------------------
# THIS VARIABLE MUST BE SET TO THE FULL PATH AND NAME OF THE FILE
# CONTAINING THE WHITELIST DOMAINS!
# ---------------------------------------------------------------------
my $whitelist_file = "/etc/surbl_whitelist.txt";

# This variable defines the maximum MIME file size that will be checked
# if this script is called by the MIME ACL. This is primarily to
# keep the load down on the server. Size is in bytes.
my $max_file_size = 50000;

# The following two variables enable or disable the SURBL and URIBL
# lookups. Set to 1 to enable and 0 to disable.
my $surbl_enable = 1;
my $uribl_enable = 1;

# Check to see if a decoded MIME attachment is being checked or
# just a plain old text message with no attachments
my $exim_body = "";
my $mime_filename = Exim::expand_string('$mime_decoded_filename');
if ($mime_filename) {
# DEBUG Statement
#warn ("MIME FILENAME: $mime_filename\n");
# If the MIME file is too large, skip it.
if (-s $mime_filename <= $max_file_size) {
open(fh,"<$mime_filename");
binmode(fh);
while (read(fh,$buff,1024)) {
$exim_body .= $buff;
}
close (fh);
} else {
$exim_body = "";
}
} else {
$exim_body = Exim::expand_string('$message_body');
}

sub surbllookup {
# This subroutine does the actual DNS lookup and builds and returns
# the return message for the SURBL lookup.
my @params = @_;
my $surbldomain = ".multi.surbl.org";
@dnsbladdr=gethostbyname($params[0].$surbldomain);
# If gethostbyname() returned anything, build a return message.
$return_string = "";
if (scalar(@dnsbladdr) != 0) {
$return_string = "Blacklisted URL in message. (".$params[0].") in";
@surblipaddr = unpack('C4',($dnsbladdr[4])[0]);
if ($surblipaddr[3] & 64) {
$return_string .= " [jp]";
}
if ($surblipaddr[3] & 32) {
$return_string .= " [ab]";
}
if ($surblipaddr[3] & 16) {
$return_string .= " [ob]";
}
if ($surblipaddr[3] & 8) {
$return_string .= " [ph]";
}
if ($surblipaddr[3] & 4) {
$return_string .= " [ws]";
}
if ($surblipaddr[3] & 2) {
$return_string .= " [sc]";
}
$return_string .= ". See http://www.surbl.org/lists.html.";
}
return $return_string;
}

sub uribllookup {
# This subroutine does the actual DNS lookup and builds and returns
# the return message for the URIBL check.
my @params = @_;
my $surbldomain = ".black.uribl.com";
@dnsbladdr=gethostbyname($params[0].$surbldomain);
# If gethostbyname() returned anything, build a return message.
$return_string = "";
if (scalar(@dnsbladdr) != 0) {
$return_string = "Blacklisted URL in message. (".$params[0].") in";
@surblipaddr = unpack('C4',($dnsbladdr[4])[0]);
if ($surblipaddr[3] & 8) {
$return_string .= " [red]";
}
if ($surblipaddr[3] & 4) {
$return_string .= " [grey]";
}
if ($surblipaddr[3] & 2) {
$return_string .= " [black]";
}
$return_string .= ". See http://lookup.uribl.com.";
}
return $return_string;
}

sub converthex {
# This subroutine converts two hex characters to an ASCII character.
# It is called when ASCII obfuscation or Quoted-Printable characters
# are found (e.g. %AE or =AE).
# It should return a converted/plain address after splitting off
# everything that isn't part of the address portion of the URL.
my @ob_parts = @_;
my $address = $ob_parts[0];
for (my $j=1; $j < scalar(@ob_parts); $j++) {
$address .= chr(hex(substr($ob_parts[$j],0,2)));
$address .= substr($ob_parts[$j],2,);
}
$address = (split(/[^A-Za-z0-9._\-]/,$address))[0];
return $address;
}

################
# Main Program #
################

if ($exim_body) {
# Find all the URLs in the message by finding the HTTP string
@parts = split /[hH][tT][tT][pP]:\/\//,$exim_body;
if (scalar(@parts) > 1) {
# Read the entries from the ccTLD file.
open (cctld_handle,$cctld_file) or die "Can't open $cctld_file.\n";
while (<cctld_handle>) {
next if (/^#/ || /^$/ || /^\s$/);
push(@cctlds,$_);
}
close (cctld_handle) or die "Close: $!\n";
# Read the entries from the whitelist file.
open (whitelist_handle,$whitelist_file) or die "Can't open $whitelist_file.\n";
while (<whitelist_handle>) {
next if (/^#/ || /^$/ || /^\s$/);
push(@whitelist,$_);
}
close (whitelist_handle) or die "Close: $!\n";
# Go through each of the HTTP parts that were found in the message
for ($i=1; $i < scalar(@parts); $i++) {
# Special case of Quoted Printable EOL marker
$parts[$i] =~ s/=\n//g;
# Split the parts and find the address portion of the URL.
# Address SHOULD be either a FQDN, IP address, or encoded address.
$address = (split(/[^A-Za-z0-9\._\-%=]/,$parts[$i]))[0];
# Check for an =. If it exists, we assume the URL is using
# Quoted-Printable. Decode it and redefine $address.
if ($address =~ /=/) {
@ob_parts = split /=/,$address;
$address = converthex(@ob_parts);
}
# Check for a %. If it exists the URL is using % ASCII
# obfuscation. Decode it and redefine $address.
if ($address =~ /%/) {
@ob_parts = split /%/,$address;
$address = converthex(@ob_parts);
}
# Split the address into the elements separated by periods.
@domain = split /\./,$address;
# Check the length of the domain name. If there are fewer than two
# elements at this point it is probably bogus, or there is a bug in
# one of the decoding/converting routines above.
if (scalar(@domain) >= 2) {
$return_result="";
# By default, assume that the domain check is on a
# "standard" two level domain
$spamcheckdomain=$domain[-2].".".$domain[-1];
# Check for a two level domain
if (((scalar(@domain) == 2) || (scalar(@domain) >= 5)) &&
(grep(/^$spamcheckdomain$/i,@cctlds))) {
$return_result="cctld";
}
# Check for a three level domain
if (scalar(@domain) == 3) {
if (grep(/^$spamcheckdomain$/i,@cctlds)) {
$spamcheckdomain=$domain[-3].".".$spamcheckdomain;
if (grep(/^$spamcheckdomain$/i,@cctlds)) {
$return_result="cctld";
}
}
}
# Check for a four level domain
if (scalar(@domain) == 4) {
# Check to see if the domain is an IP address
if ($domain[-1] =~ /[a-zA-Z]/) {
if (grep(/^$spamcheckdomain$/i,@cctlds)) {
$spamcheckdomain=$domain[-3].".".$spamcheckdomain;
if (grep(/^$spamcheckdomain$/i,@cctlds)) {
$spamcheckdomain=$domain[-4].".".$spamcheckdomain;
}
}
} else {
# Domain is an IP address
$spamcheckdomain=$domain[3].".".$domain[2].
".".$domain[1].".".$domain[0];
}
}
# DEBUG statement
#warn ("FOUND DOMAIN ($mime_filename): $spamcheckdomain\n");
# If whitelisting is enabled check domain against the
# whitelist.
if ($whitelist_file ne "") {
foreach $whitelist_entry (@whitelist) {
chomp($whitelist_entry);
if ($spamcheckdomain =~ m/^$whitelist_entry$/i) {
$return_result="whitelisted";
last;
}
}
}
# If the domain is whitelisted or in the cctld skip adding
# it to the lookup list.
if ($return_result eq "") {
if (scalar(@lookupdomains) > 0) {
# Check to see if the domain is already in the list.
if (not grep(/^$spamcheckdomain$/i,@lookupdomains)) {
push(@lookupdomains,$spamcheckdomain);
}
} else {
push(@lookupdomains,$spamcheckdomain);
}
}
}
}
# If there are items in the lookupdomains list, perform lookups
# on them. If there are none, something is wrong; just return false.
# There should always be something in the list.
if (scalar(@lookupdomains) > 0) {
foreach $i (@lookupdomains) {
# DEBUG statement.
#warn ("CHECKING DOMAIN ($mime_filename): $i\n");
# If SURBL lookups are enabled do an SURBL lookup
if ($surbl_enable == 1) {
$return_result = surbllookup($i);
}
# If URIBL lookups are enabled and the SURBL lookup failed
# do a URIBL lookup
if (($uribl_enable == 1) && ($return_result eq "")) {
$return_result = uribllookup($i);
}
# If we got a hit return the result to Exim
if ($return_result ne "") {
return $return_result;
}
}
}
}
}
# We didn't find any URLs or the URLs we did find were not
# listed so return false.
return "false";
}

STEP 2 - Insert Country Top Level Domains file
===================================

You must have downloaded and unpacked the files from http://www.teuton.org/~ejm/exim_surbl/exim_surbl-2.0.tar.gz

Put ccTLD.txt in the /etc directory.

Make sure the following line in the code above looks exactly like this, so the script can find the file:

my $cctld_file = "/etc/ccTLD.txt";

That's the location of the Top Level Domains file.

STEP 3 - Insert whitelist file
=====================

From the download, you got a file called "surbl_whitelist.txt". Make sure the script above looks like this:

my $whitelist_file = "/etc/surbl_whitelist.txt";

and put the file in the /etc directory.

You can customize this file, adding or removing any domains that could be trouble. It comes with some 200+ domains that SURBL regards as usually safe, such as apache.org, apple.com, etc., for which lookups are skipped to save resources. Add any domains of your own that might be listed in SURBL.

If you want to check whether you might host a SURBL-listed domain, you can go to this address and check them one by one:

http://www.rulesemporium.com/cgi-bin/uribl.cgi

STEP 4 - Modify exim.conf
====================

Add the following to exim.conf right after "check_message:"

check_message:

############ SURBL DATA ACL CHECK

deny condition = ${if <{$message_size}{100000}{yes}{no}}
condition = ${if eq{$acl_m0}{}{yes}{no}}
set acl_m1 = ${perl{surblspamcheck}}
condition = ${if eq{$acl_m1}{false}{no}{yes}}
message = $acl_m1

############ END SURBL CHECK
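For anyone new to Exim ACL syntax, here is my reading of the stanza, line by line (comments must sit on their own lines in exim.conf; the acl_m0 test is, I assume, there so messages an earlier ACL has already dealt with skip the check):

############ SURBL DATA ACL CHECK (annotated copy, for reference)

# Only check messages smaller than 100,000 bytes...
deny condition = ${if <{$message_size}{100000}{yes}{no}}
# ...that nothing earlier in the ACLs has already flagged...
     condition = ${if eq{$acl_m0}{}{yes}{no}}
# ...then call the surblspamcheck subroutine added to exim.pl...
     set acl_m1 = ${perl{surblspamcheck}}
# ...and deny, quoting its blacklist message, unless it returned "false".
     condition = ${if eq{$acl_m1}{false}{no}{yes}}
     message = $acl_m1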

Note: I also run a ClamAV check, and it goes immediately after this one, so I am assuming the URI check is done before ClamAV is called. I would think it should go first.

STEP 5 - Restart Exim and monitor results
================================

At a shell prompt, run "service exim restart", and then:

tail -f /var/log/exim/mainlog

Look for entries that look like this:

2007-07-09 00:39:18 1I7l1o-0001va-P6 H=ppp-58.8.185.67.revip2.asianet.co.th [58.8.185.67] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (maxibings.com) in [jp] [ab] [ob] [ws] [sc]. See http://www.surbl.org/lists.html.
2007-07-09 00:39:46 1I7l2H-0001vn-9e H=ppp-58.8.185.67.revip2.asianet.co.th [58.8.185.67] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (maxibings.com) in [jp] [ab] [ob] [ws] [sc]. See http://www.surbl.org/lists.html.
2007-07-09 00:39:52 1I7l2N-0001w4-Gq H=33.47.50.60.kmr04-home.tm.net.my [60.50.47.33] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (healtzzone.com) in [jp] [sc]. See http://www.surbl.org/lists.html.
2007-07-09 00:40:16 1I7l2m-0001wL-KF H=train.fortuitousmedia44.com [72.29.77.209] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (fortuitousmedia44.com) in [ob]. See http://www.surbl.org/lists.html.
2007-07-09 00:40:20 1I7l2p-0001wJ-OX H=ppp-58.9.96.31.revip2.asianet.co.th (lfgkdn) [58.9.96.31] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (lyreimburses.com) in [jp] [ob] [sc]. See http://www.surbl.org/lists.html.
2007-07-09 00:40:30 1I7l30-0001wM-0C H=ppp-58.8.185.67.revip2.asianet.co.th [58.8.185.67] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (maxibings.com) in [jp] [ab] [ob] [ws] [sc]. See http://www.surbl.org/lists.html.
2007-07-09 00:45:31 1I7l7r-00023k-Fo H=nat214.ipt.br [200.18.53.214] F=<[email protected]> rejected after DATA: Blacklisted URL in message. (healtdzietts.com) in [jp] [ab] [ob] [ws] [sc]. See http://www.surbl.org/lists.html.

I only picked a few lines; the output is enormous. This is all stuff that somehow got BY SpamBlocker, through no fault of SpamBlocker. I lay the blame on the botnets: they are many individual Windows machines, and there's no way the RBLs can list them all in time. But we know what products/sites they are trying to push, and we catch them!

If you have any trouble with this, it's simple enough to remove.

Take out the check_message code you added, restore your exim.pl from the backup (you made a backup, right?), and restart Exim again.

Then delete the unneeded ccTLD.txt and surbl_whitelist.txt files from the /etc directory.

Again, I have to say the results are nothing short of impressive.

Now, a few words in praise of SpamAssassin... (!)... SA seems to use a different URI-extraction algorithm: it catches a few domains that are not caught by the above script, even though it's checking the same SURBL sources. You must have SURBL checks enabled in SpamAssassin, but that's a whole other issue, and easy enough to do.
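(If you need to turn that on: stock SpamAssassin ships the SURBL rules in 25_uribl.cf via the URIDNSBL plugin, so usually nothing is needed beyond network tests being enabled. A hand-rolled rule would look roughly like this; URIBL_MY_SURBL is a made-up name, the bitmask 8 is the [ph] phishing list per the exim.pl code above, and the loadplugin line normally lives in init.pre:)

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

urirhssub  URIBL_MY_SURBL  multi.surbl.org. A 8
body       URIBL_MY_SURBL  eval:check_uridnsbl('URIBL_MY_SURBL')
describe   URIBL_MY_SURBL  Contains a URL listed in SURBL [ph]
tflags     URIBL_MY_SURBL  net
score      URIBL_MY_SURBL  3.0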

If you read this far... may I recommend installing the BOTNET plugin for SpamAssassin; you'll be astounded. It adds an extra 5.0 points to anything coming in through the zombie networks, and of course you can tweak that to fewer or more points. The default is good for me.

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

On my two most spammed domains I have the filters set to discard at 4.0 and 15.0 respectively. (The 4.0 is personal, the 15.0 is a client's). That pretty much takes care of all spam.
 
Floyd, Jeff,

Another dumb idea from me.

What if you turned this around and actively checked your own IPs to see whether you are listed as hosting a phishing site, rather than scanning thousands of files per server?

http://rhs.mailpolice.com/lookup/indexnew.php

allows you to look up any IPs/domains... if you are running a phishing site, you should pop up on that list fairly soon.

It's Mail Police. They have an RBL lookup. Could a cron job run on your server once per hour and send your IPs to it? Nah, too many queries.

Even better... you are a datacenter. Rsync the whole shebang onto one of your machines, update with whatever frequency they say you should, and scan all the IPs you manage after any change in the sync. The whole thing is only about 200K records.

There are other phishing feeds available elsewhere... they seem to be "for pay".

Too crazy? Maybe I don't know what I am talking about.

edit: mailpolice blocklists are for checking domains (name-based), not IPs... I stand corrected. You'd have to keep a current list of all the DOMAINS you host across all your servers. And they no longer offer a txt file, only rbldnsd format. I don't know how practical/easy that would be. Certainly not for the faint of heart.
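Still, once you had such a zone served locally by rbldnsd, the check itself would be trivial. A sketch (untested; the zone name is a placeholder, and on DirectAdmin boxes the hosted-domain list is /etc/virtual/domains, if memory serves):

#!/usr/bin/perl
# Sketch: look up every hosted domain in a name-based blocklist zone,
# using the same gethostbyname() trick the SURBL code uses. Run from cron.
use strict;
use warnings;

my $zone = 'phishing.example.zone';   # placeholder zone name
open my $fh, '<', '/etc/virtual/domains'
    or die "Can't read domain list: $!";
while (my $domain = <$fh>) {
    chomp $domain;
    next unless length $domain;
    print "LISTED: $domain\n" if defined gethostbyname("$domain.$zone");
}
close $fh;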
 
Some healthy stuff in this thread. Now I just have to find time to read it ;) .

Jeff
 
Floyd, Jeff.

Thanks to the Sanesecurity thread somewhere else on the forums, I had the idea that we could somehow use ClamAV to do the scanning for phishing files on the server.

I corresponded with Steve from Sanesecurity, and he wrote a few pointers on writing a ClamAV signature file to detect local HTML pages that could be phishing pages.

Here are his thoughts:

Hmmm... nice idea... the signatures could be used to detect bank pages, as they are normally just copied HTML files:

For example, here's a (currently) live phishing site (so don't enter any data)

http://rio-bg.com/vasov/components/com_cpg/admin/online.lloydstsb.co.uk/ibc/login.html

As you can see, the above page is just a copied TSB bank page, with no spelling mistakes... If you created a simple ClamAV signature database phishserver.ndb and used something like this inside it:

Html.Server.Phishing.Bank.Sanesecurity.07071700.1:3:*:546F206C6F67206F6E20656E74657220796F7572205573657220494420616E642050617373776F7264*706C6561736520646F206E6F74206C657420616E796F6E65206B6E6F77207468652064657461696C7320796F752075736520746F2061636365737320496E7465726E65742062616E6B696E67

It should detect the text "To log on enter your User ID and Password" followed by "please do not let anyone know the details you use to access Internet" and therefore mark it as a fraud....

but... and here are the problems...
a) it assumes that you don't actually host any banking sites yourself!
b) you'd have to create a signature for every bank type/holding page

You can see an example of how to create such a signature here:

http://sanesecurity.co.uk/clamav/docs.htm

Hope that's a starting point with the idea :)

Thanks again and sorry if this is a little rushed :)

Cheers,

Steve

Steve's site is http://www.sanesecurity.co.uk. Let me know what you think. I am going to fool around with it too.
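By the way, the hex in Steve's signature is just the ASCII bytes of those two phrases. ClamAV's sigtool can generate it (echo -n "some text" | sigtool --hex-dump), or a Perl one-liner does the same:

perl -e 'print uc(unpack("H*", "To log on enter your User ID and Password")), "\n"'
# prints 546F206C6F67206F6E20656E74657220796F7572205573657220494420616E642050617373776F7264

That matches the first half of the signature above, so rolling your own signatures for other phrases is straightforward.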
 
Did you catch what he called a problem? You'll have to create a signature for every bank.

Jeff
 
I have already asked an antiphishing organization for access to a corpus of known phishing pages. If they were to grant me access, perhaps a lot could be done.

I wrote two days ago and haven't received a reply yet.
 
Since phishing sites are taken down almost as fast as they're put up, I'm not sure how successful that route would be.

Jeff
 
In a way, most of these phishing sites try to look like the legitimate bank site, even loading images from it. Perhaps a good trigger could be the fact that a page loads images from known bank sites, PayPal, Amazon, etc.

There are so many ways to go about it... but we have to look at a lot of examples first.

And the idea is not to erase the sites outright, just to generate a report to the administrator, at least that's my thought.

All in all, I think we would be looking for indicators... certain repeated phrases... ways of loading images... more than a few links to a certain bank, PayPal, etc., form requests that save the data to a database or mail it before redirecting the person to the real bank.

I would still think this is the work of a few dozen gangs, and that out of laziness they would not customize their approach THAT much, since it is volume they are looking for. There must be telltale signs that can be detected.
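To make the image idea concrete, a detector for just that one indicator might look like this (untested sketch; the brand list is only an example):

#!/usr/bin/perl
# Sketch: flag local pages whose <img> tags load images from well-known
# bank/payment domains; a copied page usually hotlinks the real site.
use strict;
use warnings;
use File::Find;

my $brands = qr/(?:paypal|ebay|lloydstsb|hsbc|citibank)\.(?:com|co\.uk)/i;

find(sub {
    return unless -f && /\.(?:html?|php|shtml)$/i;
    open my $fh, '<', $_ or return;
    my $page = do { local $/; <$fh> };
    close $fh;
    while ($page =~ m{<img[^>]+src\s*=\s*["']?(https?://[^"'\s>]+)}gi) {
        my $src = $1;
        print "REPORT: $File::Find::name loads $src\n" if $src =~ $brands;
    }
}, '/home');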
 
Actually, you've brought up a very good one... a site that includes visuals from a different URL.

Of course this simply points out that banks could avoid most phishing by eliminating the ability for other sites to call up their images.

Jeff
 
I've implemented the solution mentioned above and it works quite well.
The main area where it could be improved is in regard to the txt files.

1) A cron job could run each month to update the list of TLDs; the URL that returns the list is named at the top of the file (a sketch follows below)
2) The whitelist could automatically be updated from a reliable source (I don't have one)
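For point 1, a root crontab entry along these lines should do (untested; adjust the path, and check that the URL from the comments in the script still works):

# Refresh the ccTLD list at 04:00 on the first of each month
0 4 1 * * wget -q -O /etc/ccTLD.txt http://spamcheck.freeapp.net/two-level-tlds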

Cheers,

Olivier
 
The section to be added to exim.conf is copyrighted. It is also licensed in a way that is incompatible with the license under which exim.conf is distributed (determined by the distributors of Exim), so I cannot add it to exim.conf. I'm not sure I'd add it anyway, but first the copyright holder would have to assign the copyright irrevocably to me (since I maintain exim.conf for DirectAdmin) and then reissue it under the GNU General Public License, version 2.

And considering how the author feels about the work, I cannot recommend that. (I still do not guarantee I'd use the code.)

Note that anyone can use the code; just not for distribution. Since what I do, and what JBMC (the publishers of DirectAdmin) do, is distribution, we can't just add the code as written.

Jeff
 