this regex (all in one line) example will call sub
CorrectASSPcfg::tagSubject if a match is found - values are bold
(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.?
*)?(?{local %_ = qw, fname paul sname jones domain OurCharity.org
,})(?:(??{$_{'fname'}})[.\x20_\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[,\x20](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E(?{&CorrectASSPcfg::tagSubject($fh)})
this example requires the hidden variable 'AllowCodeInRegex' to be set to
1
in the sub CorrectASSPcfg::tagSubject you can do and modify what ever you
want (even the complete mail)
modify the subject - example
my $fh = shift;
return unless $fh;
return unless exists $main::Con{$fh};
my $this = $main::Con{$fh};
my $HeaderRe = $main::HeaderRe;
my $HeaderValueRe = $main::HeaderValueRe;
$this->{header} =~ s/($HeaderRe*)(subject:)($HeaderValueRe)/$1$2
your_tag$3/io;
$this->{maillength} = $this->{headerlength} = length($this->{header});
mlog($fh,"info: found match for local name in external mail - subject was
modified");
return 1;
Thomas
Von: "K Post" <[email protected]>
An: "ASSP development mailing list" <[email protected]>
Datum: 18.02.2020 19:33
Betreff: Re: [Assp-test] Message body modification
I know we've been round and round on this, but it continues to be a
problem, and it's only getting worse. Spear phishing via CEO name
spoofing is all too common and ASSP doesn't yet do all that much to to
protect.
Today our staff got hit with another spear phishing email from a gmail
account that was created with our director's name on it. The staff is
trained very well and they didn't fall for it, but it was really cleverly
crafted and obviously had some inside information that if followed would
have been terrible for the organization. There's no way that ASSP could
have detected this. It wasn't HMM/Bayesian spammy, it came from a good IP
(gmail). DKIM signed, spf pass, etc. To a computer, nothing about it was
bad. However, if ASSP were able to say "hey, this email has the
director's name in the FROM, but it isn't from
[email protected]. I'd better warn the user" we would have
been safer.
My original idea was to insert an HTML warning into the body of the
message like Google and other providers do. That's apparently a 100+ hour
project. I tried to get funding, but got laughed at...
What if instead, there were some kind of manually maintained rule based
matching on the FROM line that could modify only the subject. instead of
being overly complicated and inserting a warning in the body? Kind of
like the spam prepend that low threshold mails get?
Your sample rules in this thread are good, but they score the message.
That's not what I'm suggesting. I do NOT want to block or even score
these messages - there's plenty of times that the director sends
legitimate message from personal gmail/hotmail/whatever and it of course
has her name. BUT, to either have an HTML warning in the body or even
just [EXTERNAL MESSAGE] or something prepended to the subject when ASSP
detects this would be an outstanding feature.
We really only need to check the FROM line. Sender, Reply to, etc doesn't
matter. ASSP will keep doing it's job blocking spoofed headers, but the
NAME of the sender is that we're considering.
How about something like:
to:first:last:notfrom:WarnMsg
*@ourcharity:Sally:Smith:[email protected]:Caution: External
Email
matches mail sent to *@OurCharity.org, with a from line where the name
(not the email address, but the name itself) is a combination of FirstName
& LastName.* that ASSP tests against (.*FirstName.*LastName.*,
.*Lastname.*FirstName>8, where the from email isn't
[email protected]
Even better:
*@ourcharity:Paul:Jones:[email protected]|[email protected]:Caution:
External Email Not From Paul
Which would catch the same thing, but not warn if the message is from
either Paul's known gmail account or his @OurCharity.org account.
Does this simplification of the rules and only warning in the subject
instead of modifying the body make this easy enough for you to implement?
I understand that this isn't simple, but based on discussions that I've
had with counterparts elsewhere, they're all seeing the same problem.
Would a body warning be great? Of course, but since that's too much work,
I'm hopeful that subject modification based on these rules could be a
possibility.
Thanks
On Thu, Nov 7, 2019 at 9:46 PM K Post <[email protected]> wrote:
Thanks for the nudge in the right direction. I'll take a look at that
regex Showing the sender address in Outlook won't fly. It's a good idea,
but users would hate it and it doesn't solve the issue for mobile users
(where most of our users get tricked into a quick reply).
How much would you need for a 100 hour or so sponsorship of this? I doubt
our charity can come up with the funds, but I'd try!!
On Mon, Nov 4, 2019 at 9:12 AM Thomas Eckardt <[email protected]>
wrote:
Such a feature is not worth the effort.
https://www.howto-outlook.com/howto/viewsenderaddress.htm
There are too many pitfalls and too many required manual configuration
tweaks and exceptions to be handled.
examples:
- assp does not know user and mailbox names - requires manual tweaks using
lists and/or regular expressions
- to keep the manual configuration impact low, a complex and very variable
LDAP and/or external scripting will be required
- a per local domain configuration will be required
- several bounce sender tagging mechanism will make problems (example: <
[email protected]> )
....
So, with this feature you would have to configure matching sets for each
user. But you can do this now already - in 'bombHeaderRe'. If you got a
regular expression working for one user, it is easy to build them for
every user.
example:
~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.?
*)?(?{local %_ = qw, fname bob sname jones domain ourcharity.org
,})(?:(??{$_{'fname'}})[. _\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[,
](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E>>>~=>YOURSCORE
this example requires the hidden variable 'AllowCodeInRegex' to be set to
1
and a small change in assp.pl - will be published soon
or more simple, but much more needs to be change in each line
~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.?
*)?(?:bob[. _\-]+jones|jones[, ]bob|bob.jones\@ourcharity\.org
))\s*"?[^<]*<[^\@]+\@(?!ourcharity\.org)\x3E>>>~=>YOURSCORE
How ever, if you think you need such a feature, you'll need to sponsor it
or find a sponsor. I expect an effort of two weeks but not less than 100
hours to implement and test this feature as a level-1 plugin.
Thomas
Von: "K Post" <[email protected]>
An: "ASSP development mailing list" <
[email protected]>
Datum: 04.11.2019 00:28
Betreff: Re: [Assp-test] Message body modification
Right, but what I'm trying to accomplish (as described in detail in my
previous thread) is flagging, maybe just with subject modification mail
from outside senders with a name that matches one of our organization's
senders. I'd love to be able to have ASSP insert a warning, not on all
mail, but only when there's a suspicious name match. We can't reasonably
quarantine all external email, the messages in question don't have links
or attachments to block.
For example Bob Jones <[email protected]> is the real address
within our organization. We're seeing name spoofing mail from Bob Jones <
[email protected]> or Bob Jones <
[email protected]>. It shows up in outlook as Bob Jones in the
inbox. Lots of times, the message even had the signature that the person
actually uses. We've had even some of our most savvy users get tricked.
The messages slips through assp, because they're innocuous sounding "are
you in the office? I need your help" "I've got a favor to ask, reply when
you get this please?" Whatever, user gets fooled, replies, and then that
gmail address is whitelisted. The next mail asks for the purchase of gift
cards, etc. Common scheme. If we could change even just the subject line
like [Potential Spoof]: <real subject> that would help the recipient.
Inserting a warning into the body would be even better!
To do the matching though, we'd need to list the names our people and
their correct address and have ASSP flag only when there's a match from
outside. Of course there are lots of legitimate instances where our
people email from their real personal email address to our staff. Those
would get a subject or body modification too, but that's okay. We don't
have the budge to have a third part system do this.
Would you mind taking a look at the original thread for more detail and
explanation of what I'm thinking? I think it's at least worth discussion
- I think there's some real value to the ASSP community being how often
we're getting name spoofing messages.
On Sat, Nov 2, 2019 at 3:34 AM Thomas Eckardt <[email protected]>
wrote:
simple company rules are the solution:
- every mail from outside the company is subject to be malicious - open
attachments or following links in such mails, requires a full manually
verification of the email before any action is done - on any doubt the
mail has to be quarantained
- qurantined mails are untouchable as long as they are not released by an
authorisized person or system
- every mail from outside the company passed an assp system
- every mail from/to inside the company will never reach any assp system
(except assp reporting)
- every mail from outside contains a X-ASSP header but at least the ASSP
received header - this header has to be used by the mail client and/or
server to classify the mail
>can I insert something into the bodies of selected messages as it is sent
to the real mail server
there is no such code in assp.pl - only ASSP_AFC is able to manipulate the
mail body (replace attachments , SMIME)
>without having that warning message saved in the corpus
assp stores the incoming mail + assp headers - never the content sent to
the server
Thomas
Von: "K Post" <[email protected]>
An: "ASSP development mailing list" <
[email protected]>
Datum: 01.11.2019 18:02
Betreff: [Assp-test] Message body modification
Thomas, quick question: can I insert something into the bodies of selected
messages as it is sent to the real mail server without having that warning
message saved in the corpus?
Early last month, I sent "An idea: Visual warnings in message body" but
received no replies.
We're seeing SO many of these, that I might try to figure this out on my
own if there isn't broad appeal.
Thanks
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
