Bug 4147 - Uncaught phish trick using broken OE logic
Summary: Uncaught phish trick using broken OE logic
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Keywords: triage
Reported: 2005-02-22 01:01 UTC by Loren Wilton
Modified: 2005-07-16 03:04 UTC
Attachment: Phishing email with creatively broken hrefs (text/plain), submitted by Loren Wilton [NoCLA]

Description Loren Wilton 2005-02-22 01:01:55 UTC
There are some that might say that SA isn't a phishhook, but phish are most 
often spam, and this case I'm about to describe is one of the few things in 
the attached mail that can catch it.  It relies on what I suspect is a bug in 
OE for effect.

Briefly, the mail has a valid href to a secure site.  This is followed by an 
empty table to obscure the fact that the table is followed by an href to an 
unsecure phish site.  This href is then followed by the link text and the 
SINGLE </a> in the message.  

OE will display the first link in the status bar, but will take the second link 
when clicked.  This gets around having to use the 'on mouseover' trick to paste 
a fake site name into the status bar to obscure the real link.

The obvious thing to check for here is an href following a previous 
unterminated href.  One could also check for the first link being secure and 
the second link being either unsecure or numeric.  

This case would also be susceptible to a tag balance check (which is not being 
performed), but I would hope to be able to give this specific case more weight 
than a normal tag balance check should give.  Thus it should be a more specific 
test.
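The check described above (a second href opening while an earlier href is still unterminated, weighted higher when the first link is https and the second is plain http or a numeric host), as an added Python example that is not part of the bug report or of SpamAssassin; the sample fragments, the `ANCHOR_RE` pattern and the scoring weights are all constructed here for illustration.

```python
import re

# Constructed sample modelled on the trick in the report: a secure href that is
# never closed, an empty table, then a second href and the only </a> in the mail.
SAMPLE_PHISH = (
    '<p>Please confirm your details:</p>'
    '<a href="https://www.example-bank.test/login">'
    '<table><tr><td>'
    '<a href="http://192.0.2.10/login">https://www.example-bank.test/login</a>'
    '</td></tr></table>'
)

# Constructed benign sample: two properly terminated links, one of them http.
SAMPLE_HAM = (
    '<p>See <a href="https://www.example-bank.test/help">our help page</a> and '
    '<a href="http://blog.example.test/">the blog</a>.</p>'
)

# Matches an opening <a ... href="..."> (capturing the URL) or a closing </a>.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*"([^"]*)"[^>]*>|</a\s*>', re.I | re.S)


def find_overlaid_hrefs(html):
    """Return (outer_href, inner_href) pairs: an <a href> that opens while a
    previous <a href> is still unterminated, i.e. the overlay the report describes."""
    hits = []
    open_hrefs = []
    for m in ANCHOR_RE.finditer(html):
        if m.group(0).lower().startswith('</a'):
            if open_hrefs:
                open_hrefs.pop()
        else:
            if open_hrefs:
                hits.append((open_hrefs[-1], m.group(1)))
            open_hrefs.append(m.group(1))
    return hits


def is_secure_to_insecure(first, second):
    """The report's more specific variant: first link https, second link
    plain http or pointing at a numeric (IP) host."""
    first_secure = first.lower().startswith('https://')
    second_plain = second.lower().startswith('http:')
    second_numeric = re.match(r'https?://\d', second, re.I) is not None
    return first_secure and (second_plain or second_numeric)


def phish_overlay_score(html):
    """Hypothetical weighting: 0 = no nested anchors, 1 = nested anchors,
    2 = nesting that also matches the secure-then-insecure pattern."""
    hits = find_overlaid_hrefs(html)
    if not hits:
        return 0
    return 2 if any(is_secure_to_insecure(a, b) for a, b in hits) else 1
```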
Comment 1 Loren Wilton 2005-02-22 01:04:01 UTC
Created attachment 2661 [details]
Phishing email with creatively broken hrefs
Comment 2 Bob Menschel 2005-04-28 23:20:34 UTC
Loren, between us we should be able to put together a test rule which would
either do this work, or at least get close enough to give the devs a good
starting point.  Do you have anything already in the works? 
Comment 3 Loren Wilton 2005-04-29 01:40:59 UTC
#nasty little piranha, bad phish!
#	new spammer trick, overlay an unterminated href with a second one, then terminate
#	only the second one.  OE shows the text for the first link and goes to the second link!

full		LW_PHISH_5		m'<a\s+[\s\w\=\.]*href=\"https://[^>]{0,300}><table><tr><td><a\s+[\s\w\=\.]*href=\"(?:http:|https://\d)'is
score		LW_PHISH_5		2
describe	LW_PHISH_5		unterminated secure href

In case the rule text wraps badly, there are no spaces in it.
I don't know that I have any results for the above rule, but I'm pretty sure 
that I validated that it worked when I wrote it.
I also haven't noticed if this has hit recently; it may be stale.  Most phish 
score pretty high here these days, so I usually don't look at them.
Comment 4 Loren Wilton 2005-05-01 17:32:22 UTC
Interesting.  A search on my last month's spam shows no hits either.  Perhaps 
this was a short-lived thing and the spammers have moved on.  At the time I 
wrote it, it was catching 5-8 a day out of a total spam load of a couple 
hundred a day.
Comment 5 Bob Menschel 2005-07-16 11:04:12 UTC
Below are three rules developed by Loren and Bob. First is in 70_sare_obfu0.cf,
third is in 70_sare_obfu1.cf, and second will be in next release of obfu0. 

Too late, and not enough benefit, to get these into 3.1.0, but anyone who wants
them can copy them from this entry or use the SARE rules files. If the S/O and
counts improve over time, we'll submit them for 3.2.0.

(No objection if anyone else can find ways to improve on these, or even replace
them with something better.) 

rawbody   __SARE_OBFU_SPLIT_HR1A   /href=\"[^"]*\r[^\n]/is
full      __SARE_OBFU_SPLIT_HR1B   /href=\"[^"]*\r[^\n]/is
meta      SARE_OBFU_SPLIT_HR1      __SARE_OBFU_SPLIT_HR1A || __SARE_OBFU_SPLIT_HR1B
score     SARE_OBFU_SPLIT_HR1      1.666
#stype    SARE_OBFU_SPLIT_HR1      obfu 
describe  SARE_OBFU_SPLIT_HR1      unescaped cr in uri
#hist     SARE_OBFU_SPLIT_HR1      Loren Wilton
#counts   SARE_OBFU_SPLIT_HR1      35s/0h of 260791 corpus (115716s/145075h RM) 05/25/05
#max      SARE_OBFU_SPLIT_HR1      49s/0h of 292007 corpus (122219s/169788h RM) 04/27/05
#counts   SARE_OBFU_SPLIT_HR1      0s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts   SARE_OBFU_SPLIT_HR1      7s/0h of 4677 corpus (810s/3867h ft) 05/28/05
#counts   SARE_OBFU_SPLIT_HR1      352s/0h of 47845 corpus (43810s/4035h MY) 05/28/05

full      SARE_OBFU_SPLIT_REDIR    m'/(?:(?!https?://)h.?t.?t.?p.?:.?/.?/)'i
describe  SARE_OBFU_SPLIT_REDIR    gappy redirect
score     SARE_OBFU_SPLIT_REDIR    1.666
#stype    SARE_OBFU_SPLIT_REDIR    obfu
#hist     SARE_OBFU_SPLIT_REDIR    Bob Menschel, June 16 2005 
#counts   SARE_OBFU_SPLIT_REDIR    3s/0h of 267372 corpus (127006s/140366h RM) 06/19/05

rawbody   __SARE_OBFU_SPLIT_HR2A   /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
full      __SARE_OBFU_SPLIT_HR2B   /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
meta      SARE_OBFU_SPLIT_HR2      __SARE_OBFU_SPLIT_HR2A || __SARE_OBFU_SPLIT_HR2B
score     SARE_OBFU_SPLIT_HR2      1.023
describe  SARE_OBFU_SPLIT_HR2      unescaped cr in uri
#counts   SARE_OBFU_SPLIT_HR2      4893s/46h of 261031 corpus (115925s/145106h RM) 05/29/05
#max      SARE_OBFU_SPLIT_HR2      4930s/59h of 263078 corpus (112438s/150640h RM) 05/16/05
#counts   SARE_OBFU_SPLIT_HR2      2s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts   SARE_OBFU_SPLIT_HR2      6s/2h of 4677 corpus (810s/3867h ft) 05/28/05
#counts   SARE_OBFU_SPLIT_HR2      328s/15h of 47845 corpus (43810s/4035h MY) 05/28/05