Closed xpunkt closed 1 year ago
Hi,
I would believe that was possible. Many of those URLs would be located/situated in the "BODY", so it should be straightforward to also add a "PHISHTANK" score in the spam header etc.
So that you would know what added that score and so forth.
PS. I don't use Spamassassin anymore on my mail server, but let me create/generate the rules. I think it should be doable!
First trial on PhishTank rule.
I'm going to use the "URI" spamassassin match syntax as that will match the text body and/or HTML tags with URLs. So you don't have to search the full body etc. But "uri" can be changed to "body" if need be.
Also parsing the URL from PhishTank and only matching on FQDN + path, if there is one.
I have no idea if the "eval:
But it would be cool to not only score on uri match but also add extra if it's validated and still online!!
```
# ./update-phishtank-rules
[15:09:20 17-02-2023] ==[ UPDATE-PHISHTANK-RULES ]===============================
[15:09:20 17-02-2023] > Checking for phishtank DB locally
[15:09:20 17-02-2023] > Found DB locallay
[15:09:20 17-02-2023] - Loading
[15:09:21 17-02-2023] - Done
[15:09:21 17-02-2023] > Found 25430 PhishTank entries in DB
[15:09:21 17-02-2023] >> Building rule: PHISHTANK_0008040126
## ____ _ _ _ _____ _ ____ _
## | _ \| |__ (_)___| |_|_ _|_ _ _ __ | | __ | _ \ _ _| | ___
## | |_) | '_ \| / __| '_ \| |/ _` | '_ \| |/ / | |_) | | | | |/ _ \
## | __/| | | | \__ \ | | | | (_| | | | | < | _ <| |_| | | __/
## |_| |_| |_|_|___/_| |_|_|\__,_|_| |_|_|\_\ |_| \_\\__,_|_|\___|
##
## Rule ID.......: PHISHTANK_0008040126
## PhishTank URL.: http://www.phishtank.com/phish_detail.php?phish_id=8040126
## Submitted.....: 2023-02-17T13:02:48+00:00
##
## DEFAULT MATCH RULE
uri PHISHTANK_0008040126_MATCH /dapps\-connects\.herokuapp\.com/
score PHISHTANK_0008040126_MATCH 5
describe PHISHTANK_0008040126_MATCH Phishtank ID 8040126
## VALIDATED RULE
meta PHISHTANK_0008040126_VALIDATED eval:true
score PHISHTANK_0008040126_VALIDATED 2
describe PHISHTANK_0008040126_VALIDATED Validated phishing url
## ACTIVE/ONLINE RULE
meta PHISHTANK_0008040126_ONLINE eval:true
score PHISHTANK_0008040126_ONLINE 2
describe PHISHTANK_0008040126_ONLINE Phishing url still online
```
The previous one would not work; I have now fixed it and it looks good. I have tested with boolean false and true for e.g. "ONLINE" and it will add up the extra score now. And the URI match is working fine.
```
# ./update-phishtank-rules
[15:54:07 17-02-2023] ==[ UPDATE-PHISHTANK-RULES ]===============================
[15:54:07 17-02-2023] > Checking for phishtank DB locally
[15:54:07 17-02-2023] > Found DB locallay
[15:54:07 17-02-2023] - Loading
[15:54:09 17-02-2023] - Done
[15:54:09 17-02-2023] > Found 25430 PhishTank entries in DB
[15:54:09 17-02-2023] >> Building rule: PHISHTANK_0008040126
## ____ _ _ _ _____ _ ____ _
## | _ \| |__ (_)___| |_|_ _|_ _ _ __ | | __ | _ \ _ _| | ___
## | |_) | '_ \| / __| '_ \| |/ _` | '_ \| |/ / | |_) | | | | |/ _ \
## | __/| | | | \__ \ | | | | (_| | | | | < | _ <| |_| | | __/
## |_| |_| |_|_|___/_| |_|_|\__,_|_| |_|_|\_\ |_| \_\\__,_|_|\___|
##
## Rule ID.......: PHISHTANK_0008040126
## PhishTank URL.: http://www.phishtank.com/phish_detail.php?phish_id=8040126
## Submitted.....: 2023-02-17T13:02:48+00:00
##
## DEFAULT MATCH RULE
uri PHISHTANK_0008040126_MATCH /dapps\-connects\.herokuapp\.com/
score PHISHTANK_0008040126_MATCH 5.0
describe PHISHTANK_0008040126_MATCH Phishtank ID 8040126 (Other)
## VALIDATED RULE
meta __PHISHTANK_0008040126_VALCHECK (1*1) > 0
meta PHISHTANK_0008040126_VALIDATED PHISHTANK_0008040126_MATCH && __PHISHTANK_0008040126_VALCHECK
score PHISHTANK_0008040126_VALIDATED 2.0
describe PHISHTANK_0008040126_VALIDATED Validated phishing url
## ACTIVE/ONLINE RULE
meta __PHISHTANK_0008040126_ONCHECK (1*1) > 0
meta PHISHTANK_0008040126_ONLINE PHISHTANK_0008040126_MATCH && __PHISHTANK_0008040126_ONCHECK
score PHISHTANK_0008040126_ONLINE 2.0
describe PHISHTANK_0008040126_ONLINE Phishing URL still online
```
I will now begin to build rules and figure out how and what to include (and how many). Perhaps only 7 or 30 days back. Or all ...
DONE!
Now with PhishTank Spamassassin rules ready to go! Please note that ONLINE/VALIDATED is always active; this is because PhishTank only includes online and validated URLs in the public DB you can download.
Also please note that there are a lot - 25000+ rules!! So I have also made two extra folders, one with only rules that are 7 days old and one with 30 days old.
Rules now commited https://github.com/kawaiipantsu/spamassassin-rules/commit/884f0a406d21c4e2d46d6109a861c6b07506d98d
The new update script so you can keep them updated yourself if you like https://github.com/kawaiipantsu/spamassassin-rules/commit/11ec8346f46e4ed2b8b46eaf54539ae5bcd0dec2
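As an added example (not the project's own update script), the rule-generation step described in this thread, written against a constructed PhishTank-shaped entry: the URL is reduced to FQDN + path, every non-alphanumeric character is escaped so feed data cannot alter the Perl regex, and the verified/online flags are folded into the `(1*N) > 0` meta form seen in the output above. `recent_entries` implements the 7-/30-day subsets; field names (`phish_id`, `url`, `submission_time`, `verified`, `online`, `target`) are assumed to mirror the PhishTank feed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample in the shape of a PhishTank DB entry (placeholder id/URL).
SAMPLE_ENTRY = {
    "phish_id": 8040126,
    "url": "http://dapps-connects.herokuapp.com/login/index.php?x=1",
    "submission_time": "2023-02-17T13:02:48+00:00",
    "verified": "yes",
    "online": "yes",
    "target": "Other",
}

def rule_id(phish_id):
    """Zero-padded rule name, e.g. PHISHTANK_0008040126."""
    return f"PHISHTANK_{int(phish_id):010d}"

def uri_pattern(url):
    """FQDN + path only (scheme/query dropped); every non-alphanumeric char is
    escaped so feed data cannot inject regex metacharacters or a '/' delimiter."""
    parts = urlsplit(url)
    text = (parts.hostname or "") + parts.path.rstrip("/")
    return "".join(c if c.isalnum() else "\\" + c for c in text)

def build_rule(entry):
    """MATCH rule plus VALIDATED/ONLINE meta rules; the flags become constant
    arithmetic ((1*1) > 0 / (1*0) > 0) as in the thread's generated output."""
    rid = rule_id(entry["phish_id"])
    validated = int(entry.get("verified") == "yes")
    online = int(entry.get("online") == "yes")
    return "\n".join([
        f"uri {rid}_MATCH /{uri_pattern(entry['url'])}/",
        f"score {rid}_MATCH 5.0",
        f"describe {rid}_MATCH Phishtank ID {entry['phish_id']} ({entry.get('target', 'Other')})",
        f"meta __{rid}_VALCHECK (1*{validated}) > 0",
        f"meta {rid}_VALIDATED {rid}_MATCH && __{rid}_VALCHECK",
        f"score {rid}_VALIDATED 2.0",
        f"describe {rid}_VALIDATED Validated phishing url",
        f"meta __{rid}_ONCHECK (1*{online}) > 0",
        f"meta {rid}_ONLINE {rid}_MATCH && __{rid}_ONCHECK",
        f"score {rid}_ONLINE 2.0",
        f"describe {rid}_ONLINE Phishing URL still online",
    ])

def recent_entries(entries, days, now_iso):
    """Entries submitted within `days` before now_iso (7-/30-day subsets)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    return [e for e in entries
            if datetime.fromisoformat(e["submission_time"]) >= cutoff]
```

Because the public DB only ships verified and online URLs, both meta checks evaluate to `(1*1) > 0` for every real entry, matching the note above that ONLINE/VALIDATED is always active.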
Would it be possible to have a spamassassin rule set based on phishtank.com data?
Yes, I know PhishTank has an API, but I don't know if it's possible to generate spamassassin rules with it as the source.