kawaiipantsu / spamassassin-rules

Custom SpamAssassin rules I and others have made and contributed with - To mitigate spam mails and phishing mails now also with cool Phishtank rules
MIT License

phishtank.com rule sets #1

Closed xpunkt closed 1 year ago

xpunkt commented 1 year ago

Would it be possible to have a SpamAssassin rule set based on phishtank.com data?

Yes, I know PhishTank has an API, but I don't know if it's possible to generate SpamAssassin rules with it as the source.

kawaiipantsu commented 1 year ago

Hi,

I would believe that was possible. Many of those URLs would be located/situated in the "BODY", so it should be straightforward also to add a "PHISHTANK" score in the spam header etc.

So that you would know what added that score and so forth.

PS. I don't use Spamassassin anymore on my mail server, but let me create/generate the rules. I think it should be doable !

kawaiipantsu commented 1 year ago

First trial on a PhishTank rule.

I'm going to use the "URI" SpamAssassin match syntax as that will match the text body and/or HTML tags with URLs. So you don't have to search the full body etc. But "uri" can be changed to "body" if need be.

Also parsing the URL from PhishTank and only matching on FQDN + path if there. I have no idea if the "eval:" will work, it's a hack :)

But it would be cool to not only score on uri match but also add extra if it's validated and still online!!

# ./update-phishtank-rules
[15:09:20 17-02-2023] ==[ UPDATE-PHISHTANK-RULES ]===============================
[15:09:20 17-02-2023] > Checking for phishtank DB locally
[15:09:20 17-02-2023] > Found DB locallay
[15:09:20 17-02-2023]   - Loading
[15:09:21 17-02-2023]   - Done
[15:09:21 17-02-2023] > Found 25430 PhishTank entries in DB
[15:09:21 17-02-2023] >> Building rule: PHISHTANK_0008040126
##  ____  _     _     _   _____           _      ____        _
## |  _ \| |__ (_)___| |_|_   _|_ _ _ __ | | __ |  _ \ _   _| | ___
## | |_) | '_ \| / __| '_ \| |/ _` | '_ \| |/ / | |_) | | | | |/ _ \
## |  __/| | | | \__ \ | | | | (_| | | | |   <  |  _ <| |_| | |  __/
## |_|   |_| |_|_|___/_| |_|_|\__,_|_| |_|_|\_\ |_| \_\\__,_|_|\___|
##
## Rule ID.......: PHISHTANK_0008040126
## PhishTank URL.: http://www.phishtank.com/phish_detail.php?phish_id=8040126
## Submitted.....: 2023-02-17T13:02:48+00:00
##
## DEFAULT MATCH RULE
uri             PHISHTANK_0008040126_MATCH      /dapps\-connects\.herokuapp\.com/
score           PHISHTANK_0008040126_MATCH      5
describe        PHISHTANK_0008040126_MATCH      Phishtank ID 8040126

## VALIDATED RULE
meta            PHISHTANK_0008040126_VALIDATED  eval:true
score           PHISHTANK_0008040126_VALIDATED  2
describe        PHISHTANK_0008040126_VALIDATED  Validated phishing url

## ACTIVE/ONLINE RULE
meta            PHISHTANK_0008040126_ONLINE     eval:true
score           PHISHTANK_0008040126_ONLINE     2
describe        PHISHTANK_0008040126_ONLINE     Phishing url still online
kawaiipantsu commented 1 year ago

Previous would not work, I have now fixed it and it looks good. I have tested with boolean false and true for e.g. "ONLINE" and it will add up extra score now. And the URI match is working fine.

# ./update-phishtank-rules
[15:54:07 17-02-2023] ==[ UPDATE-PHISHTANK-RULES ]===============================
[15:54:07 17-02-2023] > Checking for phishtank DB locally
[15:54:07 17-02-2023] > Found DB locallay
[15:54:07 17-02-2023]   - Loading
[15:54:09 17-02-2023]   - Done
[15:54:09 17-02-2023] > Found 25430 PhishTank entries in DB
[15:54:09 17-02-2023] >> Building rule: PHISHTANK_0008040126
##  ____  _     _     _   _____           _      ____        _
## |  _ \| |__ (_)___| |_|_   _|_ _ _ __ | | __ |  _ \ _   _| | ___
## | |_) | '_ \| / __| '_ \| |/ _` | '_ \| |/ / | |_) | | | | |/ _ \
## |  __/| | | | \__ \ | | | | (_| | | | |   <  |  _ <| |_| | |  __/
## |_|   |_| |_|_|___/_| |_|_|\__,_|_| |_|_|\_\ |_| \_\\__,_|_|\___|
##
## Rule ID.......: PHISHTANK_0008040126
## PhishTank URL.: http://www.phishtank.com/phish_detail.php?phish_id=8040126
## Submitted.....: 2023-02-17T13:02:48+00:00
##
## DEFAULT MATCH RULE
uri             PHISHTANK_0008040126_MATCH      /dapps\-connects\.herokuapp\.com/
score           PHISHTANK_0008040126_MATCH      5.0
describe        PHISHTANK_0008040126_MATCH      Phishtank ID 8040126 (Other)

## VALIDATED RULE
meta            __PHISHTANK_0008040126_VALCHECK (1*1) > 0
meta            PHISHTANK_0008040126_VALIDATED  PHISHTANK_0008040126_MATCH && __PHISHTANK_0008040126_VALCHECK
score           PHISHTANK_0008040126_VALIDATED  2.0
describe        PHISHTANK_0008040126_VALIDATED  Validated phishing url

## ACTIVE/ONLINE RULE
meta            __PHISHTANK_0008040126_ONCHECK  (1*1) > 0
meta            PHISHTANK_0008040126_ONLINE     PHISHTANK_0008040126_MATCH && __PHISHTANK_0008040126_ONCHECK
score           PHISHTANK_0008040126_ONLINE     2.0
describe        PHISHTANK_0008040126_ONLINE     Phishing URL still online
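As an added example (not the repository's own update-phishtank-rules script), the generator below builds one rule block in exactly the format shown above from a PhishTank-style entry: the URL is reduced to FQDN + path and escaped for a `uri` rule, and the `verified`/`online` flags become the `(1*1) > 0` / `(0*1) > 0` factors in the `__VALCHECK`/`__ONCHECK` meta rules so the extra scores only add up when both the match and the flag are true. The sample entries, field names and helper functions are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

SAMPLE_ENTRIES = [  # constructed, in the shape of PhishTank's feed; not real data
    {"phish_id": 8040126, "url": "http://dapps-connects.herokuapp.com/",
     "submission_time": "2023-02-17T13:02:48+00:00",
     "verified": "yes", "online": "yes", "target": "Other"},
    {"phish_id": 1234567, "url": "https://login.example.test/acct/verify.php?id=9",
     "submission_time": "2023-02-16T09:00:00+00:00",
     "verified": "no", "online": "no", "target": "Example Bank"},
]

def match_pattern(url):
    """FQDN + path only (no scheme, port, query, fragment), escaped for SA's /.../ syntax."""
    parts = urlsplit(url)
    target = (parts.hostname or "") + parts.path.rstrip("/")
    return re.escape(target).replace("/", r"\/")

def build_rule(entry):
    """One rule block: a uri match plus two meta rules gated by a 1/0 boolean factor."""
    pid = int(entry["phish_id"])
    rid = f"PHISHTANK_{pid:010d}"
    validated, online = int(entry["verified"] == "yes"), int(entry["online"] == "yes")
    lines = [
        f"## Rule ID.......: {rid}",
        f"## PhishTank URL.: http://www.phishtank.com/phish_detail.php?phish_id={pid}",
        f"## Submitted.....: {entry['submission_time']}",
        "##",
        "## DEFAULT MATCH RULE",
        f"uri             {rid}_MATCH      /{match_pattern(entry['url'])}/",
        f"score           {rid}_MATCH      5.0",
        f"describe        {rid}_MATCH      Phishtank ID {pid} ({entry['target']})",
        "",
        "## VALIDATED RULE",
        f"meta            __{rid}_VALCHECK ({validated}*1) > 0",
        f"meta            {rid}_VALIDATED  {rid}_MATCH && __{rid}_VALCHECK",
        f"score           {rid}_VALIDATED  2.0",
        f"describe        {rid}_VALIDATED  Validated phishing url",
        "",
        "## ACTIVE/ONLINE RULE",
        f"meta            __{rid}_ONCHECK  ({online}*1) > 0",
        f"meta            {rid}_ONLINE     {rid}_MATCH && __{rid}_ONCHECK",
        f"score           {rid}_ONLINE     2.0",
        f"describe        {rid}_ONLINE     Phishing URL still online",
    ]
    return "\n".join(lines)

def expected_score(entry):
    # Total a hit on this URL adds: 5.0 base, +2.0 if validated, +2.0 if still online.
    return 5.0 + 2.0 * (entry["verified"] == "yes") + 2.0 * (entry["online"] == "yes")
```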
kawaiipantsu commented 1 year ago

I will now begin to build rules and figure out how and what to include (and how many). Perhaps only 7 or 30 days back. Or all ...

kawaiipantsu commented 1 year ago

DONE!

Now with PhishTank SpamAssassin rules ready to go! Please note that ONLINE/VALIDATED is always active; this is because PhishTank only includes online and validated URLs in the public DB you can download.

Also please note that there are a lot - 25000+ rules !! So I have also made two extra folders, one with only rules that are 7 days old and one with 30 days old.

Rules now committed https://github.com/kawaiipantsu/spamassassin-rules/commit/884f0a406d21c4e2d46d6109a861c6b07506d98d

The new update script so you can keep them updated yourself if you like https://github.com/kawaiipantsu/spamassassin-rules/commit/11ec8346f46e4ed2b8b46eaf54539ae5bcd0dec2