Phishing fight with spamassassin and Mailscanner Front End and integration of openphish, phistank, phishstats, mailscane

Posted: 15 Feb 2024, 20:20
by nermin_dadan
Hello,

I need some advice on fighting phishing with SpamAssassin and MailScanner Front End.
I've found this instruction: https://spamassassin.apache.org/full/4. ... ishing.txt
I've created bash script cronjobs to download the openphish, phishtank, phishstats, and mailscanner phishing feeds.
Some of them run every 90 minutes, some every 4 hours, some every 12 hours, and some daily.
The cronjobs convert the data from CSV files to txt format containing only the URL (one URL per line).
When the cronjobs have done their job, I end up with 4 txt files that consist of URLs (one URL per line, for example: http://somelink.com/xyz? or https://somelink.com/xyt?). All of the links have http:// or https://.
Also, at the end of each cronjob I've added this command: /bin/systemctl reload MailScanner.service

Then I've created this script and added it to /etc/mail/spamassassin/mailscanner.cf:
loadplugin Mail::SpamAssassin::Plugin::Phishing
ifplugin Mail::SpamAssassin::Plugin::Phishing
phishing_openphish_feed /etc/mail/spamassassin/openphish.txt
body URI_PHISHING_OP eval:check_phishing()
describe URI_PHISHING_OP Url match phishing in feed
score URI_PHISHING_OP 20

phishing_openphish_feed /etc/mail/spamassassin/phishtank.txt
body URI_PHISHING_PT eval:check_phishing()
describe URI_PHISHING_PT Url match phishing in feed
score URI_PHISHING_PT 20

phishing_openphish_feed /etc/mail/spamassassin/phishstats.txt
body URI_PHISHING_PS eval:check_phishing()
describe URI_PHISHING_PS Url match phishing in feed
score URI_PHISHING_PS 20

phishing_openphish_feed /etc/mail/spamassassin/mailscanner.txt
body URI_PHISHING_MS eval:check_phishing()
describe URI_PHISHING_MS Url match phishing in feed
score URI_PHISHING_MS 20

# Ignore URI ?
phishing_uri_noparam 1 # this option is global
endif

For some reason, sometimes it does the job and sometimes it does not.
I've tested it, and some links it does recognize, and some not.

What could be the issue here? Am I doing something wrong? Why is it working sometimes, and sometimes it does not?
I've tested it numerous times. Even when I select the entire list, like 400-500 links, paste it into an email, and send it to some email address on the server, it arrives in the inbox, and the main rule that should recognize the links does not appear. There are other rules built into MailScanner that block this email, but that is not the point.
These txt files are 6,8MB in total, all combined.

The server has 256GB of RAM, with 100GB of free memory at all times. There are 120 WordPress websites with emails.
Maybe 1500 email accounts are used on the server. The server has 40 CPUs; only 5 are in use almost all the time.
SSD drives in RAID 1 with plenty of space.
5000 emails are sent/delivered to/from the server daily.

Any advice would be appreciated.

Nermin
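
One way to fold the four one-URL-per-line files described in the post above into a single list before MailScanner is reloaded, so that a single `phishing_openphish_feed` line can reference it. This is an added example, not part of the original post; the function name `merge_feeds` and the merged output path in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example: merge several one-URL-per-line feed files into one list.
# merge_feeds and the merged file name are hypothetical, not from the post.

# merge_feeds OUT IN...  -> writes OUT atomically and prints the URL count
merge_feeds() {
    local out="$1"; shift
    local tmp f count
    # Temp file lives next to OUT so the final rename stays on one filesystem.
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    # A feed that is missing (failed download) is skipped with a warning
    # instead of aborting the whole merge.
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat -- "$f"
        else
            echo "warning: feed $f not readable, skipped" >&2
        fi
    done |
        tr -d '\r' |                                        # CSV exports often carry CRLF
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | # trim stray blanks
        { grep -E '^https?://[^[:space:]]+$' || true; } |   # drop headers and junk lines
        LC_ALL=C sort -u > "$tmp"                           # remove duplicates across feeds

    count=$(wc -l < "$tmp" | tr -d ' ')

    # Never replace a good list with an empty one.
    if [ "$count" -eq 0 ]; then
        echo "error: merged feed is empty, keeping old $out" >&2
        rm -f -- "$tmp"
        return 1
    fi

    chmod 0644 "$tmp"
    mv -f -- "$tmp" "$out"   # rename is atomic: a reload never sees a partial file
    echo "$count"
}

# Usage (merged path is an assumption; the four inputs are the files from the post):
# merge_feeds /etc/mail/spamassassin/phishing-merged.txt \
#     /etc/mail/spamassassin/openphish.txt /etc/mail/spamassassin/phishtank.txt \
#     /etc/mail/spamassassin/phishstats.txt /etc/mail/spamassassin/mailscanner.txt \
#     && /bin/systemctl reload MailScanner.service
```

Running the reload only when the merge succeeds keeps a failed feed download from emptying the list that the rules read.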

Re: Phishing fight with spamassassin and Mailscanner Front End and integration of openphish, phistank, phishstats, mails

Posted: 27 Feb 2024, 23:42
by Sergio
This would be a great addition to MailScanner FE.

Sarah and Jonathan, could you please check this and see if it could be added in the next MFE update? It will be a nice tool for fighting against PHISHING.

Regards,
Sergio