Protect users who get spammy phishing links in emails

Maybe this is out of place and with people working from home, everyone’s policy is different (not speaking regarding home ipfire), I rather like the approach of something much like SpamAssassin/Mimecast/Tessian to filter in line to remove, alert, or sandbox the link.

Vs DNS, as these server IPs can change very often or come from multiple IPs, and are usually on shared hosting or shared IPs, which can cause legitimate businesses to be blocked.

And continue to provide the proper training and raising awareness to end users regarding spam and phishing and how to identify them. Technology alone, no matter how expensive or how advanced: all it takes is a user to click.

Teach people to identify and look twice before responding or clicking; it takes a few seconds. Just like crossing the street or changing lanes.


Hi,

to sum this discussion up a little bit, these are the threats @anon45931963 has to fight against
(as probably most of us do as well):

  1. Malicious sites (including, but not limited to phishing) hosted on dedicated IP addresses.
  2. Malicious sites hosted on CDNs or popular shared IP addresses, where blacklisting the entire IP address cannot be done as it causes too many False Positives.
  3. Malicious content hosted on legitimate FQDNs, such as Dropbox, Google Drive, or similar.

All of them have to slip through OP’s mail infrastructure, thus not being identified as malicious
in the first place.

I think we all agree that fighting against (1) is not a problem in case there is a reasonably
accurate and up to date blacklist (or several of them) available. It might need some tricks and
scripting to get that working in IPFire at the time of writing, but ultimately, it is not a problem.

In case of (2), we disagree on how to handle this (DNS filtering vs. URL filter), primarily due
to the fact that distributing proxy settings can be tricky, depending on your environment.

Case (3) is neither addressed by DNS nor URL filtering. (In theory, TLS interception could help
to see the full URL at the proxy, however, this causes other issues and I am unaware of any URL
blacklist to be accurate enough. In fact, some services for user-generated content evade URL
filtering by randomising links and putting in tokens. Worse, AV detection rates are terrible in
this scenario - partly because it is very easy to obfuscate malicious content on the web.)

Just two remarks on this not very jolly situation from my point of view:

  1. In several environments, I built something like a mail buffer: Every mail that passes the spam filter and AV scanners is duplicated and stored on a dedicated machine, where it will be deleted automatically after 24 (in some cases 48) hours. As soon as new AV signatures or blacklist updates arrive, the current mail buffer will be scanned again. In case of a detection, a message will be sent out to both the user (“please do not open message XYZ, and in case you have opened it, call ABC immediately”) and the internal monitoring system. While this is not a very elegant solution, it at least allows detecting malicious messages that slipped through (which happens several times a day), which is better than nothing. Perhaps such a setup might help OP (and others) as well.

  2. In my humble opinion, BYOD is the sore thumb of this discussion. Yes, I am aware not every company (or sometimes even agency) is willing or can afford to provide dedicated notebooks/PCs to their employees; however, I would strongly recommend trying to change that first. Enforcing policies is much easier if the company has more or less full control over the employee's device, and it enables defense mechanisms on a completely different level (such as HIPS or USB port monitoring). Pushing proxy settings to clients is usually much easier as well.

Perhaps this might be helpful as food for thought.

Thanks, and best regards,
Peter Müller
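The mail buffer described in remark (1) above, as an added example that is not Peter's actual setup nor IPFire code: buffered copies of already-delivered mails are kept as .eml files, and every time a new blocklist arrives the buffer is re-scanned for links to hosts that are now listed. The blocklist format (one hostname per line), the .eml layout, the directory names and the `alert` hook are assumptions; the sample mails and list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or IPFire): re-scan a "mail buffer"
# against a freshly updated hostname blocklist and prune old copies.
# Assumptions: one hostname per line in the blocklist, mails stored as
# plain .eml files in the buffer directory, alerting left to the alert() hook.

set -u

# Print the distinct, lower-cased hostnames of all http/https links in one mail.
mail_hosts() {
    grep -oiE 'https?://[^/[:space:]"<>]+' "$1" \
        | sed -E 's#^[^:]+://##; s#:[0-9]+$##' \
        | tr 'A-Z' 'a-z' | sort -u
}

# Usage: rescan_buffer BUFFER_DIR BLOCKLIST
# Prints "<mailfile> <host>" for every buffered mail that links to a blocked host.
rescan_buffer() {
    dir="$1"; blocklist="$2"
    for mail in "$dir"/*.eml; do
        [ -f "$mail" ] || continue
        # -Fx: whole-line fixed-string match, so bad.example does not match notbad.example
        mail_hosts "$mail" | grep -Fxf "$blocklist" | while read -r host; do
            printf '%s %s\n' "$mail" "$host"
        done
    done
}

# Drop buffered mails older than MINUTES (24 h = 1440) so the buffer does not grow.
prune_buffer() {
    find "$1" -name '*.eml' -mmin +"$2" -delete
}

# Alert hook: here it only prints. In production it would mail the user
# ("do not open message X; if you did, call the helpdesk") and notify monitoring.
alert() { printf 'ALERT: %s links to blocked host %s\n' "$1" "$2"; }

demo() {
    tmp="$(mktemp -d)"
    mkdir "$tmp/buffer"
    # constructed blocklist and sample mails, not real data
    printf 'bad.example\n' > "$tmp/blocklist.txt"
    printf 'Subject: invoice\n\nPlease see https://BAD.example/login?token=abc\n' > "$tmp/buffer/001.eml"
    printf 'Subject: hi\n\nlink: http://good.example/docs\n' > "$tmp/buffer/002.eml"
    rescan_buffer "$tmp/buffer" "$tmp/blocklist.txt" | while read -r mail host; do
        alert "$mail" "$host"
    done
    prune_buffer "$tmp/buffer" 1440
    rm -rf "$tmp"
}

demo
```

Run `rescan_buffer` from the same job that installs a new blocklist, and `prune_buffer` from cron; the hostname extraction deliberately ignores the path, which is what makes case (3) above (malicious files on legitimate FQDNs) invisible to this check as well.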


Hi all -

As a side note I just wanted to say thank you to all participants for this very interesting discussion that really adds a lot of valuable points to my consideration of how I want to use IPFire in my environment to protect grown-ups, and kids – all people with special data protection needs that have to be addressed appropriately. This is the reason why I read (and write) in the forum on an almost daily basis. Thanks again and take care!

Datamorgana


Don’t get me wrong, I’ve got Barracuda ESS in my stack. DNS for the ones that get through, just don’t like relying on one thing alone. And also when you get links from google search. No mail filter got you covered in that case.

@ummeegge looks good, I’ll have to do some testing with sending proxy over DHCP and URL-Filter (mostly to ensure it’s not sticky and breaks internet when they go home). I’m defs not going down the path of IPSets in iptables tho.

Do you have a cron job set to run the script periodically or something like that? As the list gets updated every 6 hours. Actually looking at the script, I imagine you’d only be wanting to run the script out of hours as it downs squid lol.

Hi @anon45931963

yes, /etc/fcron.* might be useful for that, or you can also use fcrontab -e if it should be more specific. Regarding the update sequence, if you are not sure how often/when the list is updated you can make a check via e.g.:

curl -Ls https://phishing.army/download/phishing_army_blocklist_extended.txt | sha1sum
...
if [ "${ACTVERSION}" != "${INSTALLEDVER}" ]; then
...

and compare via a checksum (sha1 in that case) whether something has changed and, if so, update it. The downtime is not that long, you can see it above.

Some more info for you.

Best,

Erik
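The checksum comparison sketched in the post above, written out as an added example (not Erik's script and not part of IPFire): the sha1sum of the freshly downloaded list is compared with the one recorded at the last install, so squid is only restarted when the list really changed. The file paths, the version file and the `needs_update`/`record_version` names are assumptions; the demo uses a constructed list instead of downloading one.

```shell
#!/bin/sh
# Added example (not from the thread or IPFire): reload the URL filter only
# when a newly downloaded blocklist differs from the installed one.
# Assumption: the list has already been fetched to NEW_LIST, e.g. with
#   curl -Ls https://phishing.army/download/phishing_army_blocklist_extended.txt -o "$NEW_LIST"

set -u

# Print the hex digest of a file (first field of sha1sum output).
list_checksum() {
    sha1sum "$1" | cut -d' ' -f1
}

# Usage: needs_update NEW_LIST VERSION_FILE
# Returns 0 (true) when NEW_LIST's checksum differs from the one recorded in
# VERSION_FILE, or when nothing has been recorded yet; returns 1 otherwise.
needs_update() {
    new_list="$1"
    version_file="$2"
    actversion="$(list_checksum "$new_list")"
    installedver=""
    [ -f "$version_file" ] && installedver="$(cat "$version_file")"
    [ "$actversion" != "$installedver" ]
}

# Record the checksum of the list that has just been installed.
record_version() {
    list_checksum "$1" > "$2"
}

# Demo with a constructed list (not a real blocklist download).
demo() {
    tmp="$(mktemp -d)"
    printf 'bad.example\nworse.example\n' > "$tmp/list.txt"
    if needs_update "$tmp/list.txt" "$tmp/version"; then
        echo "list changed: install it and restart the URL filter"
        record_version "$tmp/list.txt" "$tmp/version"
    fi
    if needs_update "$tmp/list.txt" "$tmp/version"; then
        echo "unexpected: list reported changed again"
    else
        echo "list unchanged: nothing to do, squid keeps running"
    fi
    rm -rf "$tmp"
}

demo
```

Scheduled from fcron every few hours this keeps the downtime limited to the runs where the list actually changed; because the comparison is on the downloaded content rather than on timestamps, a re-published but identical list causes no restart.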


@ummeegge that’s good info thanks.