package Mail::SpamAssassin::Plugin::Phisher; use strict; # # Phisher.pm # # Version .05 (may explode without warning) # # SpamAssassin plug-in to detect Phishing attacks # # (c) 2005, Faisal N. Jawdat # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are # met: # # Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. Redistributions in # binary form must reproduce the above copyright notice, this list of # conditions and the following disclaimer in the documentation and/or # other materials provided with the distribution. Neither the name of # Faisal N. Jawdat nor the names of its contributors may be used to # endorse or promote products derived from this software without specific # prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT # HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL # THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON # ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # To use, add the following lines to local.cf (without the comments), edit # the path, and change the score appropriately: # # loadplugin Mail::SpamAssassin::Plugin::Phisher PATH/TO/Phisher.pm # rawbody HREF_NEQ_ANCHOR eval:href_neq_anchor() # describe HREF_NEQ_ANCHOR URL in anchor does not match its HREF # score HREF_NEQ_ANCHOR .1 # use Mail::SpamAssassin::Plugin; our @ISA = qw(Mail::SpamAssassin::Plugin); sub new { my ($class, $mailsa) = @_; # the usual perlobj boilerplate to create a subclass object $class = ref($class) || $class; my $self = $class->SUPER::new($mailsa); bless ($self, $class); # then register an eval rule, if desired... $self->register_eval_rule ("href_neq_anchor"); # and return the new plugin object return $self; } sub href_neq_anchor { my ($self, $permsgstatus) = @_; my $failed_test = 0; my $rawbody_aref = $permsgstatus->get_decoded_body_text_array(); my $rawbody = join(' ', @$rawbody_aref); $rawbody =~ s/\s+/ /gs; while ($rawbody =~ /(\S*\.\S*)<\/a[\s|>]/migc) { my $href = $1; my $linktext = $2; # normalize both link types # strip beginning and end quotes for href $href =~ s/^\"//s; $href =~ s/^\'//s; $href =~ s/\'$//s; $href =~ s/\"$//s; # drop http, www., and any path after the domain $href =~ s/^http:\/\///is; $href =~ s/^https:\/\///is; $href =~ s/^www\.//is; $href =~ s/\/.*$//s; # drop http, www., and any path after the domain $linktext =~ s/^http:\/\///is; $linktext =~ s/^https:\/\///is; $linktext =~ s/^www\.//is; $linktext =~ s/\/.*$//s; if (!($linktext eq $href)) { $failed_test = 1; } } return $failed_test; } 1;