Obfuscated Links - ORF Forums


1

We receive a lot of SPAM that contains links, often obfuscated.
eg.
http://internaldomainname/files/LRJZ-931-YSC5699/
which actually points to
http://feryalalbastaki.com/kukuvno/i34ji-wrdmk-uthuz/

The SUBRL test doesn't report back any concerns, so the end result is this email finds its way to the users mailbox.

I cannot think of any reason why a legitimate sender would obfuscate links in this manner, so I'd like to block any and all emails that contain obfuscated links.
Is this possible in ORF?

by gavpop111 5 years ago
2

@gavpop111: Yes, absolutely. You could try to use the Keyword Blacklist test and a regular expression to filter out such emails. Just follow the steps below:

1. Start the ORF Administration Tool and connect to the local or a remote instance.
2. Navigate to the 'Blacklists / Keyword Blacklist' page
3. Click 'New'
4. In the 'Keyword Filter Properties' dialog, set the 'Search Scope' to 'Email body' and mark the 'Body raw HTML source' checkbox enabled
5. Add a Comment text (e.g., "Obfuscated URL Blocker")
6. On the 'Filter Expression' tab, add the following expression:

.*<a[^>]*href=['"]([^>]*)['"]>(?=http[s]?)(?!\1)

7. Set the expression type to 'Regular expression (Perl-compatible)'
8. Use the Test field to check whether the expression works as you intended
9. Click 'OK'
10. Save the configuration to apply the new settings (Ctrl + S)

The expression above will block any email in which an anchor text starts with http or https but differs from the value of the "href=" attribute of the anchor tag - see example below:
<a href="https://www.domain-A.com">https://www.domain-B.com </a>

I hope this helps.

by Daniel Novak (Vamsoft) 5 years ago
(in reply to this post)

3

I've implemented this, but it doesn't work.
By the looks of it, it's because it's looking for an HREF link, like you'd find on a webpage.
Outlook works differently and doesn't have HREF.

eg - in Outlook the raw text is like this for obfuscated links...
http://something.co.uk/GB/UG-630-Y4219/ <http://eiamheng.com/EES/LLC/q4uSkM44/>

This could be because the email is TEXT or RTF as opposed to HTML, so maybe I need a separate obfuscated link regex checker for TEXT and RTF emails?

by gavpop111 5 years ago
4

@gavpop111: your forum overwrote my example link
Not sure how I can write the link without the forum rewriting it??

by gavpop111 5 years ago
(in reply to this post)

5

@gavpop111: Does the example link contain any left angle brackets "<"? They must be replaced with "&lt;" otherwise the forum engine will remove it and any text that follows it.

by Daniel Novak (Vamsoft) 5 years ago
(in reply to this post)

7

See above - you get the idea.
This is how the obfuscated links appear in the emails.

Can a regex be created to search for these kind of obfuscated links?

by gavpop111 5 years ago
8

Perhaps; but it would be best if you could send us (to ) a few sample emails that contain such links so we could analyze those and see if we can come up with a solution. Make sure, though, that you send us the original emails saved in a .msg or .eml format. Forwarded emails will not suffice.

by Daniel Novak (Vamsoft) 5 years ago
9

I've emailed it through.
Subject is "Example of obfuscated link in email"

by gavpop111 5 years ago
10

I have tested the sample email in our lab and it was successfully rejected by the Keyword Blacklist - using the suggested regex pattern. The email you sent me is a multi-part message in MIME format, so the anchor element with the URL is stored in the 'text/html' part of the message - that is probably why you did not see it.

I recommend that you go through the instructions above one more time and check the parameters of the Keyword Blacklist entry that you created (in the ORF Administration Tool). Perhaps you missed a checkbox or made a typo.

Let me know if this has helped.

by Daniel Novak (Vamsoft) 5 years ago
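The detection logic discussed in this thread, as an added example that is neither ORF's code nor any poster's: it applies the Keyword Blacklist regex from post 2 to the text/html part of a MIME message (the part where post 10 says the anchor actually lives), and also checks the "displayed URL <real URL>" form that Outlook shows for plain-text bodies (post 3). Domain names, the sample message and the helper names are constructed for this example, not taken from the thread.

```python
"""
Added example: flag links whose visible text is a URL that points somewhere
other than the real link target.

  * text/html parts: the anchor-mismatch check from the Keyword Blacklist
    regex in the thread (visible anchor text starts with http/https but is
    not the href value).
  * text/plain parts: the Outlook rendering "http://shown <http://real>".

All domains and the sample message below are constructed for this example.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# The Perl-compatible pattern posted in the thread. Python's re accepts the
# back-reference inside the negative lookahead in the same way.
ORF_ANCHOR_PATTERN = re.compile(
    r'''<a[^>]*href=['"]([^>]*)['"]>(?=http[s]?)(?!\1)''', re.IGNORECASE)

# Reporting variant: capture href and visible text so the mismatch can be
# logged, not just detected.
ANCHOR_RE = re.compile(
    r'''<a[^>]*?href=['"]([^'"]*)['"][^>]*>\s*(https?://[^<]*?)\s*</a>''',
    re.IGNORECASE | re.DOTALL)

# Outlook-style plain text: "<displayed URL> <<actual URL>>"
PLAINTEXT_RE = re.compile(r'(https?://\S+)\s+<(https?://[^>\s]+)>', re.IGNORECASE)


def _normalize(url: str) -> tuple:
    """Compare URLs loosely: case-insensitive scheme/host, ignore a trailing slash."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip('/'), parts.query)


def orf_regex_matches(html: str) -> bool:
    """True if the exact pattern from the thread would fire on this HTML."""
    return ORF_ANCHOR_PATTERN.search(html) is not None


def html_anchor_mismatches(html: str) -> list:
    """(href, visible_text) pairs where the visible URL does not match the href."""
    return [(href, text) for href, text in ANCHOR_RE.findall(html)
            if _normalize(href) != _normalize(text)]


def plaintext_mismatches(text: str) -> list:
    """(shown, real) pairs from 'shown <real>' where the two URLs differ."""
    return [(shown, real) for shown, real in PLAINTEXT_RE.findall(text)
            if _normalize(shown) != _normalize(real)]


def scan_message(raw: str) -> list:
    """Walk every MIME part and apply the check that fits its content type."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ('text/plain', 'text/html'):
            continue  # multipart containers, attachments, etc.
        body = part.get_content()
        if ctype == 'text/html':
            findings += [('html', h, t) for h, t in html_anchor_mismatches(body)]
        else:
            findings += [('text', s, r) for s, r in plaintext_mismatches(body)]
    return findings


# Constructed multipart/alternative message in the shape described in post 10:
# the plain-text part carries the Outlook-style rendering, the HTML part the anchor.
SAMPLE_SPAM = """\
From: sender@example.net
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your files: http://internaldomain.example/files/ABC-123/ <http://attacker.example/kuku/>

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your files: <a href="http://attacker.example/kuku/">http://internaldomain.example/files/ABC-123/</a></p>
</body></html>

--b1--
"""

if __name__ == '__main__':
    for kind, shown_or_href, other in scan_message(SAMPLE_SPAM):
        print(f'{kind}: {shown_or_href!r} vs {other!r}')
```

Two caveats worth knowing before deploying the thread's pattern as-is: it compares the href and the visible text as literal prefixes, so a legitimate `<a href="https://www.domain-A.example/">https://www.domain-A.example</a>` (trailing slash only in the href) is also rejected, which is why `html_anchor_mismatches` normalises both sides first; and it only inspects the text/html part, so a text-only message showing `http://shown <http://real>` needs the separate plain-text check above.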
