32Guards sends warning for affected URLs
In recent months we have had good success with 32Guards against “Hello-Spams”. However, previous phishing attacks used unknown URL-shortening services or machine-generated blogspot pages that are easily recognized as malicious. With the bit.ly URLs used here, this is not so easy, since they also appear in legitimate email communication. Because of this particular threat situation, the 32Guards service is currently issuing an alert for these URLs. For all customers who already participate in the 32Guards beta version, 2 SCL points are awarded. Because these e-mails show few other suspicious characteristics, this unfortunately does not always lead to a rejection.
How can you fend off spam mails with bit.ly links?
For stricter handling of these spam e-mails, we recommend the following temporary local modification:
Under NoSpamProxy Management Console > Configuration > Preferences > Word matches > “Add”, a word group can be created as shown in the example. The corresponding pattern can then be defined here.
Afterwards, in the inbound rules (NoSpamProxy Management Console > Configuration > Rules), the “Word matches” filter can be added under “Filter” (if it is not already in use) and the newly created word group “Blocked Links” selected.
With this procedure, all emails containing bit.ly URLs are rejected. Our current data shows that the attacks are mainly sent from “outlook.com” or “hotmail.com” addresses. This finding allows a more selective approach that reduces the false positive rate.
First, a new custom rule is created, e.g. by duplicating the existing “All other inbound mails” rule. The word group “Blocked Links” created above is then used only in this new rule. The new rule can be restricted to the relevant MAIL FROM domains under “Message Flow”.
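The decision logic of the two variants above (block every bit.ly link, or only for the named MAIL FROM domains), written out as an added example. This is not NoSpamProxy code and not the word-group pattern from the article; the regex, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed pattern (the article's own pattern is not reproduced in the text).
# The boundaries keep "rabbit.ly" and "bit.ly.example.com" from matching.
BITLY_URL = re.compile(
    r"(?<![\w.-])(?:https?://)?(?:www\.)?bit\.ly(?![\w-]|\.\w)", re.IGNORECASE
)

# MAIL FROM domains named in the article
SCOPED_SENDER_DOMAINS = {"outlook.com", "hotmail.com"}

# Constructed sample message, not taken from a real campaign
SAMPLE_PLAIN = (
    "From: someone@hotmail.com\nSubject: Hello\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Hello, see https://bit.ly/3xYzAbC\n"
)


def sender_domain(mail_from: str) -> str:
    """Return the lower-cased domain of an envelope MAIL FROM address."""
    _, addr = parseaddr(mail_from)
    return addr.rpartition("@")[2].lower().rstrip(".")


def has_bitly_link(raw_message: str) -> bool:
    """True if any decoded text part of the message contains a bit.ly link."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable before matching
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if BITLY_URL.search(text):
            return True
    return False


def verdict(mail_from: str, raw_message: str, scoped: bool = True) -> str:
    """Return 'reject' or 'accept'; scoped=False models the block-all variant."""
    if scoped and sender_domain(mail_from) not in SCOPED_SENDER_DOMAINS:
        return "accept"
    return "reject" if has_bitly_link(raw_message) else "accept"
```

Running the same message through both variants shows the trade-off: the scoped rule lets a bit.ly link from any other sender domain pass, which lowers false positives but also misses the campaign if it moves to other sender domains.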
Use 32Guards now
The 32Guards action in NoSpamProxy collects and analyzes metadata about emails and attachments. The goal: to build an even more powerful anti-malware intelligence that can detect and fend off spam and malware attacks even faster and in a more targeted way. If you are interested in using the beta version of Project 32Guards, send an e-mail with the subject “32Guards activation” to NoSpamProxy support and attach a screenshot of your license details.
The Security Insider picked up our blog article and published a post about it.