QR code threat links

yanfei

Mar 7, 2019
Hi,

In recent years, there have been more and more spam/phishing emails that send pictures/documents with QR code links. Do we have a protection plan for this type of email? Image content can already be identified through spamassassin 4.0. Can you add the function of identifying and converting QR codes into threat connections and achieving final analysis?
 
I also recently started wondering the same thing. No luck finding any info on this forum, but did manage to find the following SpamAssassin plugin to decode QR codes and filter based on the results.

https://github.com/mxguardian/Mail-SpamAssassin-Plugin-QRCode

I've never added a new plugin to SpamAssassin, so I'm off to break things! If anyone has a basic/generic walkthrough for installing new plugins to SpamAssassin in PMG, I'd love to see it!
 
Hello,

Finally, has anyone been able to install this plugin successfully?
I'm working on it unsuccessfully, and I'm quite new to PMG and not sure how to install a plugin.

Below is what I did to install Mail-SpamAssassin-Plugin-QRCode

  1. Installation of prerequisites
    1. cpan Barcode::ZBar
    2. cpan Image::Magick
  2. Copy the QRCode.pm under /usr/share/perl5/Mail/SpamAssassin/Plugin/
  3. Create the configuration file with nano /usr/share/spamassassin/40_QRcode.cf with the content:
    Code:
    loadplugin Mail::SpamAssassin::Plugin::QRCode
    
    ifplugin Mail::SpamAssassin::Plugin::QRCode
      qr_code_min_width     100
      qr_code_max_width     0
      qr_code_min_height    100
      qr_code_max_height    0
      qr_code_scan_pdf      0
    endif
    
    uri_detail      HAS_QRCODE_URI   type =~ /^qrcode$/
    describe        HAS_QRCODE_URI   Message contains a URI embedded in a QR code
  4. On the PMG GUI under "spam detector => Custom Scores" I created the rule
    Code:
    # qrcode
    score HAS_QRCODE_URI 30.000
My issue is that I'm not sure the plugin is loading well, and whether I'm using the correct way to create a rule that flags an email with a QR code as spam.

Any idea or suggestion is welcome.
Thanks a lot
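A check for the question above about whether the plugin is actually loading. This is an added example (shell, not from the thread or the plugin project): it inspects the debug output of `spamassassin -D plugin,config --lint` and reports whether the QRCode plugin was loaded, whether a Perl dependency such as Barcode::ZBar was missing, and whether the qr_code_* options were rejected. The `plugin: loading ... from ...` and `config: failed to parse line, skipping, in ...` messages are SpamAssassin's own; the two sample outputs at the bottom (sample_lint_ok, sample_lint_bad) are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: verify that SpamAssassin loaded the
# QRCode plugin and accepted its qr_code_* options.
#
# Usage on a real box:
#     spamassassin -D plugin,config --lint 2>&1 | qrcode_plugin_status
# Exit status 0 means "plugin loaded, no missing module, no qr_code_* option
# rejected"; anything else is printed with a short diagnosis.

qrcode_plugin_status() {
    out=$(cat)                      # whole debug/lint output from stdin
    status=0

    # PluginHandler logs one "plugin: loading <package> from ..." line for
    # every loadplugin directive it processed.
    if printf '%s\n' "$out" | grep -q 'plugin: loading Mail::SpamAssassin::Plugin::QRCode'; then
        echo "plugin: Mail::SpamAssassin::Plugin::QRCode loaded"
    else
        echo "plugin: Mail::SpamAssassin::Plugin::QRCode NOT loaded (check the loadplugin line)"
        status=1
    fi

    # A missing Perl dependency (Barcode::ZBar, Image::Magick) surfaces as a
    # "Can't locate <Module>.pm" error while the plugin is compiled.
    if printf '%s\n' "$out" | grep -q "Can't locate"; then
        echo "plugin: a Perl module could not be found:"
        printf '%s\n' "$out" | grep "Can't locate"
        status=1
    fi

    # When the plugin is not active, SA does not know its options and warns
    # "config: failed to parse line, skipping, in ...: qr_code_min_width 100".
    if printf '%s\n' "$out" | grep 'failed to parse line' | grep -q 'qr_code_'; then
        echo "config: qr_code_* options were rejected (plugin not active when the .cf was read?)"
        printf '%s\n' "$out" | grep 'failed to parse line' | grep 'qr_code_'
        status=1
    fi

    return $status
}

# Constructed sample outputs (not captured from a real PMG host).
sample_lint_ok() {
    cat <<'EOF'
Jan  1 00:00:00.000 [1234] dbg: plugin: loading Mail::SpamAssassin::Plugin::QRCode from @INC
Jan  1 00:00:00.000 [1234] dbg: config: read file /etc/mail/spamassassin/local.cf
EOF
}

sample_lint_bad() {
    cat <<'EOF'
Jan  1 00:00:00.000 [1234] dbg: config: read file /etc/mail/spamassassin/local.cf
Jan  1 00:00:00.000 [1234] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": qr_code_min_width 100
EOF
}
```

The "failed to parse line ... qr_code_min_width" warning is the symptom to look for when the ifplugin/option block sits in a file that is read before the loadplugin line takes effect, or when the plugin failed to compile. One PMG-specific point worth keeping in mind: PMG generates /etc/mail/spamassassin/local.cf from its own templates, so edits there can be lost on the next `pmgconfig sync`; PMG's documentation names /etc/mail/spamassassin/custom.cf as the file for local rules and options.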
 
Finally, I was able to deploy the QRCode plugin successfully.

Below is how I did it:

  1. Install prerequisites
    apt install cpanminus
    apt install libzbar0 libzbar-dev
    cpanm Barcode::ZBar
    apt install imagemagick libimage-magick-perl libmagick++-dev
    cpanm Image::Magick
  2. Copy the "QRCode.pm" file with wget -O /usr/share/perl5/Mail/SpamAssassin/Plugin/QRCode.pm https://raw.githubusercontent.com/mxguardian/Mail-SpamAssassin-Plugin-QRCode/main/lib/Mail/SpamAssassin/Plugin/QRCode.pm
  3. Activate the plugin with nano /etc/mail/spamassassin/init.pre and add:
    Code:
    # QRCode additional custom plugin
    loadplugin Mail::SpamAssassin::Plugin::QRCode
  4. Add the plugin configuration with nano /etc/mail/spamassassin/local.cf and add:
    Code:
    # Custom - check plugin and options.
    ifplugin Mail::SpamAssassin::Plugin::QRCode
      qr_code_min_width     100
      qr_code_max_width     0
      qr_code_min_height    100
      qr_code_max_height    0
      qr_code_scan_pdf      0
    endif
    
    # Custom - rule definitions for the QRCode plugin
    uri_detail      HAS_QRCODE_URI   type =~ /^qrcode$/
    describe        HAS_QRCODE_URI   Message contains a URI embedded in a QR code
    
    # Custom - score attribution
    score          HAS_QRCODE_URI    30.0

Now the plugin should be functional.
If I send myself an email with a QR code inside, the spam score explodes:
Code:
X-SPAM-LEVEL: Spam detection results:  30
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    DMARC_PASS               -0.1 DMARC pass policy
    HAS_QRCODE_URI             30 Message contains a URI embedded in a QR code
    HTML_IMAGE_ONLY_08          1 HTML: images with 400-800 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    KAM_INFOUSMEBIZ          0.75 Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
    RCVD_IN_MSPIKE_H5          -1 Excellent reputation (+5)
    RCVD_IN_MSPIKE_WL       -0.01 Mailspike good senders
    RCVD_IN_VALIDITY_CERTIFIED_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked.  See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
    RCVD_IN_VALIDITY_RPBL_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked.  See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
    RCVD_IN_VALIDITY_SAFE_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked.  See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
    RCVD_IN_ZEN_BLOCKED_OPENDNS  0.001 ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [virus.com,ik.me]
    URIBL_DBL_BLOCKED_OPENDNS  0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [virus.com,ik.me]

I hope these steps will help you to add the QRCode plugin to PMG.
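To make a report like the one above easier to work with (for example when checking mail logs for messages where HAS_QRCODE_URI fired, or when confirming which rule actually drove a verdict), here is an added example in shell that is not part of the post: it parses a PMG X-SPAM-LEVEL report into rule/score pairs, sums the scores, and picks the rule with the largest contribution. The sample_report function embeds the report from the post above with the descriptions shortened; the function and rule names in the script are my own.

```shell
#!/bin/sh
# Added example, not from the thread: parse a PMG "X-SPAM-LEVEL" spam report
# into rule/score pairs. Only the rule name (column 1) and its score
# (column 2) are used; the descriptions are ignored.
#
# Usage:  spam_report_rules < message.eml
#         spam_report_score_of HAS_QRCODE_URI < message.eml

spam_report_rules() {
    # Rule lines are indented and start with an upper-case rule name followed
    # by a numeric score. The "Spam detection results:" header starts at
    # column 0 and is skipped, as is any other line.
    awk '/^[ \t]+[A-Z][A-Z0-9_]*[ \t]+-?[0-9]+(\.[0-9]+)?([ \t]|$)/ { print $1, $2 }'
}

spam_report_total() {
    # Arithmetic sum of all rule scores, 3 decimals (PMG's header shows the
    # rounded integer level).
    spam_report_rules | awk '{ sum += $2 } END { printf "%.3f\n", sum }'
}

spam_report_top() {
    # Rule with the largest score, i.e. the one that drove the verdict.
    spam_report_rules | awk 'NR == 1 || $2 + 0 > max { max = $2 + 0; top = $1 } END { print top }'
}

spam_report_score_of() {
    # Score of one named rule, or "absent" if it did not fire.
    rule=$1
    spam_report_rules | awk -v r="$rule" '$1 == r { print $2; found = 1 } END { if (!found) print "absent" }'
}

# The report from the post above, descriptions shortened (sample input).
sample_report() {
    cat <<'EOF'
X-SPAM-LEVEL: Spam detection results:  30
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    DMARC_PASS               -0.1 DMARC pass policy
    HAS_QRCODE_URI             30 Message contains a URI embedded in a QR code
    HTML_IMAGE_ONLY_08          1 HTML: images with 400-800 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    KAM_INFOUSMEBIZ          0.75 Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
    RCVD_IN_MSPIKE_H5          -1 Excellent reputation (+5)
    RCVD_IN_MSPIKE_WL       -0.01 Mailspike good senders
    RCVD_IN_VALIDITY_CERTIFIED_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked.
    RCVD_IN_VALIDITY_RPBL_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked.
    RCVD_IN_VALIDITY_SAFE_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked.
    RCVD_IN_ZEN_BLOCKED_OPENDNS  0.001 ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked.
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. [virus.com,ik.me]
    URIBL_DBL_BLOCKED_OPENDNS  0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. [virus.com,ik.me]
EOF
}
```

Two things the report itself shows, beyond the 30-point hit: the QR-only mail also triggered HTML_IMAGE_ONLY_08, which is the usual shape of these messages (an image and almost no text), and the URIBL_BLOCKED / URIBL_DBL_BLOCKED_OPENDNS lines list the domains the plugin extracted ([virus.com,ik.me]) but record that the URIBL lookups were blocked because of the open resolver. With a local, non-public resolver, the decoded URI would also be checked against the URI blocklists, so the plugin's value is not limited to the flat HAS_QRCODE_URI score.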