[clamav-users] clamav-users Digest, Vol 150, Issue 19
Kris Deugau
kdeugau at vianet.ca
Thu Jun 1 14:08:43 UTC 2017
Outreach at epsilon.com wrote:
> Hi Al,
>
> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking.
^^^^^^^^^^^^^^^^^^^^^^
In my experience that, in and of itself, is often the problem.
The cases I've whitelisted locally are almost always mismatches between
the visible link text and the actual link target, eg:
<a href="tracker.bigesp/path/to/some/thing/hexstring">example.com/link</a>
All too often, "bigesp" seems to go to great lengths to remain
unidentified, by way of cryptic and ever-multiplying domains which
appear, without time-consuming investigation, to be Just Another Spoof.
I would also suggest that using a completely separate TLD for
click-tracking is a good way to *raise* red flags when a message is
inspected by hand; even worse when the domain looks similar to the main
domain - such as "paypal-communications.com" vs "paypal.com".
Use a subdomain (eg "communication.paypal.com", or
"espname.paypal.com"), which is clearly delegated from the organization
potentially being spoofed, rather than Yet Another Similar But Not
Obviously Associated Domain (because the domain registrars clearly can't
be trusted to prevent *these* from being registered by world+dog, and a
disturbing number don't shut down the real spoofs very quickly either).
In short, stop doing the same things that the scammers do, and do things
that the scammers can't.
-kgd
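The two signals Kris describes (visible link text naming one host while the href points somewhere else, and a tracking domain that merely resembles the organization's domain instead of being delegated under it) can be checked mechanically. The script below is an added illustration, not anything from the thread or from ClamAV; it assumes the organization's real domain (here `example.com`) is known to the checker, uses a constructed HTML fragment shaped like the message being discussed, and uses the reserved `.example`/`.test` TLDs for the off-organization hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one tracker link with mismatched visible text,
# one properly delegated subdomain, one honest link, one lookalike domain.
SAMPLE_HTML = """
<p>Please review your account:</p>
<a href="http://tracker.bigesp.example/path/to/some/thing/0123abcd">example.com/link</a>
<a href="https://communication.example.com/click/0123abcd">example.com/link</a>
<a href="https://www.example.com/help">https://www.example.com/help</a>
<a href="https://example-communications.test/click/0123abcd">Update now</a>
"""


def host_of(url):
    """Lowercase hostname of a URL; bare text such as 'example.com/link' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_under(host, org_domain):
    """True when host is org_domain itself or a subdomain delegated from it."""
    org_domain = org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def looks_like_url(text):
    """Heuristic: visible anchor text reads as a URL if its first path component looks like a hostname."""
    first = text.strip().split("/")[0]
    return "." in first and " " not in first and first != ""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_anchor(href, text, org_domain):
    """Return 'ok', 'mismatch', 'lookalike' or 'external' for one link.

    ok        - target is the organization's domain or a subdomain of it
    mismatch  - visible text names a host, but the href goes to a different one
    lookalike - target is off-organization yet contains the organization's label
    external  - any other off-organization target (worth a look by hand)
    """
    target = host_of(href)
    if is_under(target, org_domain):
        return "ok"
    if looks_like_url(text) and host_of(text) != target:
        return "mismatch"
    org_label = org_domain.lower().split(".")[0]
    if org_label and org_label in target:
        return "lookalike"
    return "external"


def scan_message(html, org_domain):
    """Parse an HTML body and return [(href, visible_text, verdict), ...]."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, text, classify_anchor(href, text, org_domain))
            for href, text in collector.anchors]


if __name__ == "__main__":
    for href, text, verdict in scan_message(SAMPLE_HTML, "example.com"):
        print(f"{verdict:9s} {text!r:40s} -> {href}")
```

Only the `ok` verdict comes from a delegated subdomain, which is the point of the recommendation: a tracker at `communication.example.com` passes on its own, whereas `example-communications.test` is flagged even when its visible text is innocuous.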