SCIENTIFIC-LINUX-USERS Archives

July 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Ron Tapia <[log in to unmask]>
Reply To: Ron Tapia <[log in to unmask]>
Date: Wed, 25 Jul 2018 09:24:53 -0400
Content-Type: multipart/mixed
Parts/Attachments: text/plain (2737 bytes)

Hi,

Proofpoint has a small Python script:

 	https://help.proofpoint.com/Threat_Insight_Dashboard/Concepts/How_do_I_decode_a_rewritten_URL%3F

that can be used to decode URLs that they mangle.

It could be adapted to filter incoming messages so that you'd never have 
to see proofpoint mangled links. I use a "display-filter" in alpine 
(Thunderbird also supports filters) to unmangle Microsoft safelinks
mangled URLs.

It doesn't take a lot of imagination to see that training users to click 
on complicated-looking URLs without thought (because they're safe!) can 
only end badly. Eventually, some organization is going to lose a lot of 
money because of a phishing attack made possible by the use of these URL
manglers.

Cheers,

Ron

-- 
If you are not part of the solution, you are part of the precipitate.
<begin pgp signed message to disable safelinks/>
On Wed, 25 Jul 2018, Maarten wrote:

> Date: Wed, 25 Jul 2018 12:55:43 +0000
> From: Maarten <[log in to unmask]>
> To: scientific-linux-users <[log in to unmask]>
> Cc: [log in to unmask]
> Subject: Re: Re: SPAM:  proofpoint.com URLs in sl-users messages
> 
> Ended up in my spam box as well
> 
> 
> 
> On Tue, Jul 24, 2018 at 19:40, Denice <[log in to unmask]> wrote:
>       On Tue, 24 Jul 2018, Glenn Cooper wrote:
>
>             Dear Scientific Linux users,
>
>             You may have noticed recently that URLs in messages to the
>             [log in to unmask] mailing list are often converted to a longer
>             version where the original URL is routed through "urldefense.proofpoint.com",
>             e.g.,
> 
>             https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.mozilla.org_show-5Fbug.cgi-3Fid-3D1278282&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=ZSgt1f7kW9G8-9f6VpdMqA&m=GNVwbRVdMb0OHea3YcT932r9X96HOwQvQqu1TZ4KG5k&s=YJv_zN6hJ20hObNHTC9szZwF56XooQ5-FHJCgYt00cg&e=
>
>             This is an anti-phishing measure adopted by Fermilab.  URLs in mail messages
>             are automatically rewritten to go through a service that checks against known
>             malicious sites, then either blocks the attempt or routes to the original
>             address.  Although these links look odd, they are legitimate, and you will
>             get to the intended sites if you follow them.
> 
> 
>
>       This message showed up in my inbox tagged as SPAM ..  so I am not
>       sure how this is an improvement.
>
>       cheers, etc.
>       --
>       Denice Deatrich, TRIUMF/Science/ATLAS      Ph: +1 604 222 7665
>       <*> This moment's fortune cookie:
>       Ban the bomb.  Save the world for conventional warfare.
> 
> 
>
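
Added example, not part of the original message and not Proofpoint's script: a stdin-to-stdout filter of the kind described above, which restores the original URL from the `u=` parameter of v2 rewritten links such as the one quoted in this thread. The function names are assumptions; only the v2 form is handled, and any other link passes through unchanged.

```python
import re
import sys
from urllib.parse import unquote, urlsplit

# The rewritten link quoted in this thread, used as sample input.
SAMPLE = (
    "https://urldefense.proofpoint.com/v2/url?"
    "u=https-3A__bugzilla.mozilla.org_show-5Fbug.cgi-3Fid-3D1278282"
    "&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=ZSgt1f7kW9G8-9f6VpdMqA"
    "&m=GNVwbRVdMb0OHea3YcT932r9X96HOwQvQqu1TZ4KG5k"
    "&s=YJv_zN6hJ20hObNHTC9szZwF56XooQ5-FHJCgYt00cg&e="
)

# Match v2 links only; stop at whitespace, quotes and angle brackets.
V2_LINK = re.compile(r"https?://urldefense\.proofpoint\.com/v2/url\?[^\s<>\"']+")

# In the v2 "u" value, "-XX" stands for "%XX" and "_" stands for "/".
# Literal "-" and "_" in the original URL arrive as "-2D" and "-5F".
V2_TABLE = str.maketrans("-_", "%/")


def decode_v2(rewritten):
    """Return the original URL from a v2 link, or the input unchanged."""
    parts = urlsplit(rewritten)
    if parts.hostname != "urldefense.proofpoint.com" or parts.path != "/v2/url":
        return rewritten
    # Split the query by hand so nothing is percent-decoded before the
    # "-" / "_" substitution has been undone.
    for field in parts.query.split("&"):
        key, _, value = field.partition("=")
        if key == "u" and value:
            # The result is the sender's URL and has been checked by nothing.
            return unquote(value.translate(V2_TABLE))
    return rewritten


def unmangle(text):
    """Replace every v2 rewritten link in a message body."""
    return V2_LINK.sub(lambda m: decode_v2(m.group(0)), text)


if __name__ == "__main__":
    # Usable as a mail client display filter: message in, message out.
    sys.stdout.write(unmangle(sys.stdin.read()))
```
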
