Grepular

Defending Against Spear Phishing with Exim

Written 6 years ago by Mike Cardwell

Have you ever received a forged email asking for you to reply with your email login details? I work at an institution where this happens a lot. People are constantly receiving highly targetted phishing emails, pretending to be from our I.T department, with all sorts of excuses for why they would need you to reply with your password. No matter how much we tweak our filters, some always get through. No matter how much user education we apply, people continue to occasionally reply to them.

If you are running Exim as an MSA, with either the PLAIN or LOGIN authenticators, then I have just released a “plugin” which you will find useful.

The plugin is called “EximPhishReplyBuster” and can be downloaded from my gitlab repository. It utilises Exim’s Embedded Perl functionality, and it works as follows:

  1. The user receives a phishing email asking for their password
  2. They reply to the email with their password
  3. Their email client connects to Exim and logs in, using their username/password
  4. EximPhishReplyBuster hooks into the authentication stage and “remembers” the password
  5. Their email client sends the message down the connection
  6. EximPhishReplyBuster scans the message body to see if the same password can be seen
  7. Exim rejects the message if the password was there

It transparently handles multipart emails, quoted-printable/base64 transfer encoding, and HTML entity encoding.

I released a much more complicated solution to this problem a couple of years ago, called Kochi. I blogged about it here. It works with any mail server that can talk to ClamAV, and it works completely differently. It extracts all of the possible username/password combinations from an email, and attempts to authenticate using those details via any method you choose. This only works if you have a set username format, and a strict password policy which prevents passwords looking like other normal words that would appear in an email. Kochi can work in many more scenarios, but it is much more difficult to set up as it needs to be highly customised for each system, by someone who can program Perl.

On the other hand, EximPhishReplyBuster is plug and play, and because it already knows the password it is looking for, it is considerably more efficient.

Looking to hire somebody like me? I'm open to offers of full time employment and small contract jobs. Check out my hiring page. You can follow this Blog using RSS or . To read more, visit my blog index.

Feeling generous?BitcoinMoneroZcashPaypal