Educause Security Discussion mailing list archives

More details for Google Apps Phishing warning


From: Josef Fortier <fortier () AUGSBURG EDU>
Date: Thu, 20 Feb 2014 11:21:15 -0600

I just got a request for more info regarding how we set up GAE Content
Compliance to tag free hosts.

The starting list is here:

    https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/

When I put this in place, we had the older GAE admin interface (and my
memory is hazy enough I can't do a detailed walk-thru). Looking at the
new admin interface, I'm pretty sure this is the sequence:

    1) Dashboard->Settings for Gmail->Advanced settings (last item)

    2) Scroll down to "Content compliance" and go to the right hover
       menu to add a new rule.

    3) Apply to Inbound, Outbound, Internal-sending (the precise
       combination is a tradeoff). The goal here is to:

        a) Protect other domains (good netizen) with Outbound (read
           "external")

        b) Catch external inbound with Inbound

        c) Catch internal sending, but not internal receiving, to avoid
           multiple tagging. This won't catch all of it, but does deal
           with a good deal of it.

    4) Add regexes of the form:

            http[s]?://www[.]formpl[.]us/

       The precise details are up to you, but this is relatively clear
       and specific enough to minimize false positives. Here the intent
       is a) catch actual URLs and not just web sites, and b) catch the
       SSL forms as well as the non-secure.

       I do have some more complex regexes:

            http[s]*://www[.]form2go[.]com/publish/publish_form/\S*
       
       Here the goal is a) to account for form2go's DNS style user
       mapping b) catch only the forms URL.

       I've added all these to one rule, so that the behavior will be
       uniform and easily altered. This is a fairly tedious task (reason
       to keep the regex simple). Google uses a variant of PCRE (a
       subset for speed) but this will not affect simple regexes.

       Use "Advanced content match" with "Location" as "Raw Message"
       (i.e. search MIME and plain-text).

       Add initial action of copying to a mailbox to make sure the rules
       are acting as expected (we had 3 minutes of tag everything....).
       When everything appears OK (I'd wait a few days), add a target
       rule "Modify message"->Subject->Prepend custom subject.




-- 
__________________________________________________________________________
Josef Fortier
Systems Administrator
fortier () augsburg edu
Phone: 612-330-1479
__________________________________________________________________________
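An added example (not from the post or from Google) that simulates the rule described above: it searches the raw message, as the "Raw Message" location does, with the post's form-host regexes and prepends a subject tag on a hit. It uses Python's `re` as a stand-in for Google's regex engine, a hypothetical tag string, and constructed sample messages; it also shows why a one-character class `[s]` with no quantifier misses plain http links.

```python
import re
from email import message_from_string

# Patterns of the kind the post uses (formpl.us with an optional "s",
# plus the post's form2go pattern). Assumed here, not Google's own list.
FORM_HOST_PATTERNS = [
    r"http[s]?://www[.]formpl[.]us/",
    r"http[s]*://www[.]form2go[.]com/publish/publish_form/\S*",
]

TAG = "[External form link] "  # hypothetical "Prepend custom subject" text


def pattern_hit(pattern: str, raw_message: str) -> bool:
    """True if one regex matches anywhere in the raw (headers + body) text."""
    return re.search(pattern, raw_message) is not None


def matches_free_form_host(raw_message: str) -> bool:
    """Rule condition: any configured form-host pattern hits the raw message."""
    return any(pattern_hit(p, raw_message) for p in FORM_HOST_PATTERNS)


def apply_rule(raw_message: str) -> str:
    """Rule action: return the Subject, tagged only when the condition holds."""
    subject = message_from_string(raw_message).get("Subject", "")
    return TAG + subject if matches_free_form_host(raw_message) else subject


# Constructed sample messages (not real mail).
PHISH_HTTP = (
    "From: payroll@example.com\nTo: staff@example.edu\n"
    "Subject: Update your direct deposit\n\n"
    "Confirm at http://www.formpl.us/form/12345 today.\n"
)
PHISH_HTTPS = PHISH_HTTP.replace("http://", "https://")
FORM2GO = (
    "Subject: Survey\n\n"
    "https://www.form2go.com/publish/publish_form/abc123?u=1\n"
)
# Mentions the host name but carries no URL, so intent (a) says: no tag.
BENIGN = "Subject: Payroll reminder\n\nformpl.us is blocked on campus.\n"

if __name__ == "__main__":
    for m in (PHISH_HTTP, PHISH_HTTPS, FORM2GO, BENIGN):
        print(apply_rule(m))
```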
