Educause Security Discussion mailing list archives
More details for Google Apps Phishing warning
From: Josef Fortier <fortier () AUGSBURG EDU>
Date: Thu, 20 Feb 2014 11:21:15 -0600
I just got a request for more info regarding how we set up GAE Content Compliance to tag free hosts. The starting list is here:
https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/

When I put this in place, we had the older GAE admin interface (and my memory is hazy enough I can't do a detailed walk-thru). Looking at the new admin interface, I'm pretty sure this is the sequence:

1) Dashboard->Settings for Gmail->Advanced settings (last item)

2) Scroll down to "Content compliance" and go to the right hover menu to add a new rule.

3) Apply to Inbound, Outbound, Internal-sending (the precise combination is a tradeoff). The goal here is to:
   a) Protect other domains (good netizen) with Outbound (read "external")
   b) Catch external inbound with Inbound
   c) Catch internal sending, but not internal receiving, to avoid multiple tagging. This won't catch all of it, but does deal with a good deal of it.

4) Add regexes of the form:

   http[s]://www.formpl.us/

   The precise details are up to you, but this is relatively clear and specific enough to minimize false positives. Here the intent is a) catch actual URLs and not just web sites, and b) catch the SSL forms as well as the non-secure.

   I do have some more complex regexes:

   http[s]*://www[.]form2go[.]com/publish/publish_form/\S*

   Here the goal is a) to account for form2go's DNS style user mapping b) catch only the forms URL.

I've added all these to one rule, so that the behavior will be uniform and easily altered. This is a fairly tedious task (reason to keep the regex simple). Google uses a variant of PCRE (a subset for speed) but this will not affect simple regexes.

Use "Advanced content match" with "Location" as "Raw Message" (i.e. search MIME and plain-text).

Add initial action of copying to a mailbox to make sure the rules are acting as expected (we had 3 minutes of tag everything....).

When everything appears OK (I'd wait a few days) add a target rule "Modify message"->Subject->Prepend custom subject

--
__________________________________________________________________________
Josef Fortier
Systems Administrator
fortier () augsburg edu
Phone: 612-330-1479
__________________________________________________________________________
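
An added example, not part of the original message: a small Python harness for checking candidate patterns against sample raw messages before they go into a Content compliance rule, and for previewing the subject tag. Python's `re` stands in for Google's regex engine here, and the sample messages, the `formplus_optional_s` variant and the tag text are constructed for illustration.

```python
import re
from email import message_from_string

RULES = {
    # The two patterns quoted in the message above, exactly as posted.
    "formplus_as_posted": r"http[s]://www.formpl.us/",
    "form2go_forms": r"http[s]*://www[.]form2go[.]com/publish/publish_form/\S*",
    # Constructed variant: [s]* makes the "s" optional and [.] pins the dots.
    "formplus_optional_s": r"http[s]*://www[.]formpl[.]us/",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}
TAG = "[POSSIBLE PHISH] "  # hypothetical tag text

def sample(body, subject="Mailbox quota"):
    """Build a constructed raw message (headers, blank line, body)."""
    return ("From: a@example.org\nTo: b@example.edu\n"
            f"Subject: {subject}\n\n{body}\n")

# Constructed test inputs, not real mail.
SAMPLES = {
    "https_form": sample("Verify here: https://www.formpl.us/form/123"),
    "http_form": sample("Verify here: http://www.formpl.us/form/123"),
    "bare_mention": sample("We blocked www.formpl.us last week."),
    "form2go": sample("http://www.form2go.com/publish/publish_form/abc"),
}

def matching_rules(raw_message):
    """Names of the rules that match anywhere in the raw message text."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(raw_message))

def tag_subject(raw_message, rules=("formplus_optional_s", "form2go_forms")):
    """Return the Subject, with TAG prepended once if a selected rule hits."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    hit = any(COMPILED[r].search(raw_message) for r in rules)
    if hit and not subject.startswith(TAG):  # avoid tagging twice
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    return msg["Subject"]

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {matching_rules(raw)} -> {tag_subject(raw)!r}")
```

In this run `[s]` matches exactly one "s", so `formplus_as_posted` fires only on the https sample, while the `[s]*` form fires on both schemes and neither fires on the bare host name.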