2019-07-16 09:15:34 +00:00
<!DOCTYPE html>
2021-04-10 12:03:10 +00:00
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
2019-07-16 09:15:34 +00:00
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
2020-10-21 10:25:01 +00:00
< meta name = "keywords" content = "钓鱼邮件,phishing email," >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< meta name = "description" content = "研一的时候参加了第一届datacon, 可惜因为课程任务太重了, 最后连答案都没提交。今年和研一两位师弟师妹组队参加, 本以为又要躺过去了, 最后被两位的热情感染, 完成了比赛还取得不错的成绩, 也算是完成了研究生阶段的一个小遗憾。我之前没做过数据分析也没接触过邮件安全, 借这次赛题好好的补了一课, 第一题是识别发件人伪造, 第二题是垃圾邮件分类, 第三题是识别威胁邮件, 全部是真实数据, 难度层层递进。 赛题理解目标" >
< meta name = "keywords" content = "钓鱼邮件,phishing email" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "DataCon Coremail邮件安全第三题 Writeup" >
< meta property = "og:url" content = "https://cool-y.github.io/2020/10/16/coremail/index.html" >
2019-07-16 09:15:34 +00:00
< meta property = "og:site_name" content = "混元霹雳手" >
2020-10-21 10:25:01 +00:00
< meta property = "og:description" content = "研一的时候参加了第一届datacon, 可惜因为课程任务太重了, 最后连答案都没提交。今年和研一两位师弟师妹组队参加, 本以为又要躺过去了, 最后被两位的热情感染, 完成了比赛还取得不错的成绩, 也算是完成了研究生阶段的一个小遗憾。我之前没做过数据分析也没接触过邮件安全, 借这次赛题好好的补了一课, 第一题是识别发件人伪造, 第二题是垃圾邮件分类, 第三题是识别威胁邮件, 全部是真实数据, 难度层层递进。 赛题理解目标" >
2019-07-16 09:15:34 +00:00
< meta property = "og:locale" content = "zh-Hans" >
2020-10-21 10:25:01 +00:00
< meta property = "og:updated_time" content = "2020-10-20T13:59:55.666Z" >
2019-07-16 09:15:34 +00:00
< meta name = "twitter:card" content = "summary" >
2020-10-21 10:25:01 +00:00
< meta name = "twitter:title" content = "DataCon Coremail邮件安全第三题 Writeup" >
< meta name = "twitter:description" content = "研一的时候参加了第一届datacon, 可惜因为课程任务太重了, 最后连答案都没提交。今年和研一两位师弟师妹组队参加, 本以为又要躺过去了, 最后被两位的热情感染, 完成了比赛还取得不错的成绩, 也算是完成了研究生阶段的一个小遗憾。我之前没做过数据分析也没接触过邮件安全, 借这次赛题好好的补了一课, 第一题是识别发件人伪造, 第二题是垃圾邮件分类, 第三题是识别威胁邮件, 全部是真实数据, 难度层层递进。 赛题理解目标" >
2019-07-16 09:15:34 +00:00
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
2021-04-10 12:03:10 +00:00
scheme: 'Muse',
2019-07-16 09:15:34 +00:00
version: '5.1.4',
2021-04-10 12:03:10 +00:00
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
2019-07-16 09:15:34 +00:00
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
2020-10-21 10:25:01 +00:00
< link rel = "canonical" href = "https://cool-y.github.io/2020/10/16/coremail/" >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< title > DataCon Coremail邮件安全第三题 Writeup | 混元霹雳手< / title >
2019-07-16 09:15:34 +00:00
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
2020-10-21 10:25:01 +00:00
< div class = "container sidebar-position-left page-post-detail" >
2019-07-16 09:15:34 +00:00
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
2019-07-24 03:51:42 +00:00
< p class = "site-subtitle" > < / p >
2019-07-16 09:15:34 +00:00
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
2019-08-08 12:42:56 +00:00
2019-08-08 12:47:43 +00:00
< li class = "menu-item menu-item-hack之外" >
2019-08-08 12:42:56 +00:00
< a href = "/hack之外/" rel = "section" >
2019-08-08 12:52:19 +00:00
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
2019-08-08 12:42:56 +00:00
2019-08-08 12:52:19 +00:00
HACK之外
2019-08-08 12:42:56 +00:00
< / a >
< / li >
2019-07-16 09:15:34 +00:00
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
2020-10-21 10:25:01 +00:00
< div id = "posts" class = "posts-expand" >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2020/10/16/coremail/" >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< h1 class = "post-title" itemprop = "name headline" > DataCon Coremail邮件安全第三题 Writeup< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span class = "post-meta-item-text" > 发表于< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2020-10-16T11:07:33+08:00" >
2020-10-16
< / time >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/杂七杂八/" itemprop = "url" rel = "index" >
< span itemprop = "name" > 杂七杂八< / span >
< / a >
< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span id = "/2020/10/16/coremail/" class = "leancloud_visitors" data-flag-title = "DataCon Coremail邮件安全第三题 Writeup" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
2.4k 字
< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span class = "post-meta-divider" > |< / span >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
8 分钟
< / span >
< / div >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< p > 研一的时候参加了第一届datacon, 可惜因为课程任务太重了, 最后连答案都没提交。今年和研一两位师弟师妹组队参加, 本以为又要躺过去了, 最后被两位的热情感染, 完成了比赛还取得不错的成绩, 也算是完成了研究生阶段的一个小遗憾。< br > 我之前没做过数据分析也没接触过邮件安全,借这次赛题好好的补了一课,第一题是识别发件人伪造,第二题是垃圾邮件分类,第三题是识别威胁邮件,全部是真实数据,难度层层递进。< / p >
< h2 id = "赛题理解" > < a href = "#赛题理解" class = "headerlink" title = "赛题理解" > < / a > 赛题理解< / h2 > < h3 id = "目标" > < a href = "#目标" class = "headerlink" title = "目标" > < / a > 目标< / h3 > < blockquote >
< p > 在真实的企业网络环境中,一些攻击者总能想方设法绕过邮件检测引擎,使攻击邮件抵达员工的收件箱,最终达到窃取用户登录凭证等目的。与此同时,企业网络安全管理团队的精力十分有限,不可能实现对企业的全部邮件进行逐一审查。< / p >
< / blockquote >
< blockquote >
< p > 如果你是一家企业的邮件安全负责人,能否基于数据分析,利用长达三个月的企业邮件服务器日志摘要信息,设计检测模型,输出一批威胁程度较高的邮件,以便于后续的人工审查。请注意:检测模型不允许使用第三方威胁情报,检测系统必须能够离线运行。< / p >
< / blockquote >
< p > 从赛题说明中,我们可以提取出几个关键词:邮件、窃取用户凭证、威胁程度、离线运行,最终目的是从邮件通信日志中筛选出钓鱼邮件(窃取用户登录凭证)。< / p >
< h3 id = "数据" > < a href = "#数据" class = "headerlink" title = "数据" > < / a > 数据< / h3 > < blockquote >
< p > 约80万封邮件通信日志, 赛事主办方已经对数据进行了脱敏和匿名化处理。< / p >
< / blockquote >
< blockquote >
< p > 提示: 根据既往经验知识, 威胁程度较高的邮件规模约在2千至2万左右。< / p >
< / blockquote >
< p > 主办方给了威胁邮件的大致数量范围, 邮件通信日志与第一题真实的邮件格式不同, 每一封邮件都是json格式的数据, 只保留了8个字段, 而且做了匿名化处理。< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > * rcpt: 收信人邮箱地址 ---> [salt+hash]@[salt+hash替换掉敏感域名, 其它保留].[真实TLD]< / span > < br > < span class = "line" > * sender: 发件人邮箱地址 ---> 同上< / span > < br > < span class = "line" > * ip: 企业邮箱用户登录ip ---> 经过映射处理, 不是真实的ip地址, 但保留子网关系< / span > < br > < span class = "line" > * fromname: 发信人名称 ---> 对于白名单关键词( 比如admin, hr, 管理员, 经理等) 进行保留。除了白名单的其它部分salt+hash< / span > < br > < span class = "line" > * url: 直接从邮件正文、subject、附件、fromname中提取出来的url ---> [真实协议]://hash+salt替换掉敏感域名.真实TLD/真实参数< / span > < br > < span class = "line" > * @timestamp: 时间戳< / span > < br > < span class = "line" > * region: 企业邮箱用户登录ip所在地区< / span > < br > < span class = "line" > * authuser: 收信时False, 发信时True, 注意企业邮箱域内互发的话是只有一条发信记录< / span > < br > < span class = "line" > * tag: 邮件编号, 提交答案需要用到< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h3 id = "提交规则" > < a href = "#提交规则" class = "headerlink" title = "提交规则" > < / a > 提交规则< / h3 > < p > 主办方给的方法很简单, 每一封邮件均有字段tag, 结果只需要每行一个威胁邮件的tag, 换行使用< code > \n< / code > < / p >
< h3 id = "评分" > < a href = "#评分" class = "headerlink" title = "评分" > < / a > 评分< / h3 > < blockquote >
< p > 比赛过程中排行榜展示每位选手的F1-score, 未提交答案F1-score视为0, 比赛结束后, 每位选手的得分由< code > min-max归一化*100< / code > 计算得出, 保留1位小数( 四舍五入) < / p >
< / blockquote >
< p > 最终得分不仅取决于自己的F1-score, 还取决于所有选手的整体成绩。另外利用F1-score, 我们还能推测出这80万封邮件中大致的威胁邮件数量, 后续再说。< / p >
< h2 id = "解题思路" > < a href = "#解题思路" class = "headerlink" title = "解题思路" > < / a > 解题思路< / h2 > < p > 在初步浏览了一些邮件日志内容后,我们将目标锁定为寻找钓鱼邮件的数量。首先需要知道钓鱼邮件是什么,具备哪些特征。< / p >
< h3 id = "1-使用短链接" > < a href = "#1-使用短链接" class = "headerlink" title = "1. 使用短链接" > < / a > 1. 使用短链接< / h3 > < p > 短链接就是将较长的网址,通过特定的算法转换为简短的网址字符串。用户无法通过短链接地址直接看出点击这个短链接地址后究竟会打开什么样的网站。< br > 常见的有:< code > t.cn< / code > 、 < code > bit.ly< / code > 、 < code > bit.do< / code > 、 < code > u.to< / code > 、 < code > url.cn< / code > < / p >
< h3 id = "2-使用十六进制IP地址编码格式进行混淆" > < a href = "#2-使用十六进制IP地址编码格式进行混淆" class = "headerlink" title = "2. 使用十六进制IP地址编码格式进行混淆" > < / a > 2. 使用十六进制IP地址编码格式进行混淆< / h3 > < p > 网络攻击者正在不断发展其工具、策略和技术,以逃避垃圾邮件检测系统。 一些垃圾邮件活动非常依赖电子邮件信息中的混淆URL。其中就有使用了URL主机名部分中使用的十六进制IP地址编码格式来逃避检测。< br > 从技术上讲, IP地址可以用多种格式表示, 因此可以在URL中使用, 如下所示: < / p >
< ul >
< li > < strong > < a href = "https://216.58.199.78" target = "_blank" rel = "noopener" > https://216.58.199.78< / a > < / strong > < br > 点分十进制IP地址, 此示例使用Google.com的IP< / li >
< li > < strong > < a href = "https://0330.0072.0307.0116" target = "_blank" rel = "noopener" > https://0330.0072.0307.0116< / a > < / strong > < br > 八进制IP地址, 将每个十进制数字转换为八进制< / li >
< li > < strong > < a href = "https://0xD83AC74E" target = "_blank" rel = "noopener" > https://0xD83AC74E< / a > < / strong > < br > 十六进制IP地址, 将每个十进制数字转换为十六进制< / li >
< li > < strong > < a href = "https://3627730766" target = "_blank" rel = "noopener" > https://3627730766< / a > < / strong > < br > 整数或DWORD IP地址, 将十六进制IP转换为整数< / li >
< / ul >
< p > 浏览器将自动将十六进制或其他IP格式转换为十进制的IP地址。< / p >
< h3 id = "3-邮件钓鱼测试工具固有特征" > < a href = "#3-邮件钓鱼测试工具固有特征" class = "headerlink" title = "3. 邮件钓鱼测试工具固有特征" > < / a > 3. 邮件钓鱼测试工具固有特征< / h3 > < p > PhEmail是基于python编写的一款网络钓鱼邮件测试工具。PhEmail可以同时向多个用户发送钓鱼邮件, 并记录点击的用户的邮箱和IP等信息。PhEmail可以通过Google收集邮箱, 完成邮箱收集工作。< br > 收集邮箱后钓鱼邮件发送常用参数:< code > -w 钓鱼网站url地址, 发送后会自动添加index.php?email=等内容< / code > < br > 钓鱼邮件中的url链接伪造时添加email地址并进行编码, 通过钓鱼网站中php文件代码来识别email并记录log文件中。php可以进行重定向到其他网站。< / p >
< h3 id = "4-冒充管理员等身份" > < a href = "#4-冒充管理员等身份" class = "headerlink" title = "4. 冒充管理员等身份" > < / a > 4. 冒充管理员等身份< / h3 > < p > 对于企业用户来说, OA钓鱼邮件是最具危险性的钓鱼邮件。攻击者冒充系统管理员发送邮件, 以邮箱升级、邮箱停用等理由诱骗企业用户登录钓鱼网站, 并进而骗取企业员工的帐号、密码、姓名、职务等信息。< br > 钓鱼邮件经常伪装的发件人身份有以下几个主要类型:< / p >
< ul >
< li > 冒充系统管理员,以系统升级、身份验证等为由,通过钓鱼网站等方式骗取企业员工的内网帐号密码或邮箱帐号密码。< / li >
< li > 冒充特定组织,如协会、机构、会议组织者或政府主管部门等身份发送邮件,骗取帐号密码或钱财。< / li >
< li > 冒充客户或冒充自己,即攻击者会冒充企业客户或合作方对企业实施诈骗,或者是攻击者冒充某企业员工对该企业的客户或合作方实施诈骗。当然也有可能 是冒充某个企业的管理者对企业员工实施诈骗。< / li >
< / ul >
< p > 从fromname( 发信人名称) 中获得的常见名称有: admin、support、安全、service、管理员等。< / p >
< h3 id = "5-同形异义词攻击" > < a href = "#5-同形异义词攻击" class = "headerlink" title = "5. 同形异义词攻击" > < / a > 5. 同形异义词攻击< / h3 > < p > 同形异义字是利用IDN中一些非拉丁字符语种的字母与拉丁字符非常相似, 字面看很难区分的特性, 找到对应的字符来实现钓鱼攻击。例如16ვ.com(U+10D5)、16ဒ.com (U+1012)、16ҙ.com (U+0499) 都在一定程度上和163.com有相似性, 基于一些开放的https证书服务这些域名还能取得相应的证书, 进一步增加钓鱼成功的可能性。< br > Punycode是RFC 3492标准设计的编码系统, 用于把Unicode转换为可用的DNS系统的编码, 比如16ҙ.com就会被转成< strong > xn– 16-8tc.com< / strong > , 这在一定程度上可以防止IDN欺骗。< / p >
< h3 id = "6-URL跳转" > < a href = "#6-URL跳转" class = "headerlink" title = "6. URL跳转" > < / a > 6. URL跳转< / h3 > < p > 使用URL跳转可以突破钓鱼软件检测系统。这类钓鱼软件检测系统在检测是否是钓鱼网站或者恶意系统的时候, 检测的是URL, 而并非网站的内容。比如, 从qq邮箱打开一个URL的时候, 会弹出一个网页提示。但并不是所以的网站都会提示, 一些知名网站是不可能做钓鱼网站的, 所以邮箱就不会拦截, 也就是说, 当邮箱碰到不认识的网站的时候才会进行提示。< br > 这样攻击者就可以利用URLt跳转来躲过恶意检测。比如: < strong > < a href = "http://www.baidu.com/page?url=http://www.evil.com" target = "_blank" rel = "noopener" > http://www.baidu.com/page?url=http://www.evil.com< / a > < / strong > < / p >
< h2 id = "参考" > < a href = "#参考" class = "headerlink" title = "参考" > < / a > 参考< / h2 > < p > 2016中国企业邮箱安全性研究报告 < a href = "https://www.anquanke.com/post/id/85416" target = "_blank" rel = "noopener" > https://www.anquanke.com/post/id/85416< / a > < br > PhEmail < a href = "https://github.com/Dionach/PhEmail" target = "_blank" rel = "noopener" > https://github.com/Dionach/PhEmail< / a > < br > 微软: 最新钓鱼技术2019总结 < a href = "https://www.4hou.com/posts/A9oz" target = "_blank" rel = "noopener" > https://www.4hou.com/posts/A9oz< / a > < br > [译] APT分析报告: 02.钓鱼邮件网址混淆URL逃避检测 < a href = "https://blog.csdn.net/Eastmount/article/details/108728139" target = "_blank" rel = "noopener" > https://blog.csdn.net/Eastmount/article/details/108728139< / a > < br > 2017中国企业邮箱安全性 研究报告 < a href = "http://zt.360.cn/1101061855.php?dtid=1101062514&did=491163339" target = "_blank" rel = "noopener" > http://zt.360.cn/1101061855.php?dtid=1101062514& did=491163339< / a > < br > 基于URL跳转与XSS组合利用的钓鱼分析 < a href = "https://xz.aliyun.com/t/6303" target = "_blank" rel = "noopener" > https://xz.aliyun.com/t/6303< / a > < br > IDN Spoof漏洞自动化挖掘 < a href = "https://blog.lyle.ac.cn/2018/12/08/idnfuzz/" target = "_blank" rel = "noopener" > https://blog.lyle.ac.cn/2018/12/08/idnfuzz/< / a > < br > APT杂项篇一种老旧, 但却防不胜防的钓鱼攻击( Punycode 钓鱼攻击)< a href = "https://www.codenong.com/cs106406317/" target = "_blank" rel = "noopener" > https://www.codenong.com/cs106406317/< / a > < br > 钓鱼网站也在使用https加密, 如何识别钓鱼网站? < a href = "https://www.freebuf.com/company-information/208790.html" target = "_blank" rel = "noopener" > https://www.freebuf.com/company-information/208790.html< / a > < br > 恶意邮件智能监测与溯源技术研究 < a href = "https://www.anquanke.com/post/id/172046#h2-0" target = "_blank" rel = "noopener" > https://www.anquanke.com/post/id/172046#h2-0< / a > < br > 钓鱼邮件的投递和伪造 < a href = "https://xz.aliyun.com/t/6325#toc-0、" target = "_blank" rel = "noopener" > https://xz.aliyun.com/t/6325#toc-0、< / a > < br > 用机器学习检测钓鱼网站 < a href = "http://blog.hubwiz.com/2019/09/17/detect-phishing-url/" target = "_blank" rel = "noopener" > http://blog.hubwiz.com/2019/09/17/detect-phishing-url/< / a > < / p >
2019-07-16 09:15:34 +00:00
< / div >
2020-10-21 10:25:01 +00:00
< div >
< div style = "padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;" >
< div > 您的支持将鼓励我继续创作!< / div >
< button id = "rewardButton" disable = "enable" onclick = "var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}" >
< span > 打赏< / span >
< / button >
< div id = "QR" style = "display: none;" >
< div id = "wechat" style = "display: inline-block" >
< img id = "wechat_qr" src = "/images/Wechatpay.png" alt = "Cool-Y 微信支付" >
< p > 微信支付< / p >
< / div >
< div id = "alipay" style = "display: inline-block" >
< img id = "alipay_qr" src = "/images/Alipay.png" alt = "Cool-Y 支付宝" >
< p > 支付宝< / p >
< / div >
2019-07-16 09:15:34 +00:00
< / div >
2020-10-21 10:25:01 +00:00
< / div >
< / div >
2021-04-10 12:03:10 +00:00
< div >
< ul class = "post-copyright" >
< li class = "post-copyright-author" >
< strong > 本文作者:< / strong >
Cool-Y
< / li >
< li class = "post-copyright-link" >
< strong > 本文链接:< / strong >
< a href = "https://cool-y.github.io/2020/10/16/coremail/" title = "DataCon Coremail邮件安全第三题 Writeup" > https://cool-y.github.io/2020/10/16/coremail/< / a >
< / li >
< li class = "post-copyright-license" >
< strong > 版权声明: < / strong >
本博客所有文章除特别声明外,均采用 < a href = "https://creativecommons.org/licenses/by-nc-sa/3.0/" rel = "external nofollow" target = "_blank" > CC BY-NC-SA 3.0< / a > 许可协议。转载请注明出处!
< / li >
< / ul >
< / div >
2020-10-21 10:25:01 +00:00
< footer class = "post-footer" >
< div class = "post-tags" >
< a href = "/tags/钓鱼邮件/" rel = "tag" > # 钓鱼邮件< / a >
< a href = "/tags/phishing-email/" rel = "tag" > # phishing email< / a >
< / div >
< div class = "post-nav" >
< div class = "post-nav-next post-nav-item" >
< a href = "/2019/11/12/web-information-collect/" rel = "next" title = "【web】信息收集" >
< i class = "fa fa-chevron-left" > < / i > 【web】信息收集
< / a >
< / div >
< span class = "post-nav-divider" > < / span >
< div class = "post-nav-prev post-nav-item" >
2021-01-08 04:26:24 +00:00
< a href = "/2021/01/08/Dolphin-Attack/" rel = "prev" title = "Dolphin Attack 论文翻译" >
Dolphin Attack 论文翻译 < i class = "fa fa-chevron-right" > < / i >
< / a >
2020-10-21 10:25:01 +00:00
< / div >
< / div >
< / footer >
< / div >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< / article >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< div class = "post-spread" >
< / div >
< / div >
2019-07-16 09:15:34 +00:00
< / div >
2020-10-21 10:25:01 +00:00
2021-04-10 12:37:40 +00:00
< div class = "comments" id = "comments" >
< div id = "gitalk-container" > < / div >
< / div >
2020-10-21 10:25:01 +00:00
2019-07-16 09:15:34 +00:00
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
< div class = "sidebar-inner" >
2020-10-21 10:25:01 +00:00
< ul class = "sidebar-nav motion-element" >
< li class = "sidebar-nav-toc sidebar-nav-active" data-target = "post-toc-wrap" >
文章目录
< / li >
< li class = "sidebar-nav-overview" data-target = "site-overview-wrap" >
站点概览
< / li >
< / ul >
2019-07-16 09:15:34 +00:00
2020-10-21 10:25:01 +00:00
< section class = "site-overview-wrap sidebar-panel" >
2019-07-16 09:15:34 +00:00
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< img class = "site-author-image" itemprop = "image" src = "/images/avatar.png" alt = "Cool-Y" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
2019-07-24 03:51:42 +00:00
< p class = "site-description motion-element" itemprop = "description" > 没人比我更懂中医#MAGA< / p >
2019-07-16 09:15:34 +00:00
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
2021-04-10 10:53:27 +00:00
< span class = "site-state-item-count" > 30< / span >
2019-07-16 09:15:34 +00:00
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-categories" >
< a href = "/categories/index.html" >
2019-10-15 11:24:26 +00:00
< span class = "site-state-item-count" > 7< / span >
2019-07-16 09:15:34 +00:00
< span class = "site-state-item-name" > 分类< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
2021-04-10 10:53:27 +00:00
< span class = "site-state-item-count" > 55< / span >
2019-07-16 09:15:34 +00:00
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
< div class = "links-of-author motion-element" >
< span class = "links-of-author-item" >
< a href = "https://github.com/Cool-Y" target = "_blank" title = "GitHub" >
< i class = "fa fa-fw fa-github" > < / i > GitHub< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "mailto:cool.yim@whu.edu.cn" target = "_blank" title = "E-Mail" >
< i class = "fa fa-fw fa-envelope" > < / i > E-Mail< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "https://www.instagram.com/yan__han/" target = "_blank" title = "Instagram" >
< i class = "fa fa-fw fa-instagram" > < / i > Instagram< / a >
< / span >
< / div >
2019-10-01 12:45:37 +00:00
< div id = "music163player" >
2021-04-10 12:03:10 +00:00
< iframe frameborder = "no" border = "0" marginwidth = "0" marginheight = "0" width = "330" height = "110" src = "//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90" > < / iframe >
2019-10-01 12:45:37 +00:00
< / div >
2019-07-16 09:15:34 +00:00
< / div >
< / section >
2020-10-21 10:25:01 +00:00
<!-- noindex -->
< section class = "post-toc-wrap motion-element sidebar-panel sidebar-panel-active" >
< div class = "post-toc" >
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#赛题理解" > < span class = "nav-text" > 赛题理解< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#目标" > < span class = "nav-text" > 目标< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#数据" > < span class = "nav-text" > 数据< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#提交规则" > < span class = "nav-text" > 提交规则< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#评分" > < span class = "nav-text" > 评分< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#解题思路" > < span class = "nav-text" > 解题思路< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#1-使用短链接" > < span class = "nav-text" > 1. 使用短链接< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#2-使用十六进制IP地址编码格式进行混淆" > < span class = "nav-text" > 2. 使用十六进制IP地址编码格式进行混淆< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#3-邮件钓鱼测试工具固有特征" > < span class = "nav-text" > 3. 邮件钓鱼测试工具固有特征< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#4-冒充管理员等身份" > < span class = "nav-text" > 4. 冒充管理员等身份< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#5-同形异义词攻击" > < span class = "nav-text" > 5. 同形异义词攻击< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#6-URL跳转" > < span class = "nav-text" > 6. URL跳转< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#参考" > < span class = "nav-text" > 参考< / span > < / a > < / li > < / ol > < / div >
< / div >
< / section >
<!-- /noindex -->
2019-07-16 09:15:34 +00:00
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
2021-01-08 04:26:24 +00:00
< div class = "copyright" > © 2019 — < span itemprop = "copyrightYear" > 2021< / span >
2019-07-16 09:15:34 +00:00
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-area-chart" > < / i >
< / span >
2021-04-10 10:53:27 +00:00
< span title = "Site words total count" > 105.4k< / span >
2019-07-16 09:15:34 +00:00
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< div class = "busuanzi-count" >
< script async src = "//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" > < / script >
< span class = "site-uv" >
< i class = "fa fa-user" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_uv" > < / span >
< / span >
< span class = "site-pv" >
< i class = "fa fa-eye" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_pv" > < / span >
< / span >
< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
< / div >
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
2020-10-21 10:25:01 +00:00
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
2019-07-16 09:15:34 +00:00
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
2021-04-10 12:37:40 +00:00
2021-04-10 12:40:26 +00:00
<!-- LOCAL: You can save these files to your site and update links -->
< link rel = "stylesheet" href = "https://unpkg.com/gitalk/dist/gitalk.css" >
< script src = "https://unpkg.com/gitalk/dist/gitalk.min.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
function renderGitalk(){
var gitalk = new Gitalk({
owner: 'Cool-Y',
repo: 'gitment-comments',
clientID: '180955a2c3ae3d966d9a',
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
admin: 'Cool-Y',
distractionFreeMode: 'true'
});
gitalk.render('gitalk-container');
}
renderGitalk();
< / script >
2019-07-16 09:15:34 +00:00
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
< script > AV . initialize ( "EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz" , "x8FxDrYG79C8YFrTww9ljo8K" ) ; < / script >
< script >
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length ; i + + ) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length ; i + + ) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
< / script >
< script >
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
< / script >
< / body >
< / html >