4.35.9: phishing fraud syslogs

Gregg Berkholtz gregg at GBCOMPUTERS.COM
Wed Nov 3 13:41:39 GMT 2004


Don't entries like "Filename Checks: Possible MS-Dos program
shortcut attack" also get flagged by logcheck too? How have you
addressed that issue, do you just remove the word "attack" from the
etc/filename.rules.conf entries?

Gregg

On Tue, Nov 02, 2004 at 09:23:08AM -0500, Jeff A. Earickson wrote:
> Julian,
>
> Also, please remove the word "attack" from this line when you
> tweak it, eg:
>
> Found phishing fraud in iA25FnB7002189 from http://(etc)
>
> My syslog summarizer (logcheck,
> http://www.smittyware.com/contrib/psionic.php/) generates lots
> of complaints when it sees the word "attack" in the syslog.
> Thanks.
>
> Jeff
>
> On Tue, 2 Nov 2004, Jeff A. Earickson wrote:
>
> >Date: Tue, 2 Nov 2004 07:15:34 -0500
> >From: Jeff A. Earickson <jaearick at colby.edu>
> >Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: 4.35.9: phishing fraud syslogs
> >
> >Julian,
> >
> >Please tweak the syslog message for phishing fraud to include
> >the message ID, something like:
> >
> >Found phishing fraud attack in iA25FnB7002189 from http://(etc)
> >
> >The message ID is always important when grepping the syslog.
> >Thanks.
> >
> >Jeff Earickson
> >Colby College
> >
> >------------------------ MailScanner list ------------------------
> >To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >'leave mailscanner' in the body of the email.
> >Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
>

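The thread raises two separate log-handling points: a keyword summarizer such as logcheck fires on any line containing "attack" (including MailScanner's own detection messages), and a syslog line is only useful for correlation when it carries the message ID. The following added example (my own code, not from the thread, from MailScanner or from logcheck) simulates both. The syslog lines are constructed for this example, and the split into "violation" keyword patterns and "ignore" patterns is modelled on the structure of logcheck's pattern files as I understand them (an assumption); the point is that the MailScanner lines can be filtered out at the summarizer side, instead of editing the wording in filename.rules.conf.

```python
import re

# Constructed sample syslog lines in MailScanner/sendmail style (not real log data).
SAMPLE_SYSLOG = [
    "Nov  3 08:12:01 mx1 MailScanner[4123]: Found phishing fraud attack in iA25FnB7002189 from http://example.invalid/login",
    "Nov  3 08:12:02 mx1 MailScanner[4123]: Filename Checks: Possible MS-Dos program shortcut attack (readme.lnk) in iA25FnC7002190",
    "Nov  3 08:12:03 mx1 sshd[5120]: Failed password for invalid user admin from 192.0.2.10 port 50222 ssh2",
    "Nov  3 08:12:04 mx1 MailScanner[4123]: Message iA25FnB7002189 from 192.0.2.20 (sender@example.invalid) to example.org is spam",
]

# Keyword patterns in the spirit of a logcheck "violations" list (assumed shape,
# not copied from a real logcheck installation). Note the bare word "attack".
VIOLATION_PATTERNS = [r"attack", r"Failed password", r"denied"]

# Ignore patterns that suppress MailScanner's own detection messages so they do not
# surface as host-level "attacks". These lines are still in syslog and can be
# reported separately; they are just kept out of the violations summary.
MAILSCANNER_IGNORE = [
    r"MailScanner\[[0-9]+\]: Found phishing fraud",
    r"MailScanner\[[0-9]+\]: Filename Checks: ",
]

# sendmail-style queue IDs (e.g. iA25FnB7002189) after "in" or "Message".
MSGID_RE = re.compile(r"\b(?:in|Message) ([A-Za-z0-9]{14})\b")


def logcheck_report(lines, violation_patterns, ignore_patterns=()):
    """Return the lines a keyword summarizer would report.

    A line is reported when it matches any violation pattern (case-insensitive,
    as "attack" vs "Attack" should not matter) and no ignore pattern.
    """
    violations = [re.compile(p, re.IGNORECASE) for p in violation_patterns]
    ignores = [re.compile(p) for p in ignore_patterns]
    reported = []
    for line in lines:
        if not any(v.search(line) for v in violations):
            continue
        if any(i.search(line) for i in ignores):
            continue
        reported.append(line)
    return reported


def extract_msgid(line):
    """Return the MailScanner/sendmail message ID in a syslog line, or None."""
    match = MSGID_RE.search(line)
    return match.group(1) if match else None


def grep_by_msgid(lines, msgid):
    """Return every syslog line that refers to the given message ID.

    This is what the thread is asking for: once the phishing line carries the
    ID, it can be tied back to the delivery/spam lines for the same message.
    """
    return [line for line in lines if extract_msgid(line) == msgid]


if __name__ == "__main__":
    print("Without ignore rules (MailScanner lines show up as 'attacks'):")
    for line in logcheck_report(SAMPLE_SYSLOG, VIOLATION_PATTERNS):
        print("  ", line)
    print("With MailScanner ignore rules:")
    for line in logcheck_report(SAMPLE_SYSLOG, VIOLATION_PATTERNS, MAILSCANNER_IGNORE):
        print("  ", line)
    print("All lines for iA25FnB7002189:")
    for line in grep_by_msgid(SAMPLE_SYSLOG, "iA25FnB7002189"):
        print("  ", line)
```

Run as a script, the first report lists both MailScanner lines alongside the genuine sshd failure; adding the two ignore patterns leaves only the sshd line, without touching the MailScanner rule wording. The last section shows why the message ID matters: the phishing detection and the later spam verdict for the same message can be pulled out together only because both lines carry iA25FnB7002189.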
