4.35.9: phishing fraud syslogs

Jeff A. Earickson jaearick at COLBY.EDU
Wed Nov 3 21:24:08 GMT 2004


Yes, these complaints get flagged too.  I just went and edited
filename.rules.conf and globally changed "attack" to "hack" to
shut up logcheck.  I've been meaning to do this...  Thanks.

Jeff

On Wed, 3 Nov 2004, Gregg Berkholtz wrote:

> Date: Wed, 3 Nov 2004 05:41:39 -0800
> From: Gregg Berkholtz <gregg at GBCOMPUTERS.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: 4.35.9: phishing fraud syslogs
>
> Don't entries like "Filename Checks: Possible MS-Dos program
> shortcut attack" also get flagged by logcheck too? How have you
> addressed that issue, do you just remove the word "attack" from the
> etc/filename.rules.conf entries?
>
> Gregg
>
> On Tue, Nov 02, 2004 at 09:23:08AM -0500, Jeff A. Earickson wrote:
>> Julian,
>>
>> Also, please remove the word "attack" from this line when you
>> tweak it, eg:
>>
>> Found phishing fraud in iA25FnB7002189 from http://(etc)
>>
>> My syslog summarizer (logcheck,
>> http://www.smittyware.com/contrib/psionic.php/) generates lots
>> of complaints when it sees the word "attack" in the syslog.
>> Thanks.
>>
>> Jeff
>>
>> On Tue, 2 Nov 2004, Jeff A. Earickson wrote:
>>
>>> Date: Tue, 2 Nov 2004 07:15:34 -0500
>>> From: Jeff A. Earickson <jaearick at colby.edu>
>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: 4.35.9: phishing fraud syslogs
>>>
>>> Julian,
>>>
>>> Please tweak the syslog message for phishing fraud to include
>>> the message ID, something like:
>>>
>>> Found phishing fraud attack in iA25FnB7002189 from http://(etc)
>>>
>>> The message ID is always important when grepping the syslog.
>>> Thanks.
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>
>

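The thread above turns on two points: a keyword summarizer such as logcheck flags any syslog line containing "attack", and grepping MailScanner's syslog is only useful when each line carries the message ID. The script below is an added illustration written for this archive page; it is not code from the thread, from MailScanner or from logcheck. It parses a handful of constructed syslog lines shaped like the ones quoted in the thread (the lines, the regular expressions and the field names are this example's own assumptions, not MailScanner's documented format) and contrasts a bare keyword match with a structured parse keyed on the message ID, then shows that rewording "attack" to "hack", as Jeff did in filename.rules.conf, silences the keyword match without losing anything from the structured view.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample syslog lines (not captured from a real server), shaped
# like the MailScanner lines quoted in the thread: the phishing line in the
# form Jeff asked for (message ID present, no "attack") and a filename-check
# line that still contains the word "attack". The sshd line is noise.
SAMPLE_SYSLOG = """\
Nov  3 09:12:41 mailhost MailScanner[12345]: Found phishing fraud in iA25FnB7002189 from http://example.invalid/login
Nov  3 09:12:42 mailhost MailScanner[12345]: Filename Checks: Possible MS-Dos program shortcut attack (readme.pif) in iA25FnB7002190
Nov  3 09:13:05 mailhost MailScanner[12345]: Message iA25FnB7002191 was scanned and is clean
Nov  3 09:14:17 mailhost sshd[222]: Accepted publickey for alice from 192.0.2.10 port 51234
"""

# Patterns written for the constructed line shapes above; the group names
# ("msgid", "url", "reason") are this example's own, not MailScanner's.
PHISHING_RE = re.compile(
    r"MailScanner\[\d+\]: Found phishing fraud in (?P<msgid>\S+) from (?P<url>\S+)"
)
FILENAME_RE = re.compile(
    r"MailScanner\[\d+\]: Filename Checks: (?P<reason>.+) in (?P<msgid>\S+)$"
)


def keyword_hits(lines: Iterable[str], keyword: str = "attack") -> List[str]:
    """Bare substring match: roughly what a keyword summarizer like logcheck
    does, which is why "shortcut attack" lines keep showing up in reports."""
    return [line for line in lines if keyword in line.lower()]


def parse_mailscanner(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Structured parse keyed on the message ID rather than on a keyword.
    Lines that match neither pattern (clean messages, non-MailScanner
    daemons) are skipped."""
    records: List[Dict[str, str]] = []
    for line in lines:
        m = PHISHING_RE.search(line)
        if m:
            records.append({"kind": "phishing", "msgid": m["msgid"], "detail": m["url"]})
            continue
        m = FILENAME_RE.search(line)
        if m:
            records.append({"kind": "filename", "msgid": m["msgid"], "detail": m["reason"]})
    return records


def records_for(records: List[Dict[str, str]], msgid: str) -> List[Dict[str, str]]:
    """The grep-by-message-ID use case from the thread."""
    return [r for r in records if r["msgid"] == msgid]


def reword(lines: Iterable[str], old: str = "attack", new: str = "hack") -> List[str]:
    """Simulates the effect of Jeff's global edit of filename.rules.conf on
    the lines MailScanner would subsequently log (hypothetical helper)."""
    return [line.replace(old, new) for line in lines]


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print("keyword hits before rewording:", len(keyword_hits(lines)))
    print("keyword hits after rewording: ", len(keyword_hits(reword(lines))))
    for rec in parse_mailscanner(reword(lines)):
        print(f'{rec["msgid"]}: {rec["kind"]} ({rec["detail"]})')
```

The structured parse returns the same two records before and after the rewording, while the keyword count drops from one to zero; that is the practical argument for anchoring log review on message IDs and line shapes rather than on loaded words in free text.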