how to write an anti-phishing ruleset (and test?)

John Wilcock john at TRADOC.FR
Wed Nov 17 17:28:18 GMT 2004



On Wed, 17 Nov 2004 11:51:07 -0500, Jeff A. Earickson wrote:
> What would a sample anti-phishing ruleset look like?  Something like:

Julian has answered the specific question. 

However, this highlights a big problem in the anti-phishing system - you
can whitelist specific senders using a ruleset, but both the
envelope-sender and the From: header are trivial to forge.

For example I have a user who receives ebay notices containing a
mismatched URL - possible fraud attempt from "click2.ebay.com" claiming
to be www.ebay.fr - but if I set up a ruleset containing
"From: *@reply.ebay.com no" then any ebay phishing attacks can also get
through simply by forging the From: address. 

One solution would be to whitelist based on the first non-trusted (i.e.
not a secondary MX) host in the Received: headers, but I don't think
this is currently possible in MS. In any case it would mean keeping
track of the outgoing mail hosts for the problem domains. My ebay
example is currently delivered by camppool*.emailebay.com - yet another
domain to keep track of.

A better solution IMO would be the ability to whitelist based on the
actual domain in the URL. I don't care in the slightest if
click2.ebay.com claims to be www.ebay.fr, but I really don't want
ebay-phisher.com to get away with the same claim!

John.

-- 
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
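The check John proposes in the last paragraph - judge a link by the domain it really points to, not by the From: header and not by the text it displays - can be expressed in a few lines. The following is an added example, not John's code and not part of MailScanner: it walks the anchors in an HTML body, compares the host shown in the link text with the host in the href, and consults a whitelist keyed on the actual href domain. The whitelist, the sample message body and the "registrable domain" helper (which crudely takes the last two labels; real code should use a public-suffix list) are constructed here; the ebay hostnames are the ones from the message above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist keyed on the ACTUAL domain the href resolves to. Nothing here
# looks at From: or the envelope sender, which are trivially forged.
# Constructed for this example; not a MailScanner configuration directive.
TRUSTED_LINK_DOMAINS = {"ebay.com", "ebay.fr"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname from an href; tolerates a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    # Crude approximation: last two labels. Use a public-suffix list in
    # production, otherwise co.uk-style domains are handled wrongly.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def displayed_host(text):
    """Host the link text claims to be, or None if it shows no host at all."""
    m = _HOST_RE.search(text)
    return m.group(1).lower() if m else None


def check_links(html):
    """Return a list of (actual_host, claimed_host, verdict) per anchor.

    ok                    - text shows no host, or it agrees with the href
    mismatch-whitelisted  - hosts differ, but the href domain is trusted
    mismatch-suspect      - hosts differ and the href domain is not trusted
    """
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.anchors:
        actual = host_of(href)
        claimed = displayed_host(text)
        if claimed is None or registrable(claimed) == registrable(actual):
            verdict = "ok"
        elif registrable(actual) in TRUSTED_LINK_DOMAINS:
            verdict = "mismatch-whitelisted"
        else:
            verdict = "mismatch-suspect"
        results.append((actual, claimed, verdict))
    return results


# Constructed sample body: the legitimate mismatch from the message, a
# phisher making the same claim, an honest link, and a link with no host text.
SAMPLE_BODY = """
<p>Your item sold.</p>
<a href="http://click2.ebay.com/track?id=1">www.ebay.fr</a>
<a href="http://ebay-phisher.com/login">www.ebay.fr</a>
<a href="http://www.ebay.fr/help">www.ebay.fr</a>
<a href="http://example.net/">Click here</a>
"""

if __name__ == "__main__":
    for actual, claimed, verdict in check_links(SAMPLE_BODY):
        print(f"{verdict:22} href={actual} text={claimed}")
```

Because the decision keys on the href domain, click2.ebay.com is allowed to claim www.ebay.fr while ebay-phisher.com making the identical claim is flagged, and forging the From: line changes nothing. Plain-text mail with bare URLs needs a separate pass, since there is no displayed-versus-actual pair to compare.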
