how to write an anti-phishing ruleset (and test?)

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 17 17:53:15 GMT 2004

John Wilcock wrote:

>On Wed, 17 Nov 2004 11:51:07 -0500, Jeff A. Earickson wrote:
>
>
>>What would a sample anti-phishing ruleset look like?  Something like:
>>
>>
>
>Julian has answered the specific question.
>
>However this highlights a big problem in the anti-phishing system - you
>can whitelist specific senders using a ruleset, but both the
>envelope-sender and the From: header are trivial to forge.
>
>For example I have a user who receives ebay notices containing a
>mismatched URL - possible fraud attempt from "click2.ebay.com" claiming
>to be www.ebay.fr - but if I set up a ruleset containing
>"From: *@reply.ebay.com no" then any ebay phishing attacks can also get
>through simply by forging the From: address.
>
>One solution would be to whitelist based on the first non-trusted (i.e.
>not a secondary MX) host in the Received: headers, but I don't think
>this is currently possible in MS. In any case it would mean keeping
>track of the outgoing mail hosts for the problem domains. My ebay
>example is currently delivered by camppool*.emailebay.com - yet another
>domain to keep track of.
>
>A better solution IMO would be the ability to whitelist based on the
>actual domain in the URL. I don't care in the slightest if
>click2.ebay.com claims to be www.ebay.fr, but I really don't want
>ebay-phisher.com to get away with the same claim!
>
>John.
>
Does the file need to be any more than a list of hostnames? Do I need to
allow *.domain.com as well? What syntax would you like for this file?
Should it just look like any other ruleset file? It would be interpreted
differently as the "direction" in the rule would be ignored, or it would
only be allowed to be "From". The address pattern would be used to match
the hostname of the real destination of the link; only the hostname bit
of the address pattern would be used.

Its purpose is similar to a normal ruleset, but not quite the same. I
don't want to end up confusing users.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
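A sketch, in Python, of the check John and Julian are discussing (an added example, not MailScanner's own Perl code; the hostname list and its "*.domain" syntax are assumptions): it pulls each link's real destination host out of the HTML, compares it with the host the visible link text claims, and flags the mismatch only when the real host is not covered by a pattern in the list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed hostname list in the style Julian sketches: only the hostname
# part of each entry matters, and "*.domain" also covers the bare domain.
PHISHING_SAFE_HOSTS = ["*.ebay.com", "*.emailebay.com", "www.ebay.fr"]

# Constructed sample: one harmless ebay mismatch, one fraud, one plain link.
SAMPLE = """
<p>Item sold! <a href="http://click2.ebay.com/track?x=1">www.ebay.fr</a></p>
<p>Verify now: <a href="http://ebay-phisher.com/login">www.ebay.fr</a></p>
<p><a href="http://www.ebay.fr/help">Help centre</a></p>
"""

def host_matches(host, pattern):
    """True if host is covered by pattern ("*.ebay.com" or an exact host)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def hostname(text):
    """Hostname of a URL or bare 'www.example.com' string; None for prose."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        if not re.match(r"^[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", text, re.I):
            return None            # "Help centre" is not URL-like
        text = "http://" + text    # scheme-less link text such as www.ebay.fr
    return urlparse(text).hostname

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def check_links(html, safe_hosts):
    """Return (real_host, claimed_host) for each mismatched, untrusted link."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        real, claimed = hostname(href or ""), hostname(text)
        if real is None or claimed is None or real == claimed:
            continue                       # not a mismatched URL at all
        if any(host_matches(real, pat) for pat in safe_hosts):
            continue                       # real destination is whitelisted
        suspicious.append((real, claimed))
    return suspicious
```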