Phishing fraud undetected
Randal, Phil
prandal at herefordshire.gov.uk
Thu Mar 16 16:01:38 GMT 2006
Steve Basford has a ClamAV phishing database over at
http://www.sanesecurity.com/clamav/
Dennis Davis at the University of Bath wrote a script to fetch it -
here's my version:
------------------
#!/bin/sh
# Shell script to fetch and update Steve Basford's anti-phishing
# database. Note this is fetched via HTTP. So we'll need to set a
# proxy on machines that don't have direct web access.
#
# DHD March 2006

set -a # probably not needed.

curl=/usr/bin/curl
mv=/bin/mv
rm=/bin/rm

#http_proxy='wwwcache.bath.ac.uk:3128' # Proxy set.
#DHD#http_proxy= # No proxy.

tmpbase=/tmp
tmpdir=$tmpbase/anti-phishing.$$
clamdir=/usr/local/share/clamav
phish_db=phish.ndb
phish_reference=$clamdir/$phish_db
phish_file=http://www.sanesecurity.com/clamav/$phish_db

# Work in a private scratch directory that is removed on exit.
mkdir "$tmpdir" || exit 1
trap "$rm -rf $tmpdir; trap 0" 0 1 2 15
cd "$tmpdir" || exit 1

# -z: only download if newer than the installed copy.
# -f: do not save the body of an HTTP error response, so an error
#     page never replaces the database.
$curl --compressed -f -x "$http_proxy" -O -R -s \
    -z "$phish_reference" "$phish_file"

# Install and reload only if a non-empty file was actually fetched.
if [ -s "$tmpdir/$phish_db" ]
then
    $mv -f "$tmpdir/$phish_db" "$clamdir"
    service MailScanner reload
fi

exit 0
------------------
Cheers,
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of dnsadmin 1bigthink.com
> Sent: 16 March 2006 15:34
> To: MailScanner discussion
> Subject: Re: Phishing fraud undetected
>
> At 09:07 AM 3/16/2006, you wrote:
>
> >Hello all,
> >
> >This morning I came across the following HTML code that was not picked
> >up by MS:
> >
> >>To ensure that your service is not interrupted,
> >>
> >>please update
> >>your account information today<font
> >>
> >>color="#000099"><a
> >>
> >>href=" https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">
> >></a> </font>
> >></font><b><font face="Arial, Helvetica, sans-serif"> <a
> >>
> >>href="http://lasvegasy.web.lowfathost.com/PayPal-Update/PayPal/update.htm"></u></font> <font style="FONT-SIZE: 9pt" color="#ff4040"><u>by
> >>clicking here.</a></font>
> >
> >I find it strange that there are 2 <A HREF=...> in a row but the second
> >one is clearly a phishing attempt. Is it because the URL does not
> >start with www?
> >
> >I'm using MS 4.50.10-1.
> >
> >Thanks!
> >
> >Denis
> Hello Denis,
>
> Report to http://cgi.clamav.net/sendvirus.cgi
>
> They've accepted and incorporated my phishing reports in the past.
>
> Cheers,
> Glenn
>
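
The fetch script in this message moves any non-empty download into the ClamAV directory. The following is an added example, not part of the original post or of Dennis Davis's script: it checks a fetched file line by line before renaming it into place. The function names, the sample signatures and the assumed .ndb line layout (Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]) are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): check a fetched .ndb file
# before it replaces the live one. Assumes the ClamAV extended-signature
# layout Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]].

NDB_LINE='^[^:]+:[0-9]+:[^:]+:[][0-9A-Fa-f?*(){}|!-]+(:[0-9]+){0,2}$'

# valid_ndb FILE: succeed only if FILE is non-empty and every line matches.
valid_ndb() {
    [ -s "$1" ] || return 1
    if grep -q -v -E "$NDB_LINE" "$1"; then
        return 1          # at least one line is not a signature
    fi
    return 0
}

# install_ndb NEW DESTDIR: validate, then copy and rename inside DESTDIR
# so a scanner never opens a half-written database.
install_ndb() {
    name=$(basename "$1")
    valid_ndb "$1" || { echo "rejected: $1" >&2; return 1; }
    cp "$1" "$2/.$name.new" && mv -f "$2/.$name.new" "$2/$name"
}

# Constructed sample data: one well-formed file, one proxy error page.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/good" "$d/bad" "$d/live"
    printf '%s\n' \
        'Html.Phishing.Sample-1:3:*:70617970616c{1-20}7570646174652e68746d' \
        'Html.Phishing.Sample-2:3:*:6c6f67696e??(2e|2f)' > "$d/good/phish.ndb"
    printf '%s\n' '<html><body>502 Bad Gateway</body></html>' \
        > "$d/bad/phish.ndb"
    r_good=0; install_ndb "$d/good/phish.ndb" "$d/live" || r_good=$?
    r_bad=0;  install_ndb "$d/bad/phish.ndb" "$d/live" 2>/dev/null || r_bad=$?
    # The live copy must still be the good file after the rejected update.
    r_same=0; cmp -s "$d/good/phish.ndb" "$d/live/phish.ndb" || r_same=$?
    rm -rf "$d"
    echo "$r_good $r_bad $r_same"
}

demo   # prints "0 1 0"
```

The format check only establishes that the file looks like a signature database; it says nothing about who produced it.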