MCP newbie question

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Mon May 15 22:17:54 IST 2006


Kai Schaetzl wrote:
> Denis Beauchemin wrote on Mon, 15 May 2006 15:50:50 -0400:
>
>   
>> I already use Clam + www.sanesecurity.com Clam phishing sigs.  I thought 
>> this would make the emails detected as viruses and thus destroyed.  But 
>> my users are still complaining about phishing attempts (most of them in 
>> French). 
>>     
>
> I see, it's very much possible that French gets mostly thru undetected (as 
> other languages probably as well).
>
>   
>>  
>> My users would like me to delete these emails before they even reach 
>> them.  That's why I inquired about MCP. 
>>     
>
> Maybe I misunderstood your sentence "I would like to receive copies of 
> emails without the end-users even knowing about it." That indicated to me 
> that you want them to receive the mail like normal, but you want a copy (so 
> you can test if your filter rules would work). What you actually want is to add 
> extra rules that catch more phishing, especially in French, than now gets 
> caught? Is that correct? Then I wonder why you want to use MCP for this. 
> MCP is an *extra* spamassassin run with a different ruleset. Why not just 
> add your extra rules to your first spamassassin run?
>
>   
>>  
>> What would MailWatch do for me?  I want to be able to look at the emails 
>> to create new SA rules that would make the phishing attempts go to the 
>> bit bucket. I think MW would just give me the same info I already have 
>> in my maillog, which lacks the message body.
>>     
>
> No, it gives you just that what you want if you let MailScanner store all 
> messages in the quarantine. And, frankly, even without the bodies there's 
> quite much more you see/get with Mailwatch than what's in your maillog. Try 
> it. Deleting messages is scary in my eyes, anyway. You *will* get false 
> positives. By using a quarantine you avoid the problem that you may delete 
> false positives.
>
> Kai
>
>   
Kai,

You understood correctly the FIRST time.  I don't have any SA rule right 
now that catches the phishing attempts.  I would like to be able to look 
at emails with strings such as "banque royale", "CIBC", etc., which are 
our local bank names.

Of course I could not block all emails with these strings.  But if I can 
get hold of all emails with these strings I will be able to write SA 
rules that will delete the phishing emails targeted to those banks.

And I don't want to archive all emails that come into my servers because 
we process more than 80K messages/day.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045
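
The selection step discussed in this message, as an added example that is not part of the original post and is not MailScanner or MCP configuration: it picks out only messages that name a watched bank, after decoding MIME transfer encodings that a plain search over the raw message would miss. The function names, addresses and sample messages are constructed for illustration; only the two bank names come from the post.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Watch list: the two bank names quoted in the post.
BANK_KEYWORDS = ["banque royale", "CIBC"]


def normalize(text):
    """Lower-case, strip accents, collapse whitespace ('Banque  Royale' matches)."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def matched_keywords(raw_message, keywords=BANK_KEYWORDS):
    """Return watch-list entries found in the subject or any decoded text part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())  # undoes base64 / quoted-printable
        except (LookupError, ValueError):
            # Unknown or broken charset: fall back to a lossy decode.
            chunks.append((part.get_payload(decode=True) or b"").decode("latin-1"))
    haystack = normalize(" ".join(chunks))
    return [k for k in keywords if normalize(k) in haystack]


def build_sample(subject, body):
    """Constructed test message; base64 keeps the body text out of the raw bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body, charset="utf-8", cte="base64")
    return m.as_bytes()


if __name__ == "__main__":
    phish = build_sample("Sécurité de votre compte",
                         "Cher client de la Banque  Royale, confirmez votre accès.")
    other = build_sample("Réunion de mardi", "Ordre du jour en pièce jointe.")
    for name, raw in (("phish", phish), ("other", other)):
        print(name, b"Banque" in raw, matched_keywords(raw))
```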

