New phishing strategy

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Tue Feb 6 15:47:28 CET 2007


Drew

The most effective way to deal with bogus URIs is to reject mail, during the SMTP  exchange, that contains such URIs. You do this using SURBLs (Spam URI Real Time Block Lists), which detect bad URIs in the message body, in much the same way that you reject mail if the sending IP is listed in a DNSBL. For more info on SURLs see http://www.surbl.org/.

Your MTA needs to be able to access one or more SURBLs and act on their results. In the case of Sendmail you can do this easily with an appropriate milter. We use the excellent "milter-link" milter from SnertSoft (see http://www.milter.info/).

Quentin 

>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info 
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ian
>Sent: 06 February 2007 13:50
>To: MailScanner discussion
>Subject: Re: New phishing strategy
>
>On 6 Feb 2007 at 7:31, Drew Burchett wrote:
>
>> The attached email is an example of a number of recent 
>phishing attempts that my users and I 
>> have been receiving over the past several days. As you can 
>see, it isn´t like your normal phishing 
>> attempt because the link that it´s sending you to isn´t 
>masked by another link in any way. This 
>> allows it to slip right through MailScanner´s phishing 
>filter. The site seems to have been already 
>> taken down, and I´ve fed these into my spam filter to 
>identify them as spam, but I´m wondering if 
>> there´s anything else that can be done within mailscanner or 
>spamassassin to stop them?
>
>Hi,
>
>Not really as this would rely on MailScanner knowing that the 
>Heritage Bank's website is 
>'bankwithheritage.com' and not bankwith-heritage.com. 
>MailScanner can only detect that the 
>title of the link doesn't match the target.
>
>Your best course of action is to educate users not to trust 
>anything sent in an email, no 
>matter what it is.  If in any doubt they should pick up a 
>printed phone book, look up the 
>number for their financial institution, call and ask.
>
>Regards
>
>Ian
>-- 
>
>-- 
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website! 
>


More information about the MailScanner mailing list