Reporting Phishing sites

Glenn Steen glenn.steen at gmail.com
Mon Jan 15 18:27:56 CET 2007


On 15/01/07, Peter Bates <Peter.Bates at lshtm.ac.uk> wrote:
>
> Hello all...
>
> This isn't solely a technical question
> but I thought I'd ask it on multiple lists to see what people think.
>
> I'm running MailScanner, with Postfix as the MTA
> and a couple of AV scanners and SpamAssassin.
>
> I've been happy with the results from the Sanesecurity
> additional definitions for ClamAV in detecting phishing and 'scam' sites,
> above and beyond the MS phishing filter.
>
> The emails end up quarantined as Postfix queue files,
> so I do at least have the option of sending them on their way.

Why should you report them if the Sanesecurity people are on it
already? Might be me not seeing something obvious here:-).

> However, what I'd like to do is send on these phishing emails
> to somewhere that might actually do something about the sites in question.
>
> There are sites like 'www.millersmiles.co.uk' or 'www.antiphishing.org'
> which I could potentially forward the messages to.
>
> I'd just be interested to know
>
> - does anyone report phishing sites this way (in the 'war against spam' it seems an easier target)

Rarely, and only such that I "detect" by manual means (meaning it got
past the usual anti-phish checks, or got detected by
MailScanner/reported by a user). Most phishes don't fall into this
category though:-).

> - how would they direct the Postfix queue files to the reporting destination

Short answer: Probably not at all, or (if you send it over to them as
an attachment) with a lot of swearing:-).
You could of course extract the message (and envelope info) via postcat.

Why don't you avoid the whole queue file issue and store them as
RFC822 message files instead? If you happen to combine that with
MailWatch, you don't lose the envelope information... And can still
release it from quarantine in a very simple manner.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
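
An added example, not part of the original message: once a quarantined mail is available as RFC822 text (extracted with postcat, or stored as a message file in the first place, as the reply suggests), it can be sent to a reporting address as a message/rfc822 attachment so its headers arrive intact, with the envelope data stated in the report body. The addresses, the sample message and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: one message already extracted from quarantine as RFC822 text.
SAMPLE_PHISH = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.org (Postfix) with ESMTP id 0123456789\r\n"
    b"\tfor <user@example.org>; Mon, 15 Jan 2007 10:00:00 +0100 (CET)\r\n"
    b'From: "Example Bank" <security@bank.example>\r\n'
    b"To: user@example.org\r\n"
    b"Subject: Please verify your account\r\n"
    b"Message-ID: <constructed-1@mail.example.net>\r\n"
    b"\r\n"
    b"Constructed body text for the example.\r\n"
)


def build_report(raw_message, env_sender, env_rcpts, report_to, report_from):
    """Wrap an extracted message in a report mail as a message/rfc822 part."""
    original = message_from_bytes(raw_message, policy=policy.default)
    if not original.keys():
        # Heuristic: data with no header block (such as a raw queue file
        # instead of the extracted message) parses with zero headers.
        raise ValueError("no RFC822 headers found; extract the message first")

    # The subject is sender-controlled: collapse whitespace before reuse.
    subject = " ".join(str(original.get("Subject", "(no subject)")).split())

    report = EmailMessage()
    report["From"] = report_from
    report["To"] = report_to
    report["Subject"] = "Phishing report: " + subject
    # Envelope data is not in the headers, so state it in the report body.
    report.set_content(
        "Suspected phishing message attached with its full headers.\n"
        f"Envelope sender: {env_sender}\n"
        f"Envelope recipients: {', '.join(env_rcpts)}\n"
    )
    report.add_attachment(original, filename="phish.eml")
    return report


def attached_original(report):
    """Return the attached original message from a report, or None."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None
```

The returned object can be handed to `smtplib.SMTP.send_message()` for delivery to whichever reporting address is in use.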

