Anti-phishing -- was Re: OT: Happy New Year

Julian Field MailScanner at ecs.soton.ac.uk
Wed Dec 31 23:24:07 GMT 2008



On 31/12/08 22:54, Kevin Miller wrote:
> Just a quick note to wish everyone a Happy (and spam free) New Year,
> especially Jules.  Your hard work and giving spirit has certainly made
> the past year much nicer for all of us...
>    
Many thanks!

You might be interested that I've been doing a bit of work with the 
Google-hosted project "anti-phishing-email-reply", which you can find here:
http://code.google.com/p/anti-phishing-email-reply/

My aim was to create a trap for all those nasty spear-phishing attacks 
and those endless "Temporary job offer" spams that some of you will get.

I have created a little script (which is pretty obvious, source code is 
given below) which just generates a list of addresses based on what's in 
their file. I add that to my own list of known troublesome addresses, 
which can have "*" wildcards in them, so you can do things like michael 
loucas * @ gmail . com (extra spaces added to stop my stuff picking up 
that address and killing this message).

I then generate a bunch of SpamAssassin rules from that which detect any 
of these few thousand addresses appearing anywhere in a message, with 
lots of safeguards to protect against false alarms. It also compacts 
them into only a hundred or two rules, instead of having 1 SpamAssassin 
rule for each address!

I then use SpamAssassin Rule Actions to do this:
SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster at ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"

This lot fires whenever any of my SpamAssassin rules fires. It
1) Adds a header "X-ECS-Mail-Access:" containing the list of original 
recipient addresses,
2) Stores a copy of the message
3) Stops delivery to the original recipients
4) Sends a copy to postmaster, where I have a Sieve rule firing on the 
presence of the "X-ECS-Mail-Access:" header to store it in a folder 
without cluttering up postmaster's inbox.

My script, that builds all the SpamAssassin rules, works from a YP/NIS 
map called "mail.access" which contains each email address from the 
google list and my list in the first word of a line, looking like this:
bad at domain.com REJECT
nasty at false.bank.com REJECT
I sort it so that the regular expressions created are more optimal for 
Perl, so it can apply them faster to each message.
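As an added example (not the attached Build.Phishing.Rules script, and not part of the original post), the following Python sketches the list-to-rules step described above: it reads lines in the mail.access format ("address REJECT", comments with "#"), turns "*" wildcards into regex fragments, compacts the addresses into one SpamAssassin rawbody rule per domain instead of one rule per address, and anchors each pattern so that a listed address does not fire on a longer address that merely contains it. The sample addresses, the rule-name prefix PHISH_REPLY, and the score of 5.0 are all assumptions made up for the example.

```python
"""Build compacted SpamAssassin rules from a mail.access-style address list.

Added example; it is not the post's own Build.Phishing.Rules script. It assumes
input lines of the form "<address> REJECT" where the address may contain "*"
wildcards, and emits one rawbody rule per domain (rule names and score are
arbitrary choices for the example).
"""
import re
from collections import defaultdict

# Constructed sample input in the mail.access format described in the post.
SAMPLE_MAP = """\
# comment lines are ignored
bad@domain.example REJECT
nasty@false-bank.example REJECT
worse@domain.example REJECT
michael.loucas*@webmail.example REJECT
"""

# What a "*" wildcard may match: a run of characters that cannot end an address.
WILDCARD_RE = r"[^\s@<>]*"


def parse_map(text):
    """Return the set of addresses (first word of each non-comment line)."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.add(line.split()[0].lower())
    return addrs


def glob_to_regex(s):
    """Escape regex metacharacters and expand "*" wildcards."""
    return WILDCARD_RE.join(re.escape(piece) for piece in s.split("*"))


def split_address(addr):
    """Split addr into (local part, domain); reject anything without an '@'."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError("not an address: %r" % addr)
    return local, domain


def build_rules(addrs, prefix="PHISH_REPLY"):
    """Group addresses by domain and return (rules_text, {rule_name: compiled regex}).

    One rule per domain keeps the rule count near the number of distinct
    domains rather than the number of addresses.
    """
    by_domain = defaultdict(set)
    for addr in addrs:
        local, domain = split_address(addr)
        by_domain[domain].add(glob_to_regex(local))

    rules, patterns = [], {}
    for n, domain in enumerate(sorted(by_domain), 1):
        # Longest alternatives first so a shorter local part never shadows a
        # longer one; sorting also keeps output (and rule names) stable.
        alts = sorted(by_domain[domain], key=lambda s: (-len(s), s))
        # Safeguards against false alarms: nothing address-like may precede the
        # local part or follow the domain, so "bad@domain.example" does not
        # fire on "notbad@domain.example" or "bad@domain.example.org".
        regex = r"(?<![\w.+-])(?:%s)@%s(?![\w.-])" % (
            "|".join(alts), glob_to_regex(domain))
        name = "%s_%03d" % (prefix, n)
        rules.append("rawbody %s /%s/i" % (name, regex))
        rules.append("describe %s Known phishing reply address at %s" % (name, domain))
        rules.append("score %s 5.0" % name)
        patterns[name] = re.compile(regex, re.I)
    return "\n".join(rules) + "\n", patterns


def matches(patterns, message_text):
    """Names of rules whose pattern appears anywhere in message_text."""
    return sorted(name for name, pat in patterns.items() if pat.search(message_text))


if __name__ == "__main__":
    rules_text, pats = build_rules(parse_map(SAMPLE_MAP))
    print(rules_text)
    print(matches(pats, "Please reply to bad@domain.example for the job offer"))
```

The lookbehind and lookahead assertions are the kind of "safeguards" the post mentions; they are supported by Perl's regex engine, which SpamAssassin uses, so the emitted rules drop straight into a local .cf file. Sorting the alternatives by length before joining them is a simple stand-in for the sort the post describes for keeping the generated expressions cheap to apply.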

My script that builds all the SpamAssassin rules is attached.

My script that reads the google list and creates the YP/NIS map from it 
is simply this:

#!/bin/sh
# Fetch the current phishing reply-address list and rebuild the YP/NIS map from it.
echo Fetching phishing addresses...
rm -f /tmp/$$.blocks
/usr/local/bin/wget -O /tmp/$$.blocks \
  http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses \
  >/dev/null 2>&1
echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses

if [ -f /tmp/$$.blocks ]; then
         # Blank out comment lines, keep the address (first comma-separated
         # field), drop duplicates and empty lines, write "address<TAB>REJECT".
         sed -e 's/^#.*$//' < /tmp/$$.blocks | \
         cut -d, -f1 | \
         sort | \
         uniq | \
         grep -v '^$' | \
         awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
         rm -f /tmp/$$.blocks
         # Rebuild the YP/NIS maps so the new mail.access contents take effect.
         cd /opt/yp;
         ./ypmake;
fi

The "ypcat -k mail.access" command at the start of Build.Phishing.Rules 
basically reads my list in addition to the contents of the file 
/opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so 
you can easily convert it to just use a temporary file and do all of 
this lot on the same server. If you aren't using YP/NIS then you 
obviously won't need the "ypmake" command either.

I hope this is of some use to some of you. It traps "Temporary job 
offer" spams and spear-phishing attacks very well indeed.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc



-------------- next part --------------
A non-text attachment was scrubbed...
Name: Build.Phishing.Rules.gz
Type: application/gzip
Size: 974 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081231/134e436d/Build.Phishing.Rules.bin
