phishing sites: local and remote
t.d.lee at durham.ac.uk
Thu Feb 5 12:47:54 GMT 2009
On Wed, 4 Feb 2009, Martin Hepworth wrote:
> 2009/2/4 David Lee <t.d.lee at durham.ac.uk>:
>> Is it possible to run such an antiphishing config, comprising both Julian's
>> standard set and a local component?
>> If not, might it be a worthwhile addition?
> wasn't there something on the list a couple of weeks about anti-spear
> phishing stuff Jules is muling about with?? Or am I dreaming about
> MailScanner again ;-)
There was, indeed, Martin. (Unless we're both dreaming.) I suspect you
mean setting up and installing various bits and pieces to do with
Sanesecurity phishing signatures into ClamAV.
My suggestion above was complementary to that. Each covers parts the
other cannot reach. So there is a case for examining a both/and rather
than either/or. A particular site may prefer one. Another site might
prefer the other. Yet another site might choose both.
1. Hooks into ClamAV. No good if site doesn't/can't have ClamAV.
2. User-presentation: Gets it treated and processed as a virus. (Sites may
have different preferences, and understandably.) Good for sites (e.g.
of vulnerable people) where policy is to guard against anything even
3. The data comes from a non-local source.
MS/phishing data: (Julian's daily stuff with local mods):
1. Hooks into MS directly. (Don't need ClamAV, if site really doesn't
2. User-presentation: This phishing attack gets treated in MS's standard
phishing manner: deliver big red warning etc. Good for sites whose
policyis strenuous avoidance of false-positives ("if there is any
chance (even 0.01%) that the email is good, we must deliver").
3. Data can be rapidly and easily hand tailored to suit local oddities
and peculiarities. (e.g. pattern matching of good/bad URLs based on
own, peculiar, local set of domains).
Hope that helps think around these two different but overlapping and
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: UNIX Team Leader Durham University :
: South Road :
: http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :
More information about the MailScanner