phishing sites: local and remote
David Lee
t.d.lee at durham.ac.uk
Thu Feb 5 12:47:54 GMT 2009
On Wed, 4 Feb 2009, Martin Hepworth wrote:
> 2009/2/4 David Lee <t.d.lee at durham.ac.uk>:
>> [...]
>> Is it possible to run such an antiphishing config, comprising both Julian's
>> standard set and a local component?
>>
>> If not, might it be a worthwhile addition?
>
> David
>
> wasn't there something on the list a couple of weeks ago about anti-spear
> phishing stuff Jules is mulling about with?? Or am I dreaming about
> MailScanner again ;-)
There was, indeed, Martin. (Unless we're both dreaming.) I suspect you
mean setting up and installing various bits and pieces to do with
Sanesecurity phishing signatures into ClamAV.
My suggestion above was complementary to that. Each covers parts the
other cannot reach. So there is a case for examining a both/and rather
than either/or. A particular site may prefer one. Another site might
prefer the other. Yet another site might choose both.
ClamAV/Sanesecurity channel:
1. Hooks into ClamAV. No good if site doesn't/can't have ClamAV.
2. User-presentation: Gets it treated and processed as a virus. (Sites may
have different preferences, and understandably.) Good for sites (e.g.
of vulnerable people) where policy is to guard against anything even
vaguely suspicious.
3. The data comes from a non-local source.
MS/phishing data: (Julian's daily stuff with local mods):
1. Hooks into MS directly. (Don't need ClamAV, if site really doesn't
want it.)
2. User-presentation: This phishing attack gets treated in MS's standard
phishing manner: deliver big red warning etc. Good for sites whose
policy is strenuous avoidance of false-positives ("if there is any
chance (even 0.01%) that the email is good, we must deliver").
3. Data can be rapidly and easily hand tailored to suit local oddities
and peculiarities. (e.g. pattern matching of good/bad URLs based on
own, peculiar, local set of domains).
Hope that helps think around these two different but overlapping and
complementary angles.
--
: David Lee, Senior Systems Programmer, UNIX Team Leader :
: I.T. Service, Computer Centre, Durham University :
: South Road, Durham DH1 3LE, U.K. :
: http://www.dur.ac.uk/t.d.lee/ Phone: +44 191 334 2752 :
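An added illustration of the both/and arrangement described above: a distributed "standard set" of safe/bad sites merged with a local component, then applied to the links in a message in the way MailScanner's phishing check treats them (a link is flagged when its target is a listed bad site, or when the visible link text names a different host from the real target, unless the target is a listed safe site). This is example code written for this page, not MailScanner's, Julian's or Sanesecurity's code. The list syntax (one host per line, `#` comments, a `*.` wildcard prefix), the host names and the HTML message are constructed assumptions modelled on the phishing.safe.sites / phishing.bad.sites files.

```python
"""Merge a distributed phishing safe/bad site list with a local component and
apply it to the links in a message.  Example code for this thread, not
MailScanner's own.  List syntax (host per line, '#' comments, '*.' wildcard
prefix) is an assumption modelled on phishing.safe.sites / phishing.bad.sites."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lists: the "standard set" as it might be distributed daily,
# plus a local component the site maintains by hand.
STANDARD_SAFE = """
# links to these hosts are never flagged, even if the visible text differs
*.paypal.com
www.google.com
"""
STANDARD_BAD = """
# hosts seen in live phishing campaigns
secure-login.example.net
"""
LOCAL_SAFE = """
# local peculiarity: our own webmail redirector rewrites every outbound link
*.dur.example
"""
LOCAL_BAD = """
# local addition: a lookalike of our own domain used in spear phishing
dur-example.example.org
"""

# Constructed sample message body exercising each rule.
SAMPLE_HTML = """
<p>Dear user, <a href="http://secure-login.example.net/pp">www.paypal.com</a></p>
<p>Visit <a href="http://www.paypal.com/x">www.paypal.com</a> (fine)</p>
<p><a href="http://webmail.dur.example/r?u=1">www.bank.example</a> (local redirector)</p>
<p><a href="http://dur-example.example.org/">Durham login</a></p>
<p><a href="http://evil.example/l">http://www.bank.example/login</a></p>
"""


def parse_list(text):
    """Return (exact_hosts, wildcard_suffixes) from one list file."""
    exact, wild = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("*."):
            wild.add(line[1:])          # keep the ".example.com" suffix
        else:
            exact.add(line)
    return exact, wild


def merge(*texts):
    """Union several list files (standard set + local component)."""
    exact, wild = set(), set()
    for t in texts:
        e, w = parse_list(t)
        exact |= e
        wild |= w
    return exact, wild


def matches(host, lst):
    exact, wild = lst
    host = host.lower()
    return host in exact or any(host.endswith(w) for w in wild)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or of a bare 'www.host.tld/...' string."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_host(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text) is not None


def check_links(html, safe, bad):
    """Return [(href, reason)] for links that should be flagged."""
    p = LinkCollector()
    p.feed(html)
    flagged = []
    for href, text in p.links:
        h = host_of(href)
        if matches(h, bad):                 # bad list wins over safe list
            flagged.append((href, "bad site"))
        elif matches(h, safe):
            continue
        elif looks_like_host(text) and host_of(text) != h:
            flagged.append((href, "link text %s does not match target %s"
                            % (host_of(text), h)))
    return flagged


def analyse(html, use_local=True):
    """Run the check with, or without, the local component merged in."""
    safe = merge(STANDARD_SAFE, LOCAL_SAFE) if use_local else merge(STANDARD_SAFE)
    bad = merge(STANDARD_BAD, LOCAL_BAD) if use_local else merge(STANDARD_BAD)
    return check_links(html, safe, bad)


if __name__ == "__main__":
    for use_local in (False, True):
        print("with local component:" if use_local else "standard set only:")
        for href, reason in analyse(SAMPLE_HTML, use_local):
            print("  %-40s %s" % (href, reason))
```

Running it with and without the local component shows the two effects the message is after: the local safe entry stops the site's own redirector being flagged as a text/target mismatch (a local oddity no distributed list can know about), and the local bad entry catches the lookalike domain before it reaches the standard set. The bad list deliberately takes precedence over the safe list; a site that wants a local safe entry to override a distributed bad entry would reverse the first two tests.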