Anti-phishing -- was Re: OT: Happy New Year

Brent Addis brent.addis at
Thu Jan 1 23:21:42 GMT 2009

Awesome Julian, I've been looking for something that would catch those.

I'll stick it on our testbed tonight

On Wed, 2008-12-31 at 23:24 +0000, Julian Field wrote:

> On 31/12/08 22:54, Kevin Miller wrote:
> > Just a quick note to wish everyone a Happy (and spam free) New Year,
> > especially Jules.  Your hard work and giving spirit has certainly made
> > the past year much nicer for all of us...
> >    
> Many thanks!
> You might be interested I've been doing a bit of work with the 
> Google-hosted project "anti-phishing-email-reply" which you can find here:
> My aim was to create a trap for all those nasty spear-phishing attacks 
> and those endless "Temporary job offer" spams that some of you will get.
> I have created a little script (which is pretty obvious, source code is 
> given below) which just generates a list of addresses based on what's in 
> their file. I add that to my own list of known troublesome addresses, 
> which can have "*" wildcards in them, so you can do things like michael 
> loucas * @ gmail . com (extra spaces added to stop my stuff picking up 
> that address and killing this message).
> I then generate a bunch of SpamAssassin rules from that which detect any 
> of these few thousand addresses appearing anywhere in a message, with 
> lots of safeguards to protect against false alarms. It also compacts 
> them into only a hundred or two rules, instead of having 1 SpamAssassin 
> rule for each address!
> I then use SpamAssassin Rule Actions to do this:
> SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster at,header "X-ECS-Mail-Access: was to _TO_"
> This lot fires whenever any of my SpamAssassin rules fires. It
> 1) Adds a header "X-ECS-Mail-Access:" containing the list of original 
> recipient addresses,
> 2) Stores a copy of the message
> 3) Stops delivery to the original recipients
> 4) Sends a copy to postmaster, where I have a Sieve rule firing on the 
> presence of the "X-ECS-Mail-Access:" header to store it in a folder 
> without cluttering up postmaster's inbox.
> My script, that builds all the SpamAssassin rules, works from a YP/NIS 
> map called "mail.access" which contains each email address from the 
> google list and my list in the first word of a line, looking like this
> bad at REJECT
> nasty at REJECT
> I sort it so that the regular expressions created are more optimal for 
> Perl, so it can apply them faster to each message.
> My script that builds all the SpamAssassin rules is attached.
> My script that reads the google list and creates the YP/NIS map from it 
> is simply this:
> #!/bin/sh
> echo Fetching phishing addresses...
> rm -f /tmp/$$.blocks
> /usr/local/bin/wget -O /tmp/$$.blocks 
>  >/dev/null 2>&1
> echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
> if [ -f /tmp/$$.blocks ]; then
>          sed -e 's/^#.*$//' < /tmp/$$.blocks | \
>          cut -d, -f1 | \
>          sort | \
>          uniq | \
>          grep -v '^$' | \
>          awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
>          rm -f /tmp/$$.blocks
>          cd /opt/yp;
>          ./ypmake;
> fi
> The "ypcat -k mail.access" command at the start of Build.Phishing.Rules 
> basically reads my list in addition to the contents of the file 
> /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so 
> you can easily convert it to just use a temporary file and do all of 
> this lot on the same server. If you aren't using YP/NIS then you 
> obviously won't need the "ypmake" command either.
> I hope this is of some use to some of you. It traps "Temporary job 
> offer" spams and spear-phishing attacks very well indeed.
> Jules
> -- 
> Julian Field MEng CITP CEng
> Buy the MailScanner book at
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key:
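The rule-building step Julian describes (reading the mail.access list, expanding "*" wildcards, packing many addresses into a few SpamAssassin rules with guards against false alarms, and keying one rule name for the Rule Actions line) is shown here as an added example in Python. It is not Julian's attached Build.Phishing.Rules script, which is not on this page. The sample addresses are constructed, the rule names (__ECS_MA_*, ECS_MAIL_ACCESS), the score, the addresses-per-rule count and the choice of rawbody plus a "header ... ALL" rule are assumptions; the YP/NIS input is replaced by an in-memory string in the same format.

```python
import re

# Constructed sample input in the mail.access format the post describes:
# the first word of each line is the address (may contain "*"), then the action.
SAMPLE_MAP = """\
# lines starting with '#' are comments
nasty@example.net\tREJECT
bad@example.com\tREJECT
hr.department*@example.org\tREJECT
jobs*@example.org\tREJECT
bad@example.com\tREJECT
"""

ADDRESSES_PER_RULE = 2        # assumed: how many addresses to pack into one rule
WILDCARD = r'[\w.+-]*'        # what "*" expands to: address characters only, never whitespace
LEFT_GUARD = r'(?<![\w.+-])'  # the address must not be the tail of a longer token
RIGHT_GUARD = r'(?![\w-])'    # ...nor the head of one (a trailing "." or "," is fine)


def parse_map(text):
    """Return the sorted, de-duplicated addresses from mail.access-style text."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        addrs.add(line.split()[0].lower())
    # Sorting groups addresses that share a prefix, so alternations built from
    # neighbouring entries let the regex engine fail fast on the common start.
    return sorted(addrs)


def address_to_regex(addr):
    """Escape an address for a regex, turning each '*' into a bounded wildcard."""
    return WILDCARD.join(re.escape(part) for part in addr.split('*'))


def chunk_patterns(addrs, per_rule=ADDRESSES_PER_RULE):
    """Yield one guarded alternation per group of addresses (one rule each)."""
    for i in range(0, len(addrs), per_rule):
        alt = '|'.join(address_to_regex(a) for a in addrs[i:i + per_rule])
        yield f'{LEFT_GUARD}(?:{alt}){RIGHT_GUARD}'


def build_rules(addrs, per_rule=ADDRESSES_PER_RULE, score=10.0):
    """Emit SpamAssassin config: hidden '__' sub-rules for body and headers,
    plus one meta rule ECS_MAIL_ACCESS that fires when any sub-rule hits, so a
    single 'SpamAssassin Rule Actions' entry keyed on that name covers them all."""
    lines, subrules = [], []
    for n, pat in enumerate(chunk_patterns(addrs, per_rule)):
        body_rule, hdr_rule = f'__ECS_MA_BODY_{n:03d}', f'__ECS_MA_HDR_{n:03d}'
        lines.append(f'rawbody {body_rule} /{pat}/i')
        lines.append(f'header  {hdr_rule} ALL =~ /{pat}/i')
        subrules += [body_rule, hdr_rule]
    lines.append(f'meta     ECS_MAIL_ACCESS ({" || ".join(subrules)})')
    lines.append('describe ECS_MAIL_ACCESS Message mentions a known phishing reply address')
    lines.append(f'score    ECS_MAIL_ACCESS {score}')
    return '\n'.join(lines) + '\n'


def matches_any(addrs, text, per_rule=ADDRESSES_PER_RULE):
    """Apply the same patterns in Python, to preview what the rules will catch."""
    return any(re.search(pat, text, re.IGNORECASE)
               for pat in chunk_patterns(addrs, per_rule))


if __name__ == '__main__':
    print(build_rules(parse_map(SAMPLE_MAP)))
```

The guards are the false-alarm safeguard: "notbad@example.com" does not trigger the rule for "bad@example.com", and neither does "bad@example.community", while a trailing comma or full stop after a listed address still matches. Pipe the output into a .cf file under SpamAssassin's local rules directory and reload; the meta rule name is what the Rule Actions line keys on.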