Anti-phishing -- was Re: OT: Happy New Year

Brent Addis brent.addis at spit.gen.nz
Thu Jan 1 23:21:42 GMT 2009


Awesome Julian, I've been looking for something that would catch those.

I'll stick it on our testbed tonight



On Wed, 2008-12-31 at 23:24 +0000, Julian Field wrote:

> 
> On 31/12/08 22:54, Kevin Miller wrote:
> > Just a quick note to wish everyone a Happy (and spam free) New Year,
> > especially Jules.  Your hard work and giving spirit has certainly made
> > the past year much nicer for all of us...
> >    
> Many thanks!
> 
> You might be interested to know that I've been doing a bit of work with the 
> Google-hosted project "anti-phishing-email-reply" which you can find here:
> http://code.google.com/p/anti-phishing-email-reply/
> 
> My aim was to create a trap for all those nasty spear-phishing attacks 
> and those endless "Temporary job offer" spams that some of you will get.
> 
> I have created a little script (which is pretty obvious, source code is 
> given below) which just generates a list of addresses based on what's in 
> their file. I add that to my own list of known troublesome addresses, 
> which can have "*" wildcards in them, so you can do things like michael 
> loucas * @ gmail . com (extra spaces added to stop my stuff picking up 
> that address and killing this message).
> 
> I then generate a bunch of SpamAssassin rules from that which detect any 
> of these few thousand addresses appearing anywhere in a message, with 
> lots of safeguards to protect against false alarms. It also compacts 
> them into only a hundred or two rules, instead of having 1 SpamAssassin 
> rule for each address!
> 
> I then use SpamAssassin Rule Actions to do this:
> SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster at ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"
> 
> This lot fires whenever any of my SpamAssassin rules fires. It
> 1) Adds a header "X-ECS-Mail-Access:" containing the list of original 
> recipient addresses,
> 2) Stores a copy of the message
> 3) Stops delivery to the original recipients
> 4) Sends a copy to postmaster, where I have a Sieve rule firing on the 
> presence of the "X-ECS-Mail-Access:" header to store it in a folder 
> without cluttering up postmaster's inbox.
> 
> My script, that builds all the SpamAssassin rules, works from a YP/NIS 
> map called "mail.access" which contains each email address from the 
> google list and my list in the first word of a line, looking like this:
> bad at domain.com REJECT
> nasty at false.bank.com REJECT
> I sort it so that the regular expressions created are more optimal for 
> Perl, so it can apply them faster to each message.
> 
> My script that builds all the SpamAssassin rules is attached.
> 
> My script that reads the google list and creates the YP/NIS map from it 
> is simply this:
> 
> #!/bin/sh
> # Fetch the Google-hosted list of phishing reply addresses and turn it into
> # a mail.access map: one "<address><TAB>REJECT" line per unique address.
> echo Fetching phishing addresses...
> rm -f /tmp/$$.blocks
> /usr/local/bin/wget -O /tmp/$$.blocks \
>     http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses \
>     >/dev/null 2>&1
> echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
> 
> # wget -O creates the output file even when the download fails, so test for
> # a non-empty file (-s) rather than merely an existing one; otherwise a
> # failed fetch would replace the map with an empty one.
> if [ -s /tmp/$$.blocks ]; then
>          sed -e 's/^#.*$//' < /tmp/$$.blocks | \
>          cut -d, -f1 | \
>          sort | \
>          uniq | \
>          grep -v '^$' | \
>          awk '{ printf("%s\tREJECT\n",$1); }' \
>              > /opt/yp/etc/mail.access.anti-phishing
>          rm -f /tmp/$$.blocks
>          cd /opt/yp;
>          ./ypmake;
> fi
> 
> The "ypcat -k mail.access" command at the start of Build.Phishing.Rules 
> basically reads my list in addition to the contents of the file 
> /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so 
> you can easily convert it to just use a temporary file and do all of 
> this lot on the same server. If you aren't using YP/NIS then you 
> obviously won't need the "ypmake" command either.
> 
> I hope this is of some use to some of you. It traps "Temporary job 
> offer" spams and spear-phishing attacks very well indeed.
> 
> Jules
> 
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
> 
> 
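The rule-building step Julian describes (a few thousand addresses, "*" wildcards, compacted into a hundred or two SpamAssassin rules with safeguards against false alarms) is the part whose script was attached rather than posted. The following is an added example of that step and is not the Build.Phishing.Rules script from the original message. It reads the same mail.access map format ("<address> REJECT", first word of each line), sorts addresses by domain so local parts sharing a domain collapse into one alternation, emits one "full" rule per chunk plus a meta rule, and refuses to match an address that is merely a substring of a longer one. The rule-name prefix ECS_MAIL_ACCESS, the chunk size, the choice of "full" rules, the meta-rule wiring and the sample addresses are all assumptions made for the example.

```python
# Added example (not the Build.Phishing.Rules script attached to the original post):
# turn a mail.access-style list of phishing reply addresses, "*" wildcards included,
# into a small number of SpamAssassin rules.  The rule-name prefix, chunk size,
# use of "full" rules and the meta rule tying them together are assumptions.
import re
from collections import defaultdict

# Constructed sample in the map's format, "<address> REJECT"; the comment,
# blank line and duplicate are present on purpose.
SAMPLE_MAP = """\
# generated from the google list plus local additions
bad@domain.com REJECT
nasty@false.bank.com REJECT
michaelloucas*@gmail.com REJECT

jobs-hr*@domain.com REJECT
bad@domain.com REJECT
"""

RULE_PREFIX = "ECS_MAIL_ACCESS"  # assumed: the name used in the Rule Actions line
CHUNK_SIZE = 25                  # addresses per rule: a few thousand addresses -> ~100-200 rules

# Safeguards against false alarms: the address must stand on its own, so
# "xbad@domain.com" or "bad@domain.com.au" do not count as a hit.
LEFT = r"(?<![\w.+=-])"
RIGHT = r"(?![\w.-])"


def parse_map(text):
    """Return de-duplicated (local, domain) pairs, sorted by domain then local part."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr = line.split()[0].lower()      # first word of the line, as in the map
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        pairs.add((local, domain))
    return sorted(pairs, key=lambda p: (p[1], p[0]))


def wildcard_to_regex(part):
    """Regex-escape a local part or domain; '*' becomes 'anything but whitespace or @'."""
    return r"[^\s@]*".join(re.escape(piece) for piece in part.split("*"))


def build_patterns(pairs):
    """One alternation per CHUNK_SIZE addresses, local parts grouped under their domain."""
    patterns = []
    for i in range(0, len(pairs), CHUNK_SIZE):
        by_domain = defaultdict(list)
        for local, domain in pairs[i:i + CHUNK_SIZE]:
            by_domain[domain].append(wildcard_to_regex(local))
        alts = ["(?:%s)@%s" % ("|".join(locs), wildcard_to_regex(dom))
                for dom, locs in sorted(by_domain.items())]
        patterns.append("%s(?:%s)%s" % (LEFT, "|".join(alts), RIGHT))
    return patterns


def render_rules(patterns):
    """Emit SpamAssassin 'full' rules (raw headers + body) and a meta rule that ORs them."""
    names, out = [], []
    for n, pat in enumerate(patterns, 1):
        name = "%s_%03d" % (RULE_PREFIX, n)
        names.append(name)
        out.append("full     %s  /%s/i" % (name, pat))
        out.append("describe %s  Known phishing reply address, chunk %d" % (name, n))
        out.append("score    %s  0.01" % name)      # the meta rule carries the real score
    out.append("meta     %s  (%s)" % (RULE_PREFIX, " || ".join(names)))
    out.append("describe %s  Message mentions a known phishing reply address" % RULE_PREFIX)
    out.append("score    %s  10.0" % RULE_PREFIX)
    return "\n".join(out) + "\n"


def hits(patterns, raw_message):
    """Names of the chunk rules that would fire; Python's re stands in for SpamAssassin here."""
    return ["%s_%03d" % (RULE_PREFIX, n) for n, pat in enumerate(patterns, 1)
            if re.search(pat, raw_message, re.I)]


if __name__ == "__main__":
    pats = build_patterns(parse_map(SAMPLE_MAP))
    print(render_rules(pats))
    # Constructed messages: a spear-phish reply address in Reply-To, and a
    # look-alike that the boundary safeguards must leave alone.
    print(hits(pats, "Reply-To: MichaelLoucas2009@gmail.com\n\nTemporary job offer"))
    print(hits(pats, "From: notmichaelloucas@gmail.com\n\nhello"))
```

The generated rules go in a .cf file under the SpamAssassin site rules directory; the single meta rule name is what a MailScanner "SpamAssassin Rule Actions" line keys on, so the chunk rules can stay near-zero scored. Grouping by domain before joining is the "sort so the regular expressions are more optimal" idea from the message: the engine tests one domain suffix per group instead of one per address.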