Anti-phishing -- was Re: OT: Happy New Year

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jan 2 11:19:27 GMT 2009


If you want some recent entries from my additional list, I'll send you 
the bottom hundred or so.

On 1/1/09 23:21, Brent Addis wrote:
> Awesome Julian, I've been looking for something that would catch those.
>
> I'll stick it on our testbed tonight
>
>
>
> On Wed, 2008-12-31 at 23:24 +0000, Julian Field wrote:
>> On 31/12/08 22:54, Kevin Miller wrote:
>> >  Just a quick note to wish everyone a Happy (and spam free) New Year,
>> >  especially Jules.  Your hard work and giving spirit has certainly made
>> >  the past year much nicer for all of us...
>> >
>> Many thanks!
>>
>> You might be interested I've been doing a bit of work with the
>> Google-hosted project "anti-phishing-email-reply" which you can find here:
>> http://code.google.com/p/anti-phishing-email-reply/
>>
>> My aim was to create a trap for all those nasty spear-phishing attacks
>> and those endless "Temporary job offer" spams that some of you will get.
>>
>> I have created a little script (which is pretty obvious, source code is
>> given below) which just generates a list of addresses based on what's in
>> their file. I add that to my own list of known troublesome addresses,
>> which can have "*" wildcards in them, so you can do things like michael
>> loucas * @ gmail . com (extra spaces added to stop my stuff picking up
>> that address and killing this message).
>>
>> I then generate a bunch of SpamAssassin rules from that which detect any
>> of these few thousand addresses appearing anywhere in a message, with
>> lots of safeguards to protect against false alarms. It also compacts
>> them into only a hundred or two rules, instead of having 1 SpamAssassin
>> rule for each address!
>>
>> I then use SpamAssassin Rule Actions to do this:
>> SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster at ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"
>>
>> This lot fires whenever any of my SpamAssassin rules fires. It
>> 1) Adds a header "X-ECS-Mail-Access:" containing the list of original
>> recipient addresses,
>> 2) Stores a copy of the message
>> 3) Stops delivery to the original recipients
>> 4) Sends a copy to postmaster, where I have a Sieve rule firing on the
>> presence of the "X-ECS-Mail-Access:" header to store it in a folder
>> without cluttering up postmaster's inbox.
>>
>> My script, that builds all the SpamAssassin rules, works from a YP/NIS
>> map called "mail.access" which contains each email address from the
>> google list and my list in the first word of a line, looking like this:
>> bad at domain.com  REJECT
>> nasty at false.bank.com  REJECT
>> I sort it so that the regular expressions created are more optimal for
>> Perl, so it can apply them faster to each message.
>>
>> My script that builds all the SpamAssassin rules is attached.
>>
>> My script that reads the google list and creates the YP/NIS map from it
>> is simply this:
>>
>> #!/bin/sh
>> # Fetch the Google-hosted phishing_reply_addresses list into a per-process temp file
>> echo Fetching phishing addresses...
>> rm -f /tmp/$$.blocks
>> /usr/local/bin/wget -O /tmp/$$.blocks \
>>   http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses \
>>   >/dev/null 2>&1
>> echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
>>
>> if [ -f /tmp/$$.blocks ]; then
>>         # Drop comments, keep the address (first comma-separated field),
>>         # de-duplicate, and write "address<TAB>REJECT" lines for the mail.access map
>>         sed -e 's/^#.*$//' < /tmp/$$.blocks | \
>>         cut -d, -f1 | \
>>         sort | \
>>         uniq | \
>>         grep -v '^$' | \
>>         awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
>>         rm -f /tmp/$$.blocks
>>         cd /opt/yp;
>>         ./ypmake;
>> fi
>>
>> The "ypcat -k mail.access" command at the start of Build.Phishing.Rules
>> basically reads my list in addition to the contents of the file
>> /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so
>> you can easily convert it to just use a temporary file and do all of
>> this lot on the same server. If you aren't using YP/NIS then you
>> obviously won't need the "ypmake" command either.
>>
>> I hope this is of some use to some of you. It traps "Temporary job
>> offer" spams and spear-phishing attacks very well indeed.
>>
>> Jules
>>
>> -- 
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
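The rule-building step the quoted message describes (compacting a mail.access-style list with "*" wildcards into a handful of SpamAssassin rules, with guards against false alarms, tied together by an ECS_MAIL_ACCESS meta rule for the Rule Actions line) is sketched below as an added example. It is not the attached Build.Phishing.Rules script, which is not on this page; the function names, the `full`/`meta` rule layout and the sample map are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the mail.access layout the post describes: the first
# word of each line is an address (with optional "*" wildcards), then REJECT.
SAMPLE_MAP = """\
# comment lines are ignored
bad@domain.com\tREJECT
nasty@false.bank.com\tREJECT
michael.loucas*@gmail.com\tREJECT
hr.recruit*@gmail.com\tREJECT
"""

def parse_mail_access(text):
    """Return the sorted, de-duplicated address patterns from the map text."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addrs.add(line.split()[0].lower())
    return sorted(addrs)

def glob_to_regex(fragment):
    """Escape an address fragment; each "*" becomes a run of address characters."""
    return r"[\w.+-]*".join(re.escape(p) for p in fragment.split("*"))

def build_rules(addrs, name="ECS_MAIL_ACCESS", per_rule=50):
    """Emit one 'full' rule per domain (chunked at per_rule local parts) plus a
    meta rule named `name`, which is what the Rule Actions line keys on. The
    lookbehind/lookahead guards are the false-alarm safeguard: 'bad@domain.com'
    must not fire on 'notbad@domain.com' or 'bad@domain.com.au'."""
    by_domain = defaultdict(list)
    for addr in addrs:
        local, _, domain = addr.rpartition("@")
        by_domain[domain].append(glob_to_regex(local))
    lines, subs = [], []
    for domain in sorted(by_domain):           # one shared domain suffix per rule
        locals_ = by_domain[domain]
        for start in range(0, len(locals_), per_rule):
            sub = f"{name}_{len(subs) + 1}"
            alt = "|".join(locals_[start:start + per_rule])
            pat = rf"(?<![\w.+-])(?:{alt})@{glob_to_regex(domain)}(?![\w.-])"
            lines += [f"full {sub} /{pat}/i", f"score {sub} 0.01"]
            subs.append(sub)
    lines += [f"meta {name} ({' || '.join(subs)})", f"score {name} 10.0"]
    return "\n".join(lines), subs

def message_hits(rules_text, message):
    """Check a message (headers + body) against the generated 'full' patterns."""
    pats = re.findall(r"^full \S+ /(.*)/i$", rules_text, re.M)
    return any(re.search(p, message, re.I) for p in pats)
```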

