Anti-phishing -- was Re: OT: Happy New Year

Gottschalk, David dgottsc at emory.edu
Mon Jan 5 15:35:25 GMT 2009


Julian,
  Thanks for posting this! This has been a huge problem over the last 6 months for the University I work at. I spend a lot of my time combating this problem. The feed of email addresses will be great for preventing accounts from being compromised. We've tried several ways to be pro-active in stopping the phishing, but this seems like one of the best ways to stop the problem. How does one go about submitting addresses to the project? I could probably provide a few each week with the rate we receive them at.

Thanks.

David Gottschalk
Emory University
UTS Email Team


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
Sent: Wednesday, December 31, 2008 6:24 PM
To: MailScanner discussion
Subject: Anti-phishing -- was Re: OT: Happy New Year



On 31/12/08 22:54, Kevin Miller wrote:
> Just a quick note to wish everyone a Happy (and spam free) New Year,
> especially Jules.  Your hard work and giving spirit has certainly made
> the past year much nicer for all of us...
>
Many thanks!

You might be interested to know I've been doing a bit of work with the Google-hosted project "anti-phishing-email-reply" which you can find here:
http://code.google.com/p/anti-phishing-email-reply/

My aim was to create a trap for all those nasty spear-phishing attacks and those endless "Temporary job offer" spams that some of you will get.

I have created a little script (which is pretty obvious, source code is given below) which just generates a list of addresses based on what's in their file. I add that to my own list of known troublesome addresses, which can have "*" wildcards in them, so you can do things like michael loucas * @ gmail . com (extra spaces added to stop my stuff picking up that address and killing this message).

I then generate a bunch of SpamAssassin rules from that which detect any of these few thousand addresses appearing anywhere in a message, with lots of safeguards to protect against false alarms. It also compacts them into only a hundred or two rules, instead of having 1 SpamAssassin rule for each address!

I then use SpamAssassin Rule Actions to do this:
SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster at ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"

This lot fires whenever any of my SpamAssassin rules fires. It
1) Adds a header "X-ECS-Mail-Access:" containing the list of original recipient addresses,
2) Stores a copy of the message
3) Stops delivery to the original recipients
4) Sends a copy to postmaster, where I have a Sieve rule firing on the presence of the "X-ECS-Mail-Access:" header to store it in a folder without cluttering up postmaster's inbox.

My script, that builds all the SpamAssassin rules, works from a YP/NIS map called "mail.access" which contains each email address from the Google list and my list in the first word of a line, looking like this:

bad at domain.com REJECT
nasty at false.bank.com REJECT

I sort it so that the regular expressions created are more optimal for Perl, so it can apply them faster to each message.

My script that builds all the SpamAssassin rules is attached.

My script that reads the google list and creates the YP/NIS map from it is simply this:

#!/bin/sh
# Fetch the Google-hosted list of phishing reply addresses into a temporary file
echo Fetching phishing addresses...
rm -f /tmp/$$.blocks
/usr/local/bin/wget -O /tmp/$$.blocks http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses >/dev/null 2>&1
echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses

if [ -f /tmp/$$.blocks ]; then
         # Drop comment lines, keep the address (first comma-separated field),
         # de-duplicate, and write "address<TAB>REJECT" lines for the YP/NIS map
         sed -e 's/^#.*$//' < /tmp/$$.blocks | \
         cut -d, -f1 | \
         sort | \
         uniq | \
         grep -v '^$' | \
         awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
         rm -f /tmp/$$.blocks
         # Rebuild the NIS maps so the new mail.access entries are served
         cd /opt/yp;
         ./ypmake;
fi

The "ypcat -k mail.access" command at the start of Build.Phishing.Rules basically reads my list in addition to the contents of the file /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so you can easily convert it to just use a temporary file and do all of this lot on the same server. If you aren't using YP/NIS then you obviously won't need the "ypmake" command either.

I hope this is of some use to some of you. It traps "Temporary job offer" spams and spear-phishing attacks very well indeed.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc
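An added example, not Jules's attached Build.Phishing.Rules script, showing the rule-building step he describes: the Google list (first comma-separated field is the address, as the cut -d, -f1 in his fetch script implies) is merged with a local list that may contain "*" wildcards, the addresses are grouped by domain and compacted into a handful of SpamAssassin "full" rules with lookarounds as the false-alarm safeguard, and the rules are then applied to a sample message. The list contents, the rule names, and the choice of "full" rules are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample in the Google list's format (address is the first comma-separated field)
GOOGLE_LIST = """# address,type,date
bad@domain.com,A,20081201
nasty@false.bank.com,B,20081215
other@domain.com,A,20081220
"""
# Constructed local list; "*" is a wildcard, as in Jules's own list of troublesome addresses
LOCAL_LIST = ["michael*loucas*@gmail.com", "nasty@false.bank.com"]

def parse_google_list(text):
    # first field of each non-blank, non-comment line, lower-cased (what the cut/sort/uniq pipe does)
    addrs = set()
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            addrs.add(line.split(",", 1)[0].strip().lower())
    return addrs

def wildcard_to_regex(part):
    # escape literal text; each "*" becomes a run of characters that cannot include "@" or whitespace
    return r"[^@\s]*".join(re.escape(p) for p in part.split("*"))

def build_rules(addresses, per_rule=50):
    # group addresses by domain and emit one SpamAssassin 'full' rule per chunk of local parts
    by_domain = defaultdict(list)
    for addr in sorted(set(a.lower() for a in addresses)):
        local, domain = addr.rsplit("@", 1)
        by_domain[domain].append(wildcard_to_regex(local))
    rules = []
    for i, domain in enumerate(sorted(by_domain)):
        locals_ = by_domain[domain]
        for j in range(0, len(locals_), per_rule):
            name = f"PHISH_REPLY_{i}_{j // per_rule}"
            # lookarounds stop the rule firing on a longer address that merely contains a listed one
            pat = (r"(?<![\w.+-])(?:" + "|".join(locals_[j:j + per_rule]) + r")@"
                   + wildcard_to_regex(domain) + r"(?![\w-])")
            rules.append(f"full {name} /{pat}/i\nscore {name} 10.0\n"
                         f"describe {name} Known phishing reply address at {domain}")
    return rules

def matching_rules(rules, message):
    # apply the generated patterns to a raw message with Python's re (same syntax as the rules use)
    hits = []
    for rule in rules:
        _, name, regex = rule.splitlines()[0].split(" ", 2)   # "full NAME /pattern/i"
        if re.search(regex[1:-2], message, re.IGNORECASE):
            hits.append(name)
    return hits
```

Writing the joined rules to a .cf file in SpamAssassin's local rules directory and restarting MailScanner is the remaining step; the per_rule chunk size is what keeps the count down to a hundred or two rules rather than one per address.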

