Anti-phishing -- was Re: OT: Happy New Year

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jan 5 16:27:40 GMT 2009


No problem. I don't know how you submit addresses to them, you'll have 
to find out who runs the project. I just use their results at the 
moment, together with my own list (which contains things like 
michaelloucas*@gmail.com which stops lots of "job opportunity" spams).

On 5/1/09 15:35, Gottschalk, David wrote:
> Julian,
>    Thanks for posting this! This has been a huge problem over the last 6 months for the University I work at. I spend a lot of my time combating this problem. The feed of email addresses will be great for preventing accounts from being compromised. We've tried several ways to be pro-active in stopping the phishing, but this seems like one of the best ways to stop the problem. How does one go about submitting addresses to the project? I could probably provide a few each week with the rate we receive them at.
>
> Thanks.
>
> David Gottschalk
> Emory University
> UTS Email Team
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Wednesday, December 31, 2008 6:24 PM
> To: MailScanner discussion
> Subject: Anti-phishing -- was Re: OT: Happy New Year
>
>
>
> On 31/12/08 22:54, Kevin Miller wrote:
>    
>> Just a quick note to wish everyone a Happy (and spam free) New Year,
>> especially Jules.  Your hard work and giving spirit has certainly made
>> the past year much nicer for all of us...
>>
>>      
> Many thanks!
>
> You might be interested I've been doing a bit of work with the Google-hosted project "anti-phishing-email-reply" which you can find here:
> http://code.google.com/p/anti-phishing-email-reply/
>
> My aim was to create a trap for all those nasty spear-phishing attacks and those endless "Temporary job offer" spams that some of you will get.
>
> I have created a little script (which is pretty obvious, source code is given below) which just generates a list of addresses based on what's in their file. I add that to my own list of known troublesome addresses, which can have "*" wildcards in them, so you can do things like michael loucas * @ gmail . com (extra spaces added to stop my stuff picking up that address and killing this message).
>
> I then generate a bunch of SpamAssassin rules from that which detect any of these few thousand addresses appearing anywhere in a message, with lots of safeguards to protect against false alarms. It also compacts them into only a hundred or two rules, instead of having 1 SpamAssassin rule for each address!
>
> I then use SpamAssassin Rule Actions to do this:
> SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster at ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"
>
> This lot fires whenever any of my SpamAssassin rules fires. It
> 1) Adds a header "X-ECS-Mail-Access:" containing the list of original recipient addresses,
> 2) Stores a copy of the message
> 3) Stops delivery to the original recipients
> 4) Sends a copy to postmaster, where I have a Sieve rule firing on the presence of the "X-ECS-Mail-Access:" header to store it in a folder without cluttering up postmaster's inbox.
>
> My script, that builds all the SpamAssassin rules, works from a YP/NIS map called "mail.access" which contains each email address from the google list and my list in the first word of a line, looking like this:
>
> bad at domain.com REJECT
> nasty at false.bank.com REJECT
>
> I sort it so that the regular expressions created are more optimal for Perl, so it can apply them faster to each message.
>
> My script that builds all the SpamAssassin rules is attached.
>
> My script that reads the google list and creates the YP/NIS map from it is simply this:
>
> #!/bin/sh
> # Fetch the project's address list and turn it into the YP/NIS "mail.access" map.
> echo Fetching phishing addresses...
> rm -f /tmp/$$.blocks
> /usr/local/bin/wget -O /tmp/$$.blocks \
>     http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses \
>     >/dev/null 2>&1
> echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
>
> if [ -f /tmp/$$.blocks ]; then
>           # Drop comment lines, keep the address column, dedupe,
>           # and write one "address<TAB>REJECT" line per address.
>           sed -e 's/^#.*$//' < /tmp/$$.blocks | \
>           cut -d, -f1 | \
>           sort | \
>           uniq | \
>           grep -v '^$' | \
>           awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
>           rm -f /tmp/$$.blocks
>           # Rebuild the NIS maps so the new entries are served.
>           cd /opt/yp;
>           ./ypmake;
> fi
>
> The "ypcat -k mail.access" command at the start of Build.Phishing.Rules basically reads my list in addition to the contents of the file /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so you can easily convert it to just use a temporary file and do all of this lot on the same server. If you aren't using YP/NIS then you obviously won't need the "ypmake" command either.
>
> I hope this is of some use to some of you. It traps "Temporary job offer" spams and spear-phishing attacks very well indeed.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
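The rule-building step of the thread (the attached Build.Phishing.Rules script, which is not shown on this page) is the interesting part: addresses from the project feed and a local wildcard list have to become a compact set of SpamAssassin rules that fire on an address anywhere in a message without tripping on look-alikes. The following is an added example, not the author's script or anything from the anti-phishing-email-reply project. It assumes the feed's `address,type,date` layout as described in the post, uses constructed sample lines rather than the real feed, groups addresses by domain to keep the rule count down (my choice of compaction, not necessarily the author's), and emits SpamAssassin `full` rules under one `ECS_MAIL_ACCESS` meta rule so the Rule Actions line from the post can key on a single name. The lookbehind/lookahead guards are the "safeguard against false alarms": `notbad@domain.example` and `bad@domain.example.org` do not match.

```python
import re

# Constructed sample in the feed's "address,type,date" layout (not the real feed).
FEED_SAMPLE = """\
# address,type,date
bad@domain.example,A,20090101
nasty@false.bank.example,B,20090102
bad@domain.example,A,20090103
"""

# Constructed local list; "*" is a wildcard in the local part, as in the post.
OWN_LIST = ["michaelloucas*@gmail.example", "Bad@domain.example"]

LOCAL_CHARS = r"[A-Za-z0-9._+-]"  # characters allowed in a local part


def parse_feed(text):
    """Lower-cased addresses from the first CSV column, skipping '#' comment lines."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.add(line.split(",", 1)[0].lower())
    return addrs


def wildcard_to_regex(local_part):
    """Escape a local part, then turn each '*' into a run of local-part characters."""
    pieces = re.escape(local_part).split(r"\*")
    return (LOCAL_CHARS + "*").join(pieces)


def build_rules(addresses, prefix="ECS_MAIL_ACCESS", max_per_rule=50):
    """Group addresses by domain and return (rule_name, regex) pairs.

    One alternation per domain (split into chunks of max_per_rule) instead of
    one rule per address keeps the rule count in the low hundreds.
    """
    by_domain = {}
    for addr in sorted(set(a.lower() for a in addresses)):
        local, _, domain = addr.rpartition("@")
        by_domain.setdefault(domain, []).append(local)
    rules = []
    for domain in sorted(by_domain):
        locals_ = sorted(set(by_domain[domain]))
        for i in range(0, len(locals_), max_per_rule):
            alt = "|".join(wildcard_to_regex(l) for l in locals_[i:i + max_per_rule])
            # No local-part character may precede the hit, and the domain must not
            # continue (e.g. domain.example.org), so look-alikes are not matched.
            regex = (r"(?<!" + LOCAL_CHARS + r")(?:" + alt + r")@"
                     + re.escape(domain) + r"(?![A-Za-z0-9.-])")
            rules.append((f"{prefix}_{len(rules)}", regex))
    return rules


def render_sa_config(rules, prefix="ECS_MAIL_ACCESS", score=0.1):
    """Render 'full' rules (raw headers + body) plus one meta rule to act on."""
    out = []
    for name, regex in rules:
        out.append(f"full {name} /{regex}/i")
        out.append(f"describe {name} Known phishing reply address ({name})")
        out.append(f"score {name} {score}")
    out.append(f"meta {prefix} ({' || '.join(n for n, _ in rules)})")
    out.append(f"describe {prefix} Message mentions a known phishing reply address")
    out.append(f"score {prefix} {score}")
    return "\n".join(out) + "\n"


def hits(rules, message):
    """Names of the rules whose regex matches anywhere in the raw message."""
    return [name for name, regex in rules if re.search(regex, message, re.I)]


if __name__ == "__main__":
    addrs = parse_feed(FEED_SAMPLE) | set(OWN_LIST)
    rules = build_rules(addrs)
    print(render_sa_config(rules))
    print(hits(rules, "Reply to NASTY@false.bank.example for the job"))
```

The generated text can be dropped into a `.cf` file under SpamAssassin's local rules directory; the low per-rule score is deliberate, since the post relies on the Rule Actions entry (store, not-deliver, forward, add header) rather than on the spam score to quarantine the message.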




