Anti-spear-phishing, round 2
MailScanner at ecs.soton.ac.uk
Tue Jan 6 22:20:10 GMT 2009
I have done a load of work on my script that uses the
anti-spear-phishing addresses database.
The main thing is now that it is pretty much a finished script, and is
directly usable by you guys without you having to do much to it except
read the settings at the top and tweak the filenames if you want to
change where it puts things.
I have taken a lot of care to ensure that this won't match any false
alarms, I don't just dumbly look for the strings in any surrounding
text, which certain commercial AV vendors have been caught doing in the
I make a suggestion in the comments at the top of the script about how I
use the rule within MailScanner, you probably want to do something
similar, and not just delete anything that matches, just in case you do
get any false alarms.
It also looks for numbers at the end of the username bit of the address,
and assumes that these are numbers which the scammers may change; so if
it finds them, it replaces them with a pattern that will match any
number instead. There's starting to be a lot of this about, as it's the
easiest way for the scammers to try to defeat simple address lists
targeted against them, while still being able to remember what addresses
they have to check for replies from your dumb users. :-) I thought I
would make it a tiny bit harder for them...
You can also add addresses of your own (which can include "*" as a
wildcard character to mean "any series of valid characters" in the email
address), one address per line, in an optional extra file. Again, read
the top of the script and you'll see it mentioned there. That file is
optional, it doesn't matter if it doesn't exist. As a starter, you might
want to put
m i c h a e l l o u c a s * @ g m a i l . c o m
(without the extra spaces) in that file, as it will nicely catch a lot
of "Job opportunity" spams.
It looks for any of these addresses appearing **anywhere** in the
message, not just in the headers. So if you start talking to people
about these addresses, don't be surprised when the messages get caught
by the trap.
It does a "wget", so make sure you have that binary installed, or else
change the script to fetch the file by some other means.
The very end of the script does a "service MailScanner restart", so if
you need some other command to restart MailScanner, then edit it for
your system. It needs to be a "restart" and not a "reload" as I have to
force it to re-build the database of SpamAssassin rules.
My aim was that, on a RedHat system running MailScanner, you could just
copy the script into /etc/cron.hourly and make it executable, and it
will just get on with the job for you. I do advise you read the bit in
the script about "SpamAssassin Rule Actions" though.
Please do let me know how you would like me to improve it, and tell me
what you think of it in general (be polite, now! :-)
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1710 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/3a7da8b0/Spear.Phishing.Rules.gz
More information about the MailScanner