Anti-spear-phishing, round 2

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 6 22:20:10 GMT 2009


I have done a load of work on my script that uses the 
anti-spear-phishing addresses database.

The main thing is now that it is pretty much a finished script, and is 
directly usable by you guys without you having to do much to it except 
read the settings at the top and tweak the filenames if you want to 
change where it puts things.

I have taken a lot of care to ensure that this won't match any false 
alarms, I don't just dumbly look for the strings in any surrounding 
text, which certain commercial AV vendors have been caught doing in the 
past!

I make a suggestion in the comments at the top of the script about how I 
use the rule within MailScanner, you probably want to do something 
similar, and not just delete anything that matches, just in case you do 
get any false alarms.

It also looks for numbers at the end of the username bit of the address, 
and assumes that these are numbers which the scammers may change; so if 
it finds them, it replaces them with a pattern that will match any 
number instead. There's starting to be a lot of this about, as it's the 
easiest way for the scammers to try to defeat simple address lists 
targeted against them, while still being able to remember what addresses 
they have to check for replies from your dumb users. :-) I thought I 
would make it a tiny bit harder for them...

You can also add addresses of your own (which can include "*" as a 
wildcard character to mean "any series of valid characters" in the email 
address), one address per line, in an optional extra file. Again, read 
the top of the script and you'll see it mentioned there. That file is 
optional, it doesn't matter if it doesn't exist. As a starter, you might 
want to put
m i c h a e l l o u c a s * @ g m a i l . c o m
(without the extra spaces) in that file, as it will nicely catch a lot 
of "Job opportunity" spams.

It looks for any of these addresses appearing **anywhere** in the 
message, not just in the headers. So if you start talking to people 
about these addresses, don't be surprised when the messages get caught 
by the trap.

It does a "wget", so make sure you have that binary installed, or else 
change the script to fetch the file by some other means.

The very end of the script does a "service MailScanner restart", so if 
you need some other command to restart MailScanner, then edit it for 
your system. It needs to be a "restart" and not a "reload" as I have to 
force it to re-build the database of SpamAssassin rules.

My aim was that, on a RedHat system running MailScanner, you could just 
copy the script into /etc/cron.hourly and make it executable, and it 
will just get on with the job for you. I do advise you read the bit in 
the script about "SpamAssassin Rule Actions" though.

Please do let me know how you would like me to improve it, and tell me 
what you think of it in general (be polite, now! :-)

Cheers,

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc



-------------- next part --------------
A non-text attachment was scrubbed...
Name: Spear.Phishing.Rules.gz
Type: application/x-gzip
Size: 1710 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/3a7da8b0/Spear.Phishing.Rules.gz
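The matching approach described above (wildcards in user-supplied addresses, trailing digits in the local part generalised to "any number", and a match that refuses to fire when the address is embedded in a longer token), as an added Python example that is not Julian's script and not part of MailScanner or SpamAssassin. The address list, the sample message, the rule name prefix and the character classes are all constructed for illustration; the emitted rules use SpamAssassin's `full` rule type so that headers are covered as well as the body, which is an assumption about how you would wire it up.

```python
import re

# Constructed sample address list: stands in for the downloaded database plus
# the optional extra file. "*" is the wildcard syntax from the post.
SAMPLE_ADDRESSES = [
    "scammer123@example.com",        # trailing digits: the scammer will rotate these
    "helpdesk.upgrade@example.org",
    "michaelloucas*@example.net",    # wildcard in the local part
]

# Characters we treat as valid inside the local part of an address.
LOCAL_CLASS = r"[A-Za-z0-9._%+-]"


def address_to_regex(addr: str) -> str:
    """Turn one list entry into a regex that matches the address anywhere in
    a message without matching it as a substring of a longer address."""
    addr = addr.strip().lower()
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {addr!r}")

    # Trailing digits in the local part become "any number" (scammer123 -> scammer\d+).
    m = re.match(r"^(.*?)(\d+)$", local)
    digits = ""
    if m and m.group(1):
        local = m.group(1)
        digits = r"\d+"

    # Escape the literal pieces; "*" becomes "any run of valid local-part characters".
    local_re = (LOCAL_CLASS + "*").join(re.escape(p) for p in local.split("*")) + digits
    domain_re = re.escape(domain)

    # No address character immediately before, and no further label after the
    # domain (so example.com.evil does not match, but "example.com." at the end
    # of a sentence still does).
    return rf"(?<!{LOCAL_CLASS}){local_re}@{domain_re}(?![A-Za-z0-9-]|\.[A-Za-z0-9])"


def compile_list(addresses):
    """Compile every entry once; keep the original entry for reporting."""
    return [(a, re.compile(address_to_regex(a), re.IGNORECASE)) for a in addresses]


def scan_message(text: str, addresses) -> list:
    """Return the list entries found anywhere in the raw message (headers included)."""
    return [entry for entry, rx in compile_list(addresses) if rx.search(text)]


def to_spamassassin_rules(addresses, prefix="LOCAL_SPEAR") -> str:
    """Emit one SpamAssassin rule per entry. Rule names and score are constructed;
    "@" is escaped because the pattern is compiled by Perl."""
    lines = []
    for i, addr in enumerate(addresses):
        name = f"{prefix}_{i}"
        rx = address_to_regex(addr).replace("@", r"\@")
        lines.append(f"full {name} /{rx}/i")
        lines.append(f"describe {name} Known spear-phishing reply address {addr}")
        lines.append(f"score {name} 5.0")
    return "\n".join(lines)


# Constructed sample message: a typical "reply with your password" lure.
SAMPLE_MESSAGE = """From: IT Helpdesk <helpdesk.upgrade@example.org>
To: staff@corp.example
Subject: Mailbox quota exceeded

Your mailbox is over quota. Reply with your password to
scammer457@example.com within 24 hours to avoid suspension.
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE, SAMPLE_ADDRESSES):
        print("matched list entry:", hit)
    print(to_spamassassin_rules(SAMPLE_ADDRESSES))
```

Running the block reports two hits on the sample message (the rotated `scammer457` address via the digit generalisation, and the forged helpdesk sender in the headers) and prints the generated rule file. The lookbehind and lookahead are what keep the rule from firing on `notscammer123@example.com` or on `scammer9@example.com.evil`, which is the "don't just dumbly look for the strings" point from the post.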