Anti-spear-phishing, round 2

Gottschalk, David dgottsc at
Wed Jan 7 21:00:38 GMT 2009

Thanks for posting this! This is going to make my life a lot easier. I plan on installing it on all of my machines with MailScanner. I'll let you know how well it works. I've got it installed on one machine right now; I'm just trying to figure out how to get the SpamAssassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it.

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces at [mailto:mailscanner-bounces at] On Behalf Of Julian Field
Sent: Tuesday, January 06, 2009 5:20 PM
To: MailScanner discussion
Subject: Anti-spear-phishing, round 2

I have done a load of work on my script that uses the anti-spear-phishing addresses database.

The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things.

I have taken a lot of care to ensure that this won't match any false alarms; I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past!

I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner; you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms.

It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them...

You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. As a starter, you might want to put m i c h a e l l o u c a s * @ g m a i l . c o m (without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams.

It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap.

It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means.

The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules.

My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though.

Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-)



Julian Field MEng CITP CEng
Buy the MailScanner book at

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key:
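
The address handling described in the message above (trailing numbers in the username generalised, "*" wildcards, matching anywhere in the message without firing on surrounding text), sketched in Python as an added example. It is not Julian's script: the function names, the `\d+` number pattern and the "valid characters" class are assumptions, and the sample addresses are constructed.

```python
import re

ADDR_CHARS = r"[a-z0-9._+-]"  # assumed set of "valid characters" in an address

def address_to_regex(addr: str) -> str:
    """Turn one list entry into a regex fragment (hypothetical helper)."""
    local, _, domain = addr.strip().lower().partition("@")
    # Trailing digits after a non-digit in the username are treated as variable.
    m = re.fullmatch(r"(.*\D)(\d+)", local)
    stem, numbered = (m.group(1), True) if m else (local, False)

    def esc(part: str) -> str:
        # Escape literals; "*" means any run of valid address characters.
        return (ADDR_CHARS + "*").join(re.escape(p) for p in part.split("*"))

    body = esc(stem) + (r"\d+" if numbered else "") + "@" + esc(domain)
    # Boundaries: do not fire on a longer address that merely contains this
    # one, but allow a sentence-ending full stop after the domain.
    return rf"(?<!{ADDR_CHARS}){body}(?![a-z0-9-]|\.[a-z0-9])"

def build_matcher(addresses):
    """Compile all entries into one case-insensitive alternation."""
    return re.compile("|".join(address_to_regex(a) for a in addresses), re.I)

# Constructed sample entries (not taken from the real address database).
SAMPLE_LIST = ["claims.dept2009@example.com", "job*@example.net"]
MATCHER = build_matcher(SAMPLE_LIST)

def hits(message: str):
    """Return every listed address found anywhere in the message text."""
    return [m.group(0).lower() for m in MATCHER.finditer(message)]

if __name__ == "__main__":
    # Constructed message: one hit in a header, one in the body.
    msg = ("Reply-To: <Claims.Dept2010@example.com>\n\n"
           "Send your CV to job.offers@example.net.")
    print(hits(msg))
```

As the message warns, a matcher like this also fires on legitimate mail that merely quotes a listed address, which is one reason to score or quarantine on a match rather than delete.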
