Anti-spear-phishing, round 2

Rob Freeman rob at robhq.com
Thu Jan 8 00:49:16 GMT 2009


Sorry I missed this, and I did try to go back in the mailing list and try to
download it, but it just came back as a .bin file here in firefox to
download.  Can someone provide a link?

Thanks in advance

Rob

On Wed, Jan 7, 2009 at 4:14 PM, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:

>
>
> On 7/1/09 21:00, Gottschalk, David wrote:
>
>> Julian,
>>    Thanks for posting this! This is going to make my life a lot easier. I
>> plan on installing it on all of my machines with mailscanner. I'll let you
>> know how well it works. I've got it installed on one machine right now, I'm
>> just trying to figure out how to get the spam assassin rule actions to work
>> properly right now. For some reason it's not following the rule actions even
>> though it matches it.
>>
>>
> Check your maillog; that will show if anything is wrong. Don't put a comma
> in the text of the header for starters, it breaks my parser :-(
>
> If you get really stuck, feel free to ask for help :)
>
> Jules.
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:
>> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: Tuesday, January 06, 2009 5:20 PM
>> To: MailScanner discussion
>> Subject: Anti-spear-phishing, round 2
>>
>> I have done a load of work on my script that uses the anti-spear-phishing
>> addresses database.
>>
>> The main thing is now that it is pretty much a finished script, and is
>> directly usable by you guys without you having to do much to it except read
>> the settings at the top and tweak the filenames if you want to change where
>> it puts things.
>>
>> I have taken a lot of care to ensure that this won't match any false
>> alarms, I don't just dumbly look for the strings in any surrounding text,
>> which certain commercial AV vendors have been caught doing in the past!
>>
>> I make a suggestion in the comments at the top of the script about how I
>> use the rule within MailScanner, you probably want to do something similar,
>> and not just delete anything that matches, just in case you do get any false
>> alarms.
>>
>> It also looks for numbers at the end of the username bit of the address,
>> and assumes that these are numbers which the scammers may change; so if it
>> finds them, it replaces them with a pattern that will match any number
>> instead. There's starting to be a lot of this about, as it's the easiest way
>> for the scammers to try to defeat simple address lists targeted against
>> them, while still being able to remember what addresses they have to check
>> for replies from your dumb users. :-) I thought I would make it a tiny bit
>> harder for them...
>>
>> You can also add addresses of your own (which can include "*" as a
>> wildcard character to mean "any series of valid characters" in the email
>> address), one address per line, in an optional extra file. Again, read the
>> top of the script and you'll see it mentioned there. That file is optional,
>> it doesn't matter if it doesn't exist. As a starter, you might want to put m
>> i c h a e l l o u c a s * @ g m a i l . c o m (without the extra spaces) in
>> that file, as it will nicely catch a lot of "Job opportunity" spams.
>>
>> It looks for any of these addresses appearing **anywhere** in the message,
>> not just in the headers. So if you start talking to people about these
>> addresses, don't be surprised when the messages get caught by the trap.
>>
>> It does a "wget", so make sure you have that binary installed, or else
>> change the script to fetch the file by some other means.
>>
>> The very end of the script does a "service MailScanner restart", so if you
>> need some other command to restart MailScanner, then edit it for your
>> system. It needs to be a "restart" and not a "reload" as I have to force it
>> to re-build the database of SpamAssassin rules.
>>
>> My aim was that, on a RedHat system running MailScanner, you could just
>> copy the script into /etc/cron.hourly and make it executable, and it will
>> just get on with the job for you. I do advise you read the bit in the script
>> about "SpamAssassin Rule Actions" though.
>>
>> Please do let me know how you would like me to improve it, and tell me
>> what you think of it in general (be polite, now! :-)
>>
>> Cheers,
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> --
>> This message has been scanned for viruses and dangerous content by
>> MailScanner, and is believed to be clean.
>>
>>
>
> Jules
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
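As an added illustration of the rule building Jules describes above (trailing digits in the local part generalised to "any number", "*" as a wildcard, and no matching of an address buried inside surrounding text), here is a small Python example. It is not Jules's script and is not code from the MailScanner project: the one-address-per-line list format, the SpamAssassin rule names, the score and the sample addresses are all assumptions or constructed for the demonstration, and the wget fetch and the MailScanner restart are deliberately left out so the example runs offline.

```python
import re
from typing import List

# Constructed sample list (not real addresses): one entry per line, "*" is a
# wildcard meaning "any series of valid address characters", as in the post.
SAMPLE_ADDRESS_LIST = """
# constructed entries for demonstration only
scammer123@example.com
jobs*@example.net
Recruiter.Office@example.org
"""

# Characters treated as "part of an address": used for the "*" wildcard and for
# the boundary checks that stop a pattern matching inside a longer address.
_ADDR_CHARS = r"[\w.+-]"


def parse_address_list(text: str) -> List[str]:
    """Return the non-blank, non-comment entries of a one-address-per-line file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def address_to_regex(addr: str) -> str:
    """Build a Perl/Python-compatible regex for one address pattern.

    Mirrors the behaviour the post describes (assumed, not Jules's code):
      * matching is case-insensitive, so the pattern is lowercased;
      * a trailing run of digits in the local part becomes \\d+, so an entry
        scammer123@... also catches scammer124@... (an all-digit local part
        therefore matches any all-digit local part);
      * "*" becomes "any series of address characters";
      * every other character is literal, with regex metacharacters escaped;
      * look-around boundaries reject notscammer1@example.com and
        scammer1@example.com.evil for the entry scammer123@example.com.
    """
    local, at, domain = addr.lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address pattern: {addr!r}")
    # Mark trailing digits of the local part with a sentinel (a trailing "*" is untouched).
    local = re.sub(r"\d+$", "\x00", local)
    parts = []
    for ch in local + "@" + domain:
        if ch == "\x00":
            parts.append(r"\d+")
        elif ch == "*":
            parts.append(_ADDR_CHARS + "*")
        elif ch == "@":
            parts.append(r"\@")  # escaped so Perl never reads it as an array
        else:
            parts.append(re.escape(ch))
    return f"(?<!{_ADDR_CHARS}){''.join(parts)}(?!{_ADDR_CHARS})"


def build_rules(list_text: str, prefix: str = "SPEAR_PHISH_ADDR", score: float = 5.0) -> str:
    """Render SpamAssassin 'full' rules, i.e. matched against the whole raw
    message, headers included, which is the "anywhere in the message" behaviour.
    Rule name prefix and score are assumptions for the example."""
    lines = []
    for i, addr in enumerate(parse_address_list(list_text), 1):
        name = f"{prefix}_{i}"
        lines.append(f"full     {name}  /{address_to_regex(addr)}/i")
        lines.append(f"describe {name}  Message mentions listed spear-phishing address {addr}")
        lines.append(f"score    {name}  {score:.1f}")
    return "\n".join(lines) + "\n"


def matching_addresses(message: str, list_text: str) -> List[str]:
    """Offline check of the same regexes against a raw message (headers + body);
    useful for verifying a list entry before it goes into the rule set."""
    hits = []
    for addr in parse_address_list(list_text):
        if re.search(address_to_regex(addr), message, re.IGNORECASE):
            hits.append(addr)
    return hits


if __name__ == "__main__":
    print(build_rules(SAMPLE_ADDRESS_LIST))
```

Because the generated rules are `full` rules, a reply that merely quotes one of the listed addresses in its body will score too, which is exactly the "don't be surprised when the messages get caught by the trap" effect Jules mentions; keep the score below your delete threshold and act on the rule through MailScanner's rule actions rather than discarding outright.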