Anti-spear-phishing, round 2

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 8 18:30:09 GMT 2009


Do you have "Log Spam = yes" in your MailScanner.conf?
If so, you should see logging of the actions that are produced by this 
setting.
I assume you're running a recent version of MailScanner.
Also, remove the space before the word "header", just in case that 
matters. That line is very hard to parse.

On 8/1/09 15:17, Gottschalk, David wrote:
> Well, I messed around with it some more this AM, but still no luck.
>
> SpamAssassin is seeing the new rule, and filtering properly (I can see it score the message in the logs when I send a test message to one of the filter addresses); however, for some reason it's not following my rule in MailScanner.conf. Here is what I have:
>
> SpamAssassin Rule Actions = JKF_ANTI_PHISH=>not-deliver,store,forward dgottsc at emory.edu, header "X-Anti-Phish: Was to _TO_"
>
> Any ideas?
>
> David Gottschalk
> Emory University
> UTS Messaging Team
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Wednesday, January 07, 2009 5:14 PM
> To: MailScanner discussion
> Subject: Re: Anti-spear-phishing, round 2
>
>
>
> On 7/1/09 21:00, Gottschalk, David wrote:
>> Julian,
>>      Thanks for posting this! This is going to make my life a lot easier. I plan on installing it on all of my machines with MailScanner. I'll let you know how well it works. I've got it installed on one machine right now, I'm just trying to figure out how to get the SpamAssassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it.
>>
> Check your maillog, that will show if anything is wrong. Don't put a
> comma in the text of the header for starters, it breaks my parser :-(
>
> If you get really stuck, feel free to ask for help :)
>
> Jules.
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: Tuesday, January 06, 2009 5:20 PM
>> To: MailScanner discussion
>> Subject: Anti-spear-phishing, round 2
>>
>> I have done a load of work on my script that uses the anti-spear-phishing addresses database.
>>
>> The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things.
>>
>> I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past!
>>
>> I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms.
>>
>> It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them...
>>
>> You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. As a starter, you might want to put m i c h a e l l o u c a s * @ g m a i l . c o m (without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams.
>>
>> It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap.
>>
>> It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means.
>>
>> The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules.
>>
>> My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though.
>>
>> Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-)
>>
>> Cheers,
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> --
>> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>>
>>
>> This e-mail message (including any attachments) is for the sole use of
>> the intended recipient(s) and may contain confidential and privileged
>> information.  If the reader of this message is not the intended
>> recipient, you are hereby notified that any dissemination, distribution
>> or copying of this message (including any attachments) is strictly
>> prohibited.
>>
>> If you have received this message in error, please contact
>> the sender by reply e-mail message and destroy all copies of the
>> original message (including attachments).
>>
>
> Jules
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Jules



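The matching rules the thread describes (trailing digits on the local part widened to "any number", "*" as a wildcard, the address looked for anywhere in the raw message, and no hit when a listed address merely appears inside a longer one) written out as an added Python example. This is not Julian's script and not MailScanner or SpamAssassin code; the address list and the test message are constructed, the helper names are mine, and the SpamAssassin rule layout (per-address header and rawbody subrules joined by a meta rule) is this example's own assumption. Only the rule name JKF_ANTI_PHISH comes from the thread.

```python
import re

# Constructed sample list: one address per line, "*" meaning "any run of valid
# address characters", as the post describes.  Comments and blank lines are skipped.
SAMPLE_ADDRESSES = """\
# addresses scammers ask victims to reply to (constructed examples)
reply.here42@example.com
recruiter7@example.net
jobs*@example.org
"""

# Constructed test message: headers plus body, with one numbered variant of a
# listed address, one wildcard match, and one longer address that must NOT count.
SAMPLE_MESSAGE = """\
From: "HR Department" <hr@example.com>
To: someone@example.edu
Subject: Job opportunity
Reply-To: reply.here77@example.com

Send your CV to jobs-2009@example.org today.
Questions go to notreply.here42@example.com.
"""

ADDR_CHARS = r"[A-Za-z0-9._%+-]"   # characters treated as part of an address


def load_addresses(text):
    """Parse the optional address file: one address per line, '#' comments allowed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def wildcard_to_regex(text):
    """Escape text literally except '*', which becomes a run of address characters."""
    return "".join(ADDR_CHARS + "*" if piece == "*" else re.escape(piece)
                   for piece in re.split(r"(\*)", text) if piece)


def address_to_regex(addr):
    """Turn one listed address into an anchored regular expression.

    - trailing digits on the local part become [0-9]+, so reply.here42 also
      catches reply.here43, reply.here9999, ... (the trick the post describes);
    - '*' expands to a run of address characters;
    - lookarounds fence the pattern so it only matches a complete address, not a
      substring of a longer one (notreply.here42@example.com or
      reply.here42@example.com.evil must not hit).  A full stop ending the
      sentence after the address is still allowed.
    """
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    stem = re.fullmatch(r"(.*?)[0-9]+", local)
    local_re = (wildcard_to_regex(stem.group(1)) + "[0-9]+") if stem \
        else wildcard_to_regex(local)
    return rf"(?<!{ADDR_CHARS}){local_re}@{wildcard_to_regex(domain)}(?!\.?[A-Za-z0-9-])"


def compile_trap(text):
    """One case-insensitive pattern covering every listed address."""
    return re.compile("|".join(address_to_regex(a) for a in load_addresses(text)),
                      re.IGNORECASE)


def find_trap_hits(trap, message):
    """Addresses found anywhere in the raw message, headers and body alike."""
    return sorted({m.group(0).lower() for m in trap.finditer(message)})


def spamassassin_rules(text, name="JKF_ANTI_PHISH", score=10.0):
    """Render the list as a SpamAssassin rules file.  The rule name is the one used
    in the thread; the layout (header and rawbody subrules joined by a meta rule)
    is this example's own choice, not the real script's output."""
    lines, subrules = [], []
    for i, addr in enumerate(load_addresses(text)):
        rx = address_to_regex(addr)
        lines.append(f"header   __{name}_H{i} ALL =~ /{rx}/i")
        lines.append(f"rawbody  __{name}_B{i} /{rx}/i")
        subrules += [f"__{name}_H{i}", f"__{name}_B{i}"]
    lines.append(f"meta     {name} ({' || '.join(subrules)})")
    lines.append(f"describe {name} Mentions a known spear-phishing reply address")
    lines.append(f"score    {name} {score}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    trap = compile_trap(SAMPLE_ADDRESSES)
    print("hits:", find_trap_hits(trap, SAMPLE_MESSAGE))
    print(spamassassin_rules(SAMPLE_ADDRESSES))
```

Run it stand-alone and the hits are the numbered Reply-To variant and the wildcard match, while the longer notreply address is ignored; the generated rules are plain Perl-compatible regexes, so the same lookarounds work once SpamAssassin loads them, and, as the thread says, a full restart rather than a reload is needed for MailScanner to pick up the rebuilt rule set.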


