Anti-spear-phishing, round 2

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 8 18:32:32 GMT 2009



On 8/1/09 17:54, Mark Sapiro wrote:
> Julian Field wrote:
>    
>> It also looks for numbers at the end of the username bit of the address,
>> and assumes that these are numbers which the scammers may change; so if
>> it finds them, it replaces them with a pattern that will match any
>> number instead.
>>      
>
>
> I don't know how significant this is, but in some cases this generates
> duplicate regexps. For example, there are two addresses (spaces
> inserted here so I don't trigger the rule) zenithbkloan03 @ comcast.net
> and zenithbkloan05 @ comcast.net in the google list. This generates the
> regexp (zenithbkloan\d+\@comcast\.net) twice in the generated rules.
>    
Yes, fair enough, the resulting rules aren't 100% optimal. But it's 
pretty close, so I wouldn't worry about it. As they are sorted into 
alphabetical order, the duplicate rules will be in the same rule, so in 
the same regexp, with the result that Perl will optimise out the 
duplicate one anyway.

So I really wouldn't worry about that. It's not worth fixing. But I will 
anyway :-)
> Also, I've been running this for a few days, and other than testing,
> I've gotten no hits on this rule. Just lucky I guess.
>    
Some sites get hit by spear-phishing more than others. Particularly 
educational institutions.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
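
The trailing-number generalisation and the duplicate patterns discussed in this message, as an added example that is not part of the original post and is not the MailScanner script itself (it is Python, not Perl). All function names are hypothetical, the example.org/example.com addresses are constructed, and keeping an all-digit username literal is an assumption of this sketch.

```python
import re

# The two comcast.net addresses are the ones quoted in the thread; the rest are constructed.
SAMPLE_ADDRESSES = [
    "zenithbkloan03@comcast.net",
    "zenithbkloan05@comcast.net",
    "Claims.Dept@example.org",
    "20090108@example.com",
    "not-an-address",
]

def quotemeta(text):
    """Backslash-escape every non-word character, like Perl's quotemeta."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)

def address_to_pattern(address):
    """Return the regex source for one address, or None if it is malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    stem = local.rstrip("0123456789")
    if stem and stem != local:
        # Trailing number on the username: match any number in its place.
        local_re = quotemeta(stem) + r"\d+"
    else:
        # No trailing number, or an all-digit username. Assumption: keep it
        # literal so the rule cannot match every numeric user at the domain.
        local_re = quotemeta(local)
    return local_re + r"\@" + quotemeta(domain)

def build_patterns(addresses):
    """Generalise each address, drop duplicates, return the patterns sorted."""
    patterns = {address_to_pattern(a) for a in addresses}
    patterns.discard(None)
    return sorted(patterns)

def compile_rule(patterns):
    """Join the patterns into one alternation that matches whole addresses only."""
    body = "|".join(patterns)
    return re.compile(r"(?<![\w.])(?:" + body + r")(?!\w)", re.IGNORECASE | re.ASCII)

if __name__ == "__main__":
    for pattern in build_patterns(SAMPLE_ADDRESSES):
        print(pattern)
```

De-duplicating before the rule is written means the two zenithbkloan addresses produce a single alternative, so the result no longer depends on the regex engine discarding the repeat.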

