Anti-spear-phishing, round 2

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Sun Jan 11 13:13:07 GMT 2009


Guy Story KC5GOI wrote:
> Kai,  I need to clarify my question then.  I did read over the script and if I understand it, please bear in mind I do not pretend to program, that it downloads the data from Google and turns it into a rule for SA.  The rule itself provides inbound, outbound and content filtering using the email addresses that are provided by the Google list.  Between Jules' postings and the comments in the script, if I am understanding it correctly, then that is a huge testimony on Jules' commenting in the file.  That is a huge help for non-programmers and I thank him.
>
> I understand that since I do not have the current release of MS that I can not take full advantage of what Jules has done.  I am currently using 7.10 of Ubuntu so I need to make sure that I can satisfy the dependencies to perform the upgrade.  This is a time issue since I am a one man department.
>
> As a temporary solution I downloaded the list and used it to create a list that I added to my spam blacklist rule with FromOrTo so I can filter on two of three points. 
>
> The downside to my current approach is lack of content scanning and a manual updating process instead of using Jules' script in cron.hourly.  Not ideal but a start.  It takes me 5 minutes to do this where Jules' script probably does it in less than 30 seconds (download, convert, copy and restart MS)  and is more current.  I might do this once a week.  I understand that the address list could update literally on an hourly basis.  The rate of updates is up to Google and I have not read through the project fully yet.
>
> My original and poorly worded question was more along the lines of how much work MS has to do using the list of addresses in the spam blacklist versus a SA rule.  Is it more work processing the blacklist than the SA rule?
>
> Guy
>   

Guy,

I'm pretty sure you can use Julian's script in an older version of MS 
but you will have to use it to add to the SA score and then rely on your 
Required SpamAssassin Score or High SpamAssassin Score to 
quarantine/delete the emails.

If you were to assign a score of, let's say, 15 to $SA_score in Julian's 
Spear.Phishing.Rules script, you could bump those emails into high 
scoring spam and then do whatever you want to them without having to use 
SpamAssassin Rule Actions at all.

Denis
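
An added example, not part of the original thread and not Julian's Spear.Phishing.Rules script: a sketch of the list-to-rule conversion discussed above, emitting SpamAssassin rules that match listed addresses as sender, recipient or body content and score them 15. The list layout ("address,extra fields"), the rule names and the chunk size are assumptions, and the sample addresses are constructed.

```python
import re

SA_SCORE = 15.0  # the score suggested in the reply above
CHUNK = 50       # assumption: addresses per rule, keeps each regex short

# Constructed sample list; the "address,extra fields" layout is an assumption.
SAMPLE = """\
# constructed sample, not real data
helpdesk.upgrade@example.com,A,20090105
Helpdesk.Upgrade@example.com,A,20090107
webmail-admin@example.net
not an address
"""

ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")

def parse_addresses(text):
    """Unique, lower-cased addresses; comments and malformed lines are dropped."""
    found = set()
    for line in text.splitlines():
        addr = line.split("#", 1)[0].split(",", 1)[0].strip().lower()
        if ADDR_RE.match(addr):
            found.add(addr)
    return sorted(found)

def sa_escape(addr):
    """Backslash-escape every non-alphanumeric so '.', '+' and '@' match literally."""
    return re.sub(r"([^a-z0-9])", r"\\\1", addr)

def build_rules(addrs, score=SA_SCORE, chunk=CHUNK):
    """One scored meta rule per chunk covering sender, recipient and body matches."""
    out = []
    for i in range(0, len(addrs), chunk):
        name = f"SPEAR_ADDR_{i // chunk + 1}"  # hypothetical rule name
        alt = "|".join(sa_escape(a) for a in addrs[i:i + chunk])
        out += [
            f"header   __{name}_FROM From:addr =~ /^(?:{alt})$/i",
            f"header   __{name}_RT   Reply-To:addr =~ /^(?:{alt})$/i",
            f"header   __{name}_TO   ToCc =~ /\\b(?:{alt})\\b/i",
            f"body     __{name}_BODY /\\b(?:{alt})\\b/i",
            f"meta     {name} (__{name}_FROM || __{name}_RT || __{name}_TO || __{name}_BODY)",
            f"describe {name} Address on the anti-spear-phishing list",
            f"score    {name} {score:.1f}",
        ]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_rules(parse_addresses(SAMPLE)), end="")
```

Running `spamassassin --lint` on the generated file before restarting MS catches a malformed regex before it reaches production.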

