Anti-spear-phishing, round 2

Denis Beauchemin Denis.Beauchemin at
Mon Jan 12 14:12:23 GMT 2009

Julian Field a écrit :
> I have done a load of work on my script that uses the 
> anti-spear-phishing addresses database.
> The main thing is now that it is pretty much a finished script, and is 
> directly usable by you guys without you having to do much to it except 
> read the settings at the top and tweak the filenames if you want to 
> change where it puts things.
> I have taken a lot of care to ensure that this won't match any false 
> alarms, I don't just dumbly look for the strings in any surrounding 
> text, which certain commercial AV vendors have been caught doing in 
> the past!
> I make a suggestion in the comments at the top of the script about how 
> I use the rule within MailScanner, you probably want to do something 
> similar, and not just delete anything that matches, just in case you 
> do get any false alarms.
> It also looks for numbers at the end of the username bit of the 
> address, and assumes that these are numbers which the scammers may 
> change; so if it finds them, it replaces them with a pattern that will 
> match any number instead. There's starting to be a lot of this about, 
> as it's the easiest way for the scammers to try to defeat simple 
> address lists targeted against them, while still being able to 
> remember what addresses they have to check for replies from your dumb 
> users. :-) I thought I would make it a tiny bit harder for them...
> You can also add addresses of your own (which can include "*" as a 
> wildcard character to mean "any series of valid characters" in the 
> email address), one address per line, in an optional extra file. 
> Again, read the top of the script and you'll see it mentioned there. 
> That file is optional, it doesn't matter if it doesn't exist. As a 
> starter, you might want to put
> m i c h a e l l o u c a s * @ g m a i l . c o m
> (without the extra spaces) in that file, as it will nicely catch a lot 
> of "Job opportunity" spams.
> It looks for any of these addresses appearing **anywhere** in the 
> message, not just in the headers. So if you start talking to people 
> about these addresses, don't be surprised when the messages get caught 
> by the trap.
> It does a "wget", so make sure you have that binary installed, or else 
> change the script to fetch the file by some other means.
> The very end of the script does a "service MailScanner restart", so if 
> you need some other command to restart MailScanner, then edit it for 
> your system. It needs to be a "restart" and not a "reload" as I have 
> to force it to re-build the database of SpamAssassin rules.
> My aim was that, on a RedHat system running MailScanner, you could 
> just copy the script into /etc/cron.hourly and make it executable, and 
> it will just get on with the job for you. I do advise you read the bit 
> in the script about "SpamAssassin Rule Actions" though.
> Please do let me know how you would like me to improve it, and tell me 
> what you think of it in general (be polite, now! :-)
> Cheers,
> Jules


I got what really looks like a FP with one of the email addresses from 
your script... what would be the best way to correct this ?  Write an SA 
rule with a negative score for that address ? Or is there some 
whitelisting mechanism built in ?


PS: the address is jmcelhaney @ uchc . edu (without the spaces).
PPS: so far the script seems to have catched about a dozen malicious emails.

  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

More information about the MailScanner mailing list