Anti-Phishing Update -- New data feed

Mon Jun 15 17:26:08 IST 2009

On 6/15/2009 5:55 PM, Julian Field wrote:
> 
> 
> On 15/06/2009 16:42, Alex Broens wrote:
>> On 6/15/2009 5:18 PM, Julian Field wrote:
>>>
>>>
>>> On 15/06/2009 15:47, Alex Broens wrote:
>>>> On 6/15/2009 4:32 PM, Julian Field wrote:
>>>>>
>>>>>
>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote:
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: mailscanner-bounces at lists.mailscanner.info 
>>>>>>> [mailto:mailscanner-
>>>>>>> bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>>>>>> Sent: 15. juni 2009 13:01
>>>>>>> To: MailScanner discussion
>>>>>>> Subject: Anti-Phishing Update -- New data feed
>>>>>>>
>>>>>>> I have gained a new reliable feed of email addresses known to be 
>>>>>>> used
>>>>>>> in
>>>>>>> phishing attacks.
>>>>>>> I have therefore updated my anti-spear-phishing scripts to catch any
>>>>>>> mail mentioning these email addresses as well. I know quite a few of
>>>>>>> you
>>>>>>> have found this script to be useful.
>>>>>>>
>>>>>>> You can see the new article and download the script at
>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>>>>>>
>>>>>>> Please do try it out and let me know what you think!
>>>>>>>
>>>>>> Hi Julian.
>>>>>>
>>>>>> Currently testing version 2 of the script, I never got round to 
>>>>>> testing the
>>>>>> old one.
>>>>>>
>>>>>> I was just wondering, do this feed have anything to do with the 
>>>>>> EMAILBL
>>>>>> plugin/project announced on the SA list?
>>>>> Can you send me a URL for it or something to look at please?
>>>>> Until I've read that, I can't tell you whether it is related or 
>>>>> not, they might be getting a data feed from the same place I do. 
>>>>> But mine is commercially generated.
>>>>
>>>> Jules,
>>>> EmailBL is an experimental list which is being run till July 1, as a 
>>>> proof of concept and in its current form will be discontinued.
>>>>
>>>> The data is not from the same feed.
>>>>
>>>> atm, there's no need to invest time in this for MailScanner as 
>>>> nobody knows if it will be continued under another name, who will 
>>>> mirror it, etc, etc
>>> Thanks for that info. My list of phishing email addresses has a very 
>>> good future and will be supported for the forseeable future, as it 
>>> produced by a very large commercial entity, whose internet-based 
>>> services you have almost certainly used at some point.
>>
>> and what entity is this?
> Sorry, that is covered by a very big NDA.
>>
>> the EmailBL targets only freemailer email addr, not only sender, but 
>> also reply-to and in msg body and being it a RBL, deployment is very 
>> fast, 1 min updates so there may be overlap or missed stuff, by one or 
>> the other.
> Mine targets the address appearing anywhere in the headers or body of 
> the message. Or slight variations of the address as well.
>> jkf.anti-spear-phishing.cf look nice...
>> how often is it updated?
> I currently update it about every 11 minutes. Though it doesn't change 
> on every update if it doesn't need to, obviously.

Jules,

Looking at the produced SA rule, using a "full" type of rule are pretty 
slow + the size may make it "hoggy".

As apparently the source provides a key for body/reply-to/etc, imo, it 
may be worth it to try to apply this to the SA rules and create 
optimized header and body rules.
otherwise, the data is real good.

Alex