Anti-Phishing Update -- New data feed

Alex Broens ms-list at alexb.ch
Mon Jun 15 17:26:08 IST 2009


On 6/15/2009 5:55 PM, Julian Field wrote:
> 
> 
> On 15/06/2009 16:42, Alex Broens wrote:
>> On 6/15/2009 5:18 PM, Julian Field wrote:
>>>
>>>
>>> On 15/06/2009 15:47, Alex Broens wrote:
>>>> On 6/15/2009 4:32 PM, Julian Field wrote:
>>>>>
>>>>>
>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote:
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: mailscanner-bounces at lists.mailscanner.info 
>>>>>>> [mailto:mailscanner-
>>>>>>> bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>>>>>> Sent: 15. juni 2009 13:01
>>>>>>> To: MailScanner discussion
>>>>>>> Subject: Anti-Phishing Update -- New data feed
>>>>>>>
>>>>>>> I have gained a new reliable feed of email addresses known to be 
>>>>>>> used
>>>>>>> in
>>>>>>> phishing attacks.
>>>>>>> I have therefore updated my anti-spear-phishing scripts to catch any
>>>>>>> mail mentioning these email addresses as well. I know quite a few of
>>>>>>> you
>>>>>>> have found this script to be useful.
>>>>>>>
>>>>>>> You can see the new article and download the script at
>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>>>>>>
>>>>>>> Please do try it out and let me know what you think!
>>>>>>>
>>>>>> Hi Julian.
>>>>>>
>>>>>> Currently testing version 2 of the script, I never got round to 
>>>>>> testing the
>>>>>> old one.
>>>>>>
>>>>>> I was just wondering, does this feed have anything to do with the 
>>>>>> EMAILBL
>>>>>> plugin/project announced on the SA list?
>>>>> Can you send me a URL for it or something to look at please?
>>>>> Until I've read that, I can't tell you whether it is related or 
>>>>> not, they might be getting a data feed from the same place I do. 
>>>>> But mine is commercially generated.
>>>>
>>>> Jules,
>>>> EmailBL is an experimental list which is being run till July 1, as a 
>>>> proof of concept and in its current form will be discontinued.
>>>>
>>>> The data is not from the same feed.
>>>>
>>>> atm, there's no need to invest time in this for MailScanner as 
>>>> nobody knows if it will be continued under another name, who will 
>>>> mirror it, etc, etc
>>> Thanks for that info. My list of phishing email addresses has a very 
>>> good future and will be supported for the foreseeable future, as it is 
>>> produced by a very large commercial entity, whose internet-based 
>>> services you have almost certainly used at some point.
>>
>> and what entity is this?
> Sorry, that is covered by a very big NDA.
>>
>> the EmailBL targets only freemailer email addresses, not only the sender, but 
>> also reply-to and in the msg body, and it being an RBL, deployment is very 
>> fast, 1 min updates, so there may be overlap or missed stuff, by one or 
>> the other.
> Mine targets the address appearing anywhere in the headers or body of 
> the message. Or slight variations of the address as well.
>> jkf.anti-spear-phishing.cf looks nice...
>> how often is it updated?
> I currently update it about every 11 minutes. Though it doesn't change 
> on every update if it doesn't need to, obviously.

Jules,

Looking at the produced SA rule, using a "full" type of rule is pretty 
slow + the size may make it "hoggy".

As apparently the source provides a key for body/reply-to/etc, imo, it 
may be worth it to try to apply this to the SA rules and create 
optimized header and body rules.
Otherwise, the data is really good.

Alex
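As an added illustration of the point made above about "full" rules versus targeted header and body rules, here is a SpamAssassin rule fragment. It is not part of this thread and not Julian's generated jkf.anti-spear-phishing.cf; the address phisher@example.com and the rule names are constructed placeholders. It shows the same known phishing address matched first with a single `full` rule (the slow form, scanning the entire raw message) and then split into narrow `header` and `body` rules combined by a `meta` rule, which is the shape Alex suggests.

```conf
# --- Slow form: one "full" rule scans the complete raw message text.
# Every listed address adds another pass over the whole message.
full     JKF_PHISH_FULL   /\bphisher\@example\.com\b/i
describe JKF_PHISH_FULL   Known phishing address anywhere in raw message (slow form)
score    JKF_PHISH_FULL   5.0

# --- Faster form: narrow sub-rules on the header fields where a phishing
# reply address actually appears, plus a rendered-body rule.
# Names starting with "__" are sub-rules: they score nothing on their own
# and exist only to be combined below.
header   __JKF_PHISH_FROM     From =~ /\bphisher\@example\.com\b/i
header   __JKF_PHISH_REPLYTO  Reply-To =~ /\bphisher\@example\.com\b/i
body     __JKF_PHISH_BODY     /\bphisher\@example\.com\b/i

# One scoring rule fires if the address is seen in any of those places.
meta     JKF_PHISH_ANY    (__JKF_PHISH_FROM || __JKF_PHISH_REPLYTO || __JKF_PHISH_BODY)
describe JKF_PHISH_ANY    Known phishing reply address in From, Reply-To or body
score    JKF_PHISH_ANY    5.0
```

When a feed keys each address by where it was observed (sender, reply-to, body), a generator can emit only the sub-rule that applies to each entry instead of a catch-all `full` rule, which keeps the rule count and per-message work proportional to the data. Check the result with `spamassassin --lint` before deploying, and remember that `body` rules see the rendered text, so addresses in HTML attributes or raw MIME parts need a `rawbody` rule instead.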