Anti-Phishing Update -- New data feed

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jun 15 18:14:13 IST 2009 


On 15/06/2009 17:26, Alex Broens wrote:
> On 6/15/2009 5:55 PM, Julian Field wrote:
>>
>>
>> On 15/06/2009 16:42, Alex Broens wrote:
>>> On 6/15/2009 5:18 PM, Julian Field wrote:
>>>>
>>>>
>>>> On 15/06/2009 15:47, Alex Broens wrote:
>>>>> On 6/15/2009 4:32 PM, Julian Field wrote:
>>>>>>
>>>>>>
>>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote:
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: mailscanner-bounces at lists.mailscanner.info 
>>>>>>>> [mailto:mailscanner-
>>>>>>>> bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>>>>>>> Sent: 15. juni 2009 13:01
>>>>>>>> To: MailScanner discussion
>>>>>>>> Subject: Anti-Phishing Update -- New data feed
>>>>>>>>
>>>>>>>> I have gained a new reliable feed of email addresses known to 
>>>>>>>> be used
>>>>>>>> in
>>>>>>>> phishing attacks.
>>>>>>>> I have therefore updated my anti-spear-phishing scripts to 
>>>>>>>> catch any
>>>>>>>> mail mentioning these email addresses as well. I know quite a 
>>>>>>>> few of
>>>>>>>> you
>>>>>>>> have found this script to be useful.
>>>>>>>>
>>>>>>>> You can see the new article and download the script at
>>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>>>>>>>
>>>>>>>> Please do try it out and let me know what you think!
>>>>>>>>
>>>>>>> Hi Julian.
>>>>>>>
>>>>>>> Currently testing version 2 of the script, I never got round to 
>>>>>>> testing the
>>>>>>> old one.
>>>>>>>
>>>>>>> I was just wondering, do this feed have anything to do with the 
>>>>>>> EMAILBL
>>>>>>> plugin/project announced on the SA list?
>>>>>> Can you send me a URL for it or something to look at please?
>>>>>> Until I've read that, I can't tell you whether it is related or 
>>>>>> not, they might be getting a data feed from the same place I do. 
>>>>>> But mine is commercially generated.
>>>>>
>>>>> Jules,
>>>>> EmailBL is an experimental list which is being run till July 1, as 
>>>>> a proof of concept and in its current form will be discontinued.
>>>>>
>>>>> The data is not from the same feed.
>>>>>
>>>>> atm, there's no need to invest time in this for MailScanner as 
>>>>> nobody knows if it will be continued under another name, who will 
>>>>> mirror it, etc, etc
>>>> Thanks for that info. My list of phishing email addresses has a 
>>>> very good future and will be supported for the forseeable future, 
>>>> as it produced by a very large commercial entity, whose 
>>>> internet-based services you have almost certainly used at some point.
>>>
>>> and what entity is this?
>> Sorry, that is covered by a very big NDA.
>>>
>>> the EmailBL targets only freemailer email addr, not only sender, but 
>>> also reply-to and in msg body and being it a RBL, deployment is very 
>>> fast, 1 min updates so there may be overlap or missed stuff, by one 
>>> or the other.
>> Mine targets the address appearing anywhere in the headers or body of 
>> the message. Or slight variations of the address as well.
>>> jkf.anti-spear-phishing.cf look nice...
>>> how often is it updated?
>> I currently update it about every 11 minutes. Though it doesn't 
>> change on every update if it doesn't need to, obviously.
>
> Jules,
>
> Looking at the produced SA rule, using a "full" type of rule are 
> pretty slow + the size may make it "hoggy".
>
> As apparently the source provides a key for body/reply-to/etc, imo, it 
> may be worth it to try to apply this to the SA rules and create 
> optimized header and body rules.
> otherwise, the data is real good.
I need to apply the rules to the entire message body and headers, as 
they frequently put the email address just in the body of the message 
inside some link or other. So how would creating separate header and 
body rules be any better?

I do at least sort the data alphabetically (pretty much) so that the 
regexp compiler in Perl can produce optimised FSMs that can knock out 
many of the regexps just by looking at the first character, without 
having to test any further.

I also protect the regexp by designing it to minimise false positives, 
in that it must be preceded and followed by things that aren't part of 
an email address, which many of my competitors don't take the effort to 
do. There's nothing worse than a protection system which causes loads of 
false alarms.

>
> Alex
>
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list