Anti-Phishing Update -- New data feed

Alex Broens ms-list at alexb.ch
Mon Jun 15 18:34:09 IST 2009


On 6/15/2009 7:14 PM, Julian Field wrote:
> 
> 
> On 15/06/2009 17:26, Alex Broens wrote:
>> On 6/15/2009 5:55 PM, Julian Field wrote:
>>>
>>>
>>> On 15/06/2009 16:42, Alex Broens wrote:
>>>> On 6/15/2009 5:18 PM, Julian Field wrote:
>>>>>
>>>>>
>>>>> On 15/06/2009 15:47, Alex Broens wrote:
>>>>>> On 6/15/2009 4:32 PM, Julian Field wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote:
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>>>>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>>>>>>>> Sent: 15. juni 2009 13:01
>>>>>>>>> To: MailScanner discussion
>>>>>>>>> Subject: Anti-Phishing Update -- New data feed
>>>>>>>>>
>>>>>>>>> I have gained a new reliable feed of email addresses known to
>>>>>>>>> be used in phishing attacks.
>>>>>>>>> I have therefore updated my anti-spear-phishing scripts to
>>>>>>>>> catch any mail mentioning these email addresses as well. I know
>>>>>>>>> quite a few of you have found this script to be useful.
>>>>>>>>>
>>>>>>>>> You can see the new article and download the script at
>>>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>>>>>>>>
>>>>>>>>> Please do try it out and let me know what you think!
>>>>>>>>>
>>>>>>>> Hi Julian.
>>>>>>>>
>>>>>>>> Currently testing version 2 of the script, I never got round to
>>>>>>>> testing the old one.
>>>>>>>>
>>>>>>>> I was just wondering, does this feed have anything to do with the
>>>>>>>> EMAILBL plugin/project announced on the SA list?
>>>>>>> Can you send me a URL for it or something to look at please?
>>>>>>> Until I've read that, I can't tell you whether it is related or 
>>>>>>> not, they might be getting a data feed from the same place I do. 
>>>>>>> But mine is commercially generated.
>>>>>>
>>>>>> Jules,
>>>>>> EmailBL is an experimental list which is being run till July 1, as 
>>>>>> a proof of concept and in its current form will be discontinued.
>>>>>>
>>>>>> The data is not from the same feed.
>>>>>>
>>>>>> atm, there's no need to invest time in this for MailScanner as 
>>>>>> nobody knows if it will be continued under another name, who will 
>>>>>> mirror it, etc, etc
>>>>> Thanks for that info. My list of phishing email addresses has a 
>>>>> very good future and will be supported for the foreseeable future, 
>>>>> as it is produced by a very large commercial entity, whose 
>>>>> internet-based services you have almost certainly used at some point.
>>>>
>>>> and what entity is this?
>>> Sorry, that is covered by a very big NDA.
>>>>
>>>> the EmailBL targets only freemailer email addrs, not only the sender, but 
>>>> also reply-to and in the msg body, and it being an RBL, deployment is very 
>>>> fast, 1 min updates, so there may be overlap or missed stuff, by one 
>>>> or the other.
>>> Mine targets the address appearing anywhere in the headers or body of 
>>> the message. Or slight variations of the address as well.
>>>> jkf.anti-spear-phishing.cf looks nice...
>>>> how often is it updated?
>>> I currently update it about every 11 minutes. Though it doesn't 
>>> change on every update if it doesn't need to, obviously.
>>
>> Jules,
>>
>> Looking at the produced SA rule, using a "full" type of rule is 
>> pretty slow + the size may make it "hoggy".
>>
>> As apparently the source provides a key for body/reply-to/etc, imo, it 
>> may be worth it to try to apply this to the SA rules and create 
>> optimized header and body rules.
>> Otherwise, the data is really good.
> I need to apply the rules to the entire message body and headers, as 
> they frequently put the email address just in the body of the message 
> inside some link or other. So how would creating separate header and 
> body rules be any better?

I'm not savvy enough in Perl & SA to give you the scientific reason, but 
it's been common practice to avoid full rules if possible.

You'd have to ask one of the core SA devs...  maybe Matt Kettler can 
jump in and tell me I'm totally off and that my understanding is wrong.


Alex
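A worked example added here to illustrate the two rule shapes the thread argues about; it is not part of the thread and not Julian's script (which is not on this page). It takes a constructed list of addresses, emits a SpamAssassin .cf fragment in both forms, one `full` rule and a split `header`/`rawbody` pair combined by a `meta` rule, and then emulates where each type would fire on two constructed messages: one with the address only in Reply-To, one with it only inside the HTML body as a mailto: link target and as obfuscated text. The `JKF_PHISH` rule names, the sample addresses, and the particular "variations" tolerated (whitespace around the `@`, `@` spelled `[at]` or `(at)`) are assumptions, since the page does not say what the real script matches.

```python
import re

# Constructed sample feed for this example; these addresses are invented and
# are not from the commercial feed discussed in the thread.
PHISH_ADDRESSES = [
    "refund-desk@example.net",
    "secure.verify@example.org",
]


def address_regex(addr):
    """Perl-compatible regex for one feed address.

    Assumption: the thread's 'slight variations' are not specified, so this
    example tolerates whitespace around the '@' and '@' spelled '[at]' or
    '(at)'. Dots and hyphens are escaped so they match literally.
    """
    local, domain = addr.lower().split("@", 1)
    at = r"\s*(?:@|\[at\]|\(at\))\s*"
    return r"\b" + re.escape(local) + at + re.escape(domain) + r"\b"


def alternation(addresses):
    """Join all address patterns into one non-capturing alternation."""
    return "(?:" + "|".join(address_regex(a) for a in addresses) + ")"


def sa_rules(addresses, prefix="JKF_PHISH"):
    """Emit a SpamAssassin .cf fragment in both shapes discussed in the thread.

    The 'full' rule scans the pristine (undecoded) headers+body in one pass.
    The split version uses 'header ... ALL' for every header and 'rawbody'
    for the decoded body with HTML tags intact, so an address that only
    appears as a mailto: href target is still visible. Sub-rules start with
    '__' so only the meta rule carries a score.
    """
    alts = alternation(addresses)
    return "\n".join([
        "# one 'full' rule over the whole raw message",
        f"full {prefix}_FULL /{alts}/i",
        f"describe {prefix}_FULL Known phishing address anywhere in message",
        f"score {prefix}_FULL 5.0",
        "",
        "# split alternative: header + rawbody sub-rules combined by a meta rule",
        f"header __{prefix}_HDR ALL =~ /{alts}/i",
        f"rawbody __{prefix}_BODY /{alts}/i",
        f"meta {prefix} (__{prefix}_HDR || __{prefix}_BODY)",
        f"describe {prefix} Known phishing address in headers or body",
        f"score {prefix} 5.0",
    ]) + "\n"


def scan(raw_message, addresses):
    """Emulate where each rule type would fire on a raw message.

    Simplification: headers and body are split at the first blank line and
    the body is assumed to be unencoded text, which is what a 'rawbody' rule
    sees after SpamAssassin's transfer decoding.
    """
    pat = re.compile(alternation(addresses), re.IGNORECASE)
    head, _, body = raw_message.partition("\n\n")
    return {
        "header": pat.search(head) is not None,
        "rawbody": pat.search(body) is not None,
        "full": pat.search(raw_message) is not None,
    }


# Constructed messages: the address sits only in Reply-To in the first, and
# only inside the HTML body (as a link target and obfuscated text) in the second.
MSG_HEADER_ONLY = (
    'From: "Bank Support" <support@example.com>\n'
    "Reply-To: refund-desk@example.net\n"
    "To: victim@example.org\n"
    "Subject: Account notice\n"
    "\n"
    "Please respond to this message within 24 hours.\n"
)

MSG_BODY_ONLY = (
    'From: "Bank Support" <support@example.com>\n'
    "To: victim@example.org\n"
    "Subject: Account notice\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Contact <a href="mailto:secure.verify@example.org">our team</a>\n'
    "or write to secure.verify [at] example.org</p>\n"
)

if __name__ == "__main__":
    print(sa_rules(PHISH_ADDRESSES))
    for name, msg in (("header-only", MSG_HEADER_ONLY), ("body-only", MSG_BODY_ONLY)):
        print(name, scan(msg, PHISH_ADDRESSES))
```

Two caveats the emulation makes visible: a `body` rule sees the rendered text with HTML tags stripped, so an address that only appears as a mailto: href target is invisible to it, which is why the split version above uses `rawbody`; and a `full` rule matches against the pristine message, so a base64 or quoted-printable encoded body is not decoded for it, whereas `rawbody` works on the decoded body. Whether the split form is actually faster than `full` on a large alternation is the question Alex raises and the thread does not settle; the fragment above just gives both forms so they can be benchmarked side by side.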

