school targeted phishing getting past MailScanner and ScamNailer

Robert Lopez rlopezcnm at gmail.com
Thu Oct 22 19:50:00 IST 2009


From what I see in the logs MailScanner and ScamNailer are stopping a
LOT of email like these examples:

Found phishing fraud from
http://email.eharmony.com/t/3245264/61666596/125002/0/ claiming to be
www.eharmony.com in F1AB6660637.1911E
Found phishing fraud from
http://echo4.bluehornet.com/ct/5756277:6696375060:m:1:398960397:0FE61091879EEBBC9425626D5DFDF9C1
claiming to be www.playforfreewith500%%bonuscoupon"gwgma"atwww.mightyslots.com
in DB66D29B5.F13D9

I am not sure if those are phishing or not. They are at least probably spam.

Using :  grep "Found phishing fraud" maillog | grep -v "claiming to be"
finds only 12 log entries whereas the "claiming to be" type are 20842
since Monday morning.

What is not being stopped is the email that threatens to remove the
target's email account unless they send account name, birth date,
student id, password, etc. to an email address.

I am wondering if I should attempt to write SpamAssassin rules to stop
that kind of phishing.  Everything I think of would stop _this_ email
if I assigned weight to the critical words used in that type of email.

What other ways can MailScanner and ScamNailer be used to stop this
kind of school targeted phishing which all too often is successful and
leads to account compromises?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
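
[Added example, not part of the original post: a shell/awk breakdown of the "Found phishing fraud" log entries discussed above. It goes one step beyond the two grep counts by grouping entries by real link host and claimed host. The syslog prefix, the second eharmony entry and the entry without "claiming to be" are constructed assumptions.]

```shell
#!/bin/sh
# Added example: summarise MailScanner "Found phishing fraud" log entries.

# Constructed sample log. The syslog prefix, the second eharmony entry and
# the entry without "claiming to be" are assumptions for illustration.
sample_log() {
cat <<'EOF'
Oct 22 09:00:01 mx1 MailScanner[1234]: Found phishing fraud from http://email.eharmony.com/t/3245264/61666596/125002/0/ claiming to be www.eharmony.com in F1AB6660637.1911E
Oct 22 09:00:07 mx1 MailScanner[1234]: Found phishing fraud from http://email.eharmony.com/t/1/2/3/0/ claiming to be www.eharmony.com in 0000000AAAA.00001
Oct 22 09:01:15 mx1 MailScanner[1240]: Found phishing fraud from http://echo4.bluehornet.com/ct/5756277:6696375060:m:1:398960397:0FE61091879EEBBC9425626D5DFDF9C1 claiming to be www.playforfreewith500%%bonuscoupon"gwgma"atwww.mightyslots.com in DB66D29B5.F13D9
Oct 22 09:02:30 mx1 MailScanner[1240]: Found phishing fraud from http://192.0.2.10/login in 0000000BBBB.00002
Oct 22 09:02:31 mx1 postfix/smtpd[999]: connect from unknown[192.0.2.10]
EOF
}

# Reads maillog lines on stdin and prints, most frequent first:
#   count<TAB>link_host<TAB>claimed_host   ("-" when no claim is logged)
classify_phish() {
    awk '
    /Found phishing fraud from / {
        line = $0
        sub(/.*Found phishing fraud from /, "", line)
        sub(/ in [^ ]+$/, "", line)            # drop trailing message id
        claimed = "-"
        i = index(line, " claiming to be ")    # marker is 16 characters
        if (i > 0) {
            claimed = substr(line, i + 16)
            line = substr(line, 1, i - 1)
        }
        sub("^[a-zA-Z]+://", "", line)         # strip the URL scheme
        sub("[/:?].*$", "", line)              # keep only the host part
        count[line "\t" claimed]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample; use
#   classify_phish < /var/log/maillog
# on a real log (path is an assumption).
sample_log | classify_phish
```

Pairs that dominate the output and belong to known bulk-mail link trackers can be reviewed separately from entries that carry no claimed host.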
