school targeted phishing getting past MailScanner and ScamNailer

Alex Broens ms-list at alexb.ch
Fri Oct 23 09:19:36 IST 2009


On 10/23/2009 9:48 AM, --[ UxBoD ]-- wrote:
> ----- "Robert Lopez" <rlopezcnm at gmail.com> wrote:
> 
> | From what I see in the logs MailScanner and ScamNailer are stopping a
> | LOT of email like these examples:
> | 
> | Found phishing fraud from
> | http://email.eharmony.com/t/3245264/61666596/125002/0/ claiming to be
> | www.eharmony.com in F1AB6660637.1911E
> | Found phishing fraud from
> | http://echo4.bluehornet.com/ct/5756277:6696375060:m:1:398960397:0FE61091879EEBBC9425626D5DFDF9C1
> | claiming to be
> | www.playforfreewith500%%bonuscoupon&quot;gwgma&quot;atwww.mightyslots.com
> | in DB66D29B5.F13D9
> | 
> | I am not sure if those are phishing or not. They are at least probably
> | spam.
> | 
> | Using :  grep "Found phishing fraud" maillog | grep -v "claiming to be"
> | finds only 12 log entries whereas the "claiming to be" type are 20842
> | since Monday morning.
> | 
> | What is not being stopped is the email that threatens to remove the
> | target's email account unless they send account name, birth date,
> | student id, password, etc. to an email address.
> | 
> | I am wondering if I should attempt to write Spamassassin rules to stop
> | that kind of phishing.  Everything I think of would stop _this_ email
> | if I assigned weight to the critical words used in that type of email.
> | 
> | What other ways can MailScanner and ScamNailer be used to stop this
> | kind of school targeted phishing which all too often is successful and
> | leads to account compromises?
> | 
> You could try this from John Hardin on the SpamAssassin list :-
> 
> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf?revision=828291&view=markup
> 
> It may require a few tweaks for your own setup.

iirc, these rules *may* require some changes in the ReplaceTags plugin 
which will be released in SA 3.3.0, some rules *may* fail or do weird 
things.

be attentive...

Alex
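
One way to approach the rule-writing question raised in the quoted message, as an added example that is not part of the thread and is not John Hardin's 20_fillform.cf: SpamAssassin rules that fire only when a message asks for a password together with other account details as fill-in fields, so mail that merely mentions those words is not hit. Rule names, phrases and scores are hypothetical and need tuning on real mail; only plain body and meta rules are used (no ReplaceTags).

```conf
# Added example for a local rules file (e.g. local.cf).
# Every rule name, phrase list and score here is hypothetical.

# Sub-rules (leading "__") have no score of their own.
# Each one matches a field label followed by ":", "=" or a run of
# underscores, i.e. a blank the reader is expected to fill in.
# "password" in a normal sentence does not match.
body  __LOCAL_FF_USER    /\b(?:user ?name|user ?id|login ?id|account name)\s?[:=_]+/i
body  __LOCAL_FF_PASS    /\bpass ?word\s?[:=_]+/i
body  __LOCAL_FF_DOB     /\b(?:date of birth|birth ?date)\s?[:=_]+/i
body  __LOCAL_FF_SID     /\bstudent ?(?:id|number)\s?[:=_]+/i

# Threat that the mailbox or account will be removed or disabled.
body  __LOCAL_FF_THREAT  /\b(?:account|mailbox|e-?mail)\b.{0,60}\b(?:deactivat|suspend|terminat|delet|clos|remov)/i

# Password field plus at least two other requested details.
meta      LOCAL_FILLFORM_CRED    (__LOCAL_FF_PASS && (__LOCAL_FF_USER + __LOCAL_FF_DOB + __LOCAL_FF_SID >= 2))
describe  LOCAL_FILLFORM_CRED    Asks reader to fill in password and other account details
score     LOCAL_FILLFORM_CRED    2.0

# The same form combined with an account-removal threat scores higher.
meta      LOCAL_FILLFORM_THREAT  (LOCAL_FILLFORM_CRED && __LOCAL_FF_THREAT)
describe  LOCAL_FILLFORM_THREAT  Credential form plus threat to remove the account
score     LOCAL_FILLFORM_THREAT  3.0
```

Check the file with `spamassassin --lint` before reloading, and run the rules with low scores first to see what they hit.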

