school targeted phishing getting past MailScanner and ScamNailer

Mark Sapiro mark at msapiro.net
Fri Oct 23 17:28:10 IST 2009


On Thu, Oct 22, 2009 at 12:50:00PM -0600, Robert Lopez wrote:
> From what I see in the logs MailScanner and ScamNailer are stopping a
> LOT of email like these examples:
> 
> Found phishing fraud from
> http://email.eharmony.com/t/3245264/61666596/125002/0/ claiming to be
> www.eharmony.com in F1AB6660637.1911E
> Found phishing fraud from
> http://echo4.bluehornet.com/ct/5756277:6696375060:m:1:398960397:0FE61091879EEBBC9425626D5DFDF9C1
> claiming to be www.playforfreewith500%bonuscoupon"gwgma"atwww.mightyslots.com
> in DB66D29B5.F13D9
> 
> I am not sure if those are phishing or not. They are at least probably spam.


The above do not result in blocked mail by themselves. They result in
mail being 'disarmed'. They come from HTML mail that has a link whose
'text' looks like a URL or host name but has a different host from that
in the target URL. Some of these are fairly innocent such as

Found phishing fraud from http://www.ucsusa.org/action/ensure-you-receive-ucs-email.html claiming to be www.ucsusa.orgtoyouraddressbook

(missing a space in the text), or

Found phishing fraud from http://promo-link.jetblue.com/r/XTG1ARG/JIF8J/RNPOW5/IIEBJQ/OJMFT/ID/h claiming to be www.limos.jetblue.com

Others are simply non-malevolent use of response tracking such as

Found phishing fraud from http://campaign.constantcontact.com/render?v=001X1sTFlSjd3ZpYo12lWRZMy5_drStFoiWI6c4SLgajX6FCI3FCRjsi0VCNMeHp--0m8kBFmbwn2es2ijq-uwr9_BHXJYMsQBPQbv5Qw-Ge709dy28ut_GshKmrTEHpfuPuBEepJnd1XubMK4Zb9CbRw%3D%3D claiming to be www.millvalleylibrary.org


> Using :  grep "Found phishing fraud" maillog | grep -v "claiming to be"
> finds only 12 log entries whereas the "claiming to be" type are 20842
> since Monday morning.
> 
> What is not being stopped is the email that threatens to remove the
> target's email account unless they send account name, birth date,
> student id, password, etc. to an email address.
>
> I am wondering if I should attempt to write Spamassassin rules to stop
> that kind of phishing.  Everything I think of would stop _this_ email
> if I assigned weight to the critical words used in that type of email.
> 
> What other ways can MailScanner and ScamNailer be used to stop this
> kind of school targeted phishing which all too often is successful and
> leads to account compromises?


This is exactly the mail that ScamNailer is intended to stop. If it
is installed and properly configured and is not stopping these, you
can add the reply addresses in the mail to the

/etc/MailScanner/ScamNailer.local.addresses

file (or whatever you may have changed it to in the ScamNailer script).

Perhaps you should also send copies of the mail to Jules so he can
get them in his database.

-- 
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
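The link-text-versus-href comparison Mark describes, and a triage of the resulting "Found phishing fraud ... claiming to be ..." log lines into tracking redirects, run-on link text and genuine cross-domain lures, as an added example. This is not MailScanner's or ScamNailer's own code: the rule that link text "looks like a host" when it starts with http(s):// or www., the "parent domain = last two labels" shortcut, the verdict names, and the sample HTML (198.51.100.23 is a documentation address, school.edu a placeholder) are all assumptions made here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def host_of_text(text):
    """Host the link text *claims* to be, or None if it does not look like a
    URL/host.  Whitespace is stripped first, which reproduces the run-on
    'www.ucsusa.orgtoyouraddressbook' seen in the logs quoted above.
    Assumption: 'looks like a host' means it starts with http(s):// or www."""
    s = "".join(text.split()).lower()
    m = re.match(r"(?:https?://([^/?#]+)|(www\.[^/?#]+))", s)
    return (m.group(1) or m.group(2)).split(":")[0] if m else None


def parent_domain(host):
    """Registrable-domain guess: last two labels (assumption; a real tool
    should use the Public Suffix List so co.uk-style names work)."""
    return ".".join(host.split(".")[-2:])


def triage(target, claimed):
    """Classify a text/href host mismatch (verdict names are this example's)."""
    if parent_domain(target) == parent_domain(claimed):
        return "tracking"        # email.example.com -> www.example.com
    if claimed.startswith(target):
        return "runon-text"      # link text swallowed the following words
    return "cross-domain"        # the case worth a human look


def find_phishing_candidates(html):
    """One record per anchor whose text names a host other than the href host,
    the condition under which MailScanner logs 'Found phishing fraud' and
    disarms the link.  'log' is the message in the form quoted above."""
    p = AnchorCollector()
    p.feed(html)
    hits = []
    for href, text in p.anchors:
        target = (urlparse(href).hostname or "").lower()
        claimed = host_of_text(text)
        if not target or not claimed or claimed == target:
            continue
        hits.append({
            "href": href, "target": target, "claimed": claimed,
            "verdict": triage(target, claimed),
            "log": "Found phishing fraud from {} claiming to be {}".format(
                href, "".join(text.split())),
        })
    return hits


LOG_RE = re.compile(r"Found phishing fraud from (\S+) claiming to be (\S+)")


def triage_log_line(line):
    """Apply the same triage to an existing maillog line; returns
    (target, claimed, verdict) or None when the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target = (urlparse(m.group(1)).hostname or "").lower()
    claimed = host_of_text(m.group(2))
    if not target or not claimed:
        return None
    return target, claimed, "identical" if claimed == target else triage(target, claimed)


# Constructed sample: two benign mismatches, one link whose text is not a
# host at all, and one lure pointing a school-looking name at a bare IP.
SAMPLE_HTML = """
<p><a href="http://email.eharmony.com/t/3245264/61666596/125002/0/">www.eharmony.com</a></p>
<p><a href="http://www.ucsusa.org/action/ensure-you-receive-ucs-email.html">www.ucsusa.org to your address book</a></p>
<p><a href="http://198.51.100.23/webmail/verify.php">www.school.edu</a></p>
<p><a href="http://www.school.edu/helpdesk">Help desk</a></p>
"""

if __name__ == "__main__":
    for hit in find_phishing_candidates(SAMPLE_HTML):
        print(hit["verdict"].ljust(12), hit["log"])
```

Feeding the 20842 "claiming to be" lines through triage_log_line and keeping only the "cross-domain" verdicts is the cheap way to find the few hits that deserve a look; the "tracking" and "runon-text" buckets are the noise Mark lists. Note also that MailScanner's own comparison is configurable: check the Use Stricter Phishing Net and Phishing Safe Sites File settings in your MailScanner.conf before building anything on top of the log lines.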
