school targeted phishing getting past MailScanner and ScamNailer

Robert Lopez rlopezcnm at gmail.com
Fri Oct 23 21:06:09 IST 2009


Mark,

On Fri, Oct 23, 2009 at 10:28 AM, Mark Sapiro <mark at msapiro.net> wrote:
> On Thu, Oct 22, 2009 at 12:50:00PM -0600, Robert Lopez wrote:
>> From what I see in the logs MailScanner and ScamNailer are stopping a
>> LOT of email like these examples:
>>
>> Found phishing fraud from
>> http://email.eharmony.com/t/3245264/61666596/125002/0/ claiming to be
>> www.eharmony.com in F1AB6660637.1911E
>> Found phishing fraud from
>> http://echo4.bluehornet.com/ct/5756277:6696375060:m:1:398960397:0FE61091879EEBBC9425626D5DFDF9C1
>> claiming to be www.playforfreewith500%%bonuscoupon&quot;gwgma&quot;atwww.mightyslots.com
>> in DB66D29B5.F13D9
>>
>> I am not sure if those are phishing or not. They are at least probably spam.
>
>
> The above do not result in blocked mail by themselves. They result in
> mail being 'disarmed'. They come from HTML mail that has a link whose
> 'text' looks like a URL or host name but has a different host from that
> in the target URL.

Are you certain? I thought those looked more like this log sample:

Oct 23 13:10:48 mg04 MailScanner[27356]: Content Checks: Detected and
have disarmed web bug tags in HTML message in 9C604660910.58CBE from
newsletters at techrepublic.online.com


> Some of these are fairly innocent such as
>
> Found phishing fraud from http://www.ucsusa.org/action/ensure-you-receive-ucs-email.html claiming to be www.ucsusa.orgtoyouraddressbook
>
> (missing a space in the text), or
>
> Found phishing fraud from http://promo-link.jetblue.com/r/XTG1ARG/JIF8J/RNPOW5/IIEBJQ/OJMFT/ID/h claiming to be www.limos.jetblue.com
>
> Others are simply non-malevolent use of response tracking such as
>
> Found phishing fraud from http://campaign.constantcontact.com/render?v=001X1sTFlSjd3ZpYo12lWRZMy5_drStFoiWI6c4SLgajX6FCI3FCRjsi0VCNMeHp--0m8kBFmbwn2es2ijq-uwr9_BHXJYMsQBPQbv5Qw-Ge709dy28ut_GshKmrTEHpfuPuBEepJnd1XubMK4Zb9CbRw%%3D%%3D claiming to be www.millvalleylibrary.org
>
>
>> Using :  grep "Found phishing fraud" maillog | grep -v "claiming to be"
>> finds only 12 log entries whereas the "claiming to be" type are 20842
>> since Monday morning.
>>
>> What is not being stopped is the email that threatens to remove the
>> target's email account unless they send account name, birth date,
>> student id, password, etc. to an email address.
>>
>> I am wondering if I should attempt to write Spamassassin rules to stop
>> that kind of phishing.  Everything I think of would stop _this_ email
>> if I assigned weight to the critical words used in that type of email.
>>
>> What other ways can MailScanner and ScamNailer be used to stop this
>> kind of school targeted phishing which all too often is successful and
>> leads to account compromises?
>
>
> This is exactly the mail that ScamNailer is intended to stop. If it
> is installed and properly configured and is not stopping these, you
> can add the reply addresses in the mail to the
>
> /etc/MailScanner/ScamNailer.local.addresses
>
> file (or whatever you may have changed it to in the ScamNailer script).

Yes. I have been doing this.

>
> Perhaps you should also send copies of the mail to Jules so he can
> get them in his database.

Via sending to this list, directly to this list, or did he set up an
address for such use?

>
> --
> Mark Sapiro mark at msapiro net       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>


Thank you.
-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
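As an added example, not code from this thread, MailScanner or ScamNailer: a small Python script that parses the "Found phishing fraud from ... claiming to be ..." log lines quoted above, reproduces the `grep "Found phishing fraud" | grep -v "claiming to be"` split as counts, and sorts the "claiming to be" hits by whether the visible link text shares a registered domain with the real target (the jetblue, eharmony and ucsusa cases) or points somewhere else entirely. The sample log is constructed from the lines shown in the thread plus one placeholder line, and the registered-domain check is a naive last-two-labels rule (assumption: no public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed sample log modelled on the entries quoted in the thread.
# The last "Found phishing fraud" line is a placeholder: the thread says entries
# without "claiming to be" exist but does not show their exact wording.
SAMPLE_LOG = """\
Found phishing fraud from http://email.eharmony.com/t/3245264/61666596/125002/0/ claiming to be www.eharmony.com in F1AB6660637.1911E
Found phishing fraud from http://promo-link.jetblue.com/r/XTG1ARG/JIF8J/RNPOW5/IIEBJQ/OJMFT/ID/h claiming to be www.limos.jetblue.com in 0000000001.AAAAA
Found phishing fraud from http://www.ucsusa.org/action/ensure-you-receive-ucs-email.html claiming to be www.ucsusa.orgtoyouraddressbook in 0000000002.BBBBB
Found phishing fraud from http://echo4.bluehornet.com/ct/5756277:6696375060:m:1:398960397:0FE61091879EEBBC9425626D5DFDF9C1 claiming to be www.playforfreewith500%%bonuscoupon&quot;gwgma&quot;atwww.mightyslots.com in DB66D29B5.F13D9
Found phishing fraud from http://campaign.constantcontact.com/render?v=001X1sTFlSjd3ZpYo12lWRZMy5 claiming to be www.millvalleylibrary.org in 0000000003.CCCCC
Found phishing fraud (placeholder line without claim text) in 0000000004.DDDDD
Oct 23 13:10:48 mg04 MailScanner[27356]: Content Checks: Detected and have disarmed web bug tags in HTML message in 9C604660910.58CBE from newsletters at techrepublic.online.com
"""

CLAIM_RE = re.compile(
    r"Found phishing fraud from (?P<url>\S+) claiming to be (?P<claim>\S+) in (?P<msgid>\S+)$"
)


def registered_domain(host):
    """Naive registered domain: the last two DNS labels.
    Assumption: no public suffix list, so suffixes like co.uk are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_claim_line(line):
    """Return a dict for a 'claiming to be' line, or None if the line is not one."""
    m = CLAIM_RE.search(line.strip())
    if not m:
        return None
    target_host = urlparse(m.group("url")).hostname or ""
    claim = m.group("claim").lower()
    reg = registered_domain(target_host)
    # The link text counts as "same org" if it starts with, or contains, the
    # target's registered domain (catches missing-space cases like
    # "www.ucsusa.orgtoyouraddressbook" and subdomains like www.limos.jetblue.com).
    same_org = bool(reg) and (claim.startswith(reg) or ("." + reg) in claim)
    return {
        "msgid": m.group("msgid"),
        "target_host": target_host,
        "claimed_text": m.group("claim"),
        "verdict": "same-org link text" if same_org else "cross-domain link text",
    }


def summarize(log_text):
    """Counts mirroring the grep pipeline from the thread, plus the verdict split."""
    counts = {"phishing_total": 0, "with_claim": 0, "without_claim": 0,
              "same_org": 0, "cross_domain": 0}
    for line in log_text.splitlines():
        if "Found phishing fraud" not in line:
            continue  # e.g. the 'disarmed web bug tags' Content Checks line
        counts["phishing_total"] += 1
        rec = parse_claim_line(line)
        if rec is None:
            counts["without_claim"] += 1
            continue
        counts["with_claim"] += 1
        if rec["verdict"].startswith("same-org"):
            counts["same_org"] += 1
        else:
            counts["cross_domain"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_claim_line(line)
        if rec:
            print(f"{rec['msgid']}: {rec['target_host']} vs {rec['claimed_text']} -> {rec['verdict']}")
    print(summarize(SAMPLE_LOG))
```

The "cross-domain" bucket is where the genuinely deceptive links would sit, but as Mark's constantcontact example shows, response-tracking redirectors land there too, so the verdict is a triage hint for deciding which disarmed messages deserve a look, not a block decision.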

