looking for suggestions to catch more phising attempts

[John Baker]

Hi all,

I'm trying to figure out what the easiest solution with the smallest 
footprint for this problem might be.

Along with a lot of other schools we've had a chronic problem with 
phishing attempts that pretend to be us and ask for usernames and 
passwords. Pretty much all of them come from compromised accounts at 
other colleges and the spammers keep the numbers low enough and slow 
enough to not register on phising lists like ScamNailer. We always seem 
to have at least one taker who's account gets compromised by spammers 
for every major phishing attempt of this type. We have mechanisms like 
rate limiting in place to keep the damage limited but I'd really rather 
keep the accounts from getting compromised in the first place.

What I need is something like the phishing feature in Mailscanner that 
looks for mismatches between claimed and actual addresses and warns that 
it might be phising but looks for things like password requests or 
pretending to be from "helpdesk" or "webmail" instead. I'd like to 
pick-out them out and warn users that it might be a phising attempt.

I think that either Mailscanner MCP or postfix header/body checks could 
do this but I'm concerned about the added system load and possible 
slowdowns that either may add.

Is their anything obvious I'm overlooking here like a way to do this in 
Mailscanner's non mcp configuration?

Thanks

-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 Cell: 451-6748