looking for suggestions to catch more phishing attempts

John Baker johnnyb at marlboro.edu
Mon Nov 8 22:04:29 GMT 2010


Good point, but no, for various convoluted reasons we can't yet.

It's actually not quite relevant as they do not actually use our 
addresses for this. They typically just write the note to make it sound 
like they are our IT dept but the address clearly says it's from 
somebody else. Users not savvy enough to realize that password requests 
are scams are even less likely to notice that neither the From nor 
Reply-To are actually our addresses.

Stephen Swaney wrote:
> On Nov 8, 2010, at 3:33 PM, John Baker wrote:
>
>   
>> Hi all,
>>
>> I'm trying to figure out what the easiest solution with the smallest footprint for this problem might be.
>>
>> Along with a lot of other schools we've had a chronic problem with phishing attempts that pretend to be us and ask for usernames and passwords. Pretty much all of them come from compromised accounts at other colleges and the spammers keep the numbers low enough and slow enough to not register on phishing lists like ScamNailer. We always seem to have at least one taker whose account gets compromised by spammers for every major phishing attempt of this type. We have mechanisms like rate limiting in place to keep the damage limited but I'd really rather keep the accounts from getting compromised in the first place.
>>
>> What I need is something like the phishing feature in Mailscanner that looks for mismatches between claimed and actual addresses and warns that it might be phishing but looks for things like password requests or pretending to be from "helpdesk" or "webmail" instead. I'd like to pick them out and warn users that it might be a phishing attempt.
>>
>> I think that either Mailscanner MCP or postfix header/body checks could do this but I'm concerned about the added system load and possible slowdowns that either may add.
>>
>> Is there anything obvious I'm overlooking here like a way to do this in Mailscanner's non-MCP configuration?
>>
>> Thanks
>>
>> -- 
>> John Baker
>> Network Systems Administrator
>> Marlboro College
>> Phone: 451-7551 Cell: 451-6748
>>
>
>
> First. Do you publish SPF records to prevent scammers from forging the mail from address?
>
>
> Thanks,
>
> Steve
>   


-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 Cell: 451-6748
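
The check described in this thread (mail that poses as the helpdesk or webmail team, or asks for a password, while its From or Reply-To is outside the site's domain) can be sketched as follows. This is an added example, not code from the thread or from MailScanner; `LOCAL_DOMAIN`, the phrase lists and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"  # assumption: placeholder for the site's own domain
# Assumed phrase lists; tune against real mail before relying on them.
IT_IDENTITY = re.compile(r"\b(help\s?desk|webmail|it (dept|support)|system administrator)\b", re.I)
CRED_WORDS = re.compile(r"\b(password|passwd|user\s?name|login id)\b", re.I)
ASK_VERBS = re.compile(r"\b(reply|send|provide|confirm|verify|submit)\b", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header ('' if it has no address)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def body_text(msg):
    """Decoded text/* parts of the message, joined together."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def phishing_reasons(raw_message):
    """Return the reasons a message deserves a phishing warning (empty list if none)."""
    msg = message_from_string(raw_message)
    # Score only mail with an external From or Reply-To, so real local notices are never tagged.
    external = [h for h in ("From", "Reply-To")
                if msg.get(h) and domain_of(msg[h]) != LOCAL_DOMAIN]
    if not external:
        return []
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    reasons = []
    if IT_IDENTITY.search(msg.get("From", "") + "\n" + text):
        reasons.append("claims IT identity but %s is external" % "/".join(external))
    if CRED_WORDS.search(text) and ASK_VERBS.search(text):
        reasons.append("asks for credentials")
    return reasons

# Constructed sample messages (not taken from real mail).
PHISH = ('From: "Webmail Helpdesk" <jdoe@other-college.example>\n'
         'Reply-To: collector@freemail.example\nSubject: Mailbox quota exceeded\n\n'
         'Reply with your username and password to keep your account active.\n')
LOCAL_NOTICE = ('From: "IT Helpdesk" <helpdesk@example.edu>\nSubject: Maintenance\n\n'
                'Webmail is offline Saturday. Never send your password by email.\n')
if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LOCAL_NOTICE", LOCAL_NOTICE)):
        print(name, phishing_reasons(raw) or "no warning")
```

The domain comparison is exact, so a site that sends from subdomains would need to list those as local too.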


