looking for suggestions to catch more phishing attempts

Glenn Steen glenn.steen at gmail.com
Tue Nov 9 01:02:43 GMT 2010

So the envelope sender isn't forged, but a lot of the rest?
Then this is a job for SA, write your own rules, and use SA rule hit actions
in MS (this supersedes MCP, and is way more efficient than that).

-- Glenn

On 8 Nov 2010 20:41, "John Baker" <johnnyb at marlboro.edu> wrote:

Hi all,

I'm trying to figure out what the easiest solution with the smallest
footprint for this problem might be.

Along with a lot of other schools we've had a chronic problem with phishing
attempts that pretend to be us and ask for usernames and passwords. Pretty
much all of them come from compromised accounts at other colleges and the
spammers keep the numbers low enough and slow enough to not register on
phishing lists like ScamNailer. We always seem to have at least one taker
whose account gets compromised by spammers for every major phishing attempt
of this type. We have mechanisms like rate limiting in place to keep the
damage limited but I'd really rather keep the accounts from getting
compromised in the first place.

What I need is something like the phishing feature in MailScanner that looks
for mismatches between claimed and actual addresses and warns that it might
be phishing but looks for things like password requests or pretending to be
from "helpdesk" or "webmail" instead. I'd like to pick them out and warn
users that it might be a phishing attempt.

I think that either MailScanner MCP or Postfix header/body checks could do
this but I'm concerned about the added system load and possible slowdowns
that either may add.

Is there anything obvious I'm overlooking here like a way to do this in
MailScanner's non-MCP configuration?


John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 Cell: 451-6748
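
The check described in this thread (a sender claiming to be "helpdesk" or "webmail" and asking for a password, arriving from outside the local domain) can be prototyped before it is written as SpamAssassin header, body and meta rules. This is an added example, not code from the thread or from MailScanner; the domain `example.edu`, the patterns, the rule names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"  # assumption: the site's own mail domain

# Display name claims a support role (would become an SA header rule on From:name).
ROLE_RE = re.compile(r"\b(?:help\s?desk|web\s?mail|it support|system administrator)\b", re.I)
# Body asks the reader to hand over a password (would become an SA body rule).
CRED_RE = re.compile(
    r"\b(?:confirm|verify|provide|send|reply with)\b.{0,80}\b(?:password|passcode)\b",
    re.I | re.S)

def body_text(msg):
    """Concatenate all text/plain parts, decoding transfer encodings."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def classify(raw_message):
    """Return the set of sub-rules that hit, like SA '__' sub-rules."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    hits = set()
    if ROLE_RE.search(name):
        hits.add("ROLE_NAME")
    if CRED_RE.search(body_text(msg)):
        hits.add("CRED_REQUEST")
    if addr.rpartition("@")[2].lower() != LOCAL_DOMAIN:
        hits.add("EXTERNAL_SENDER")
    return hits

def is_suspect(raw_message):
    """Meta rule: all three sub-rules must hit, to limit false positives."""
    return classify(raw_message) >= {"ROLE_NAME", "CRED_REQUEST", "EXTERNAL_SENDER"}

# Constructed sample messages.
PHISH = """\
From: "Webmail Helpdesk" <jsmith@other-college.example>
Subject: Mailbox quota exceeded

Your mailbox is almost full. To avoid suspension, reply with your
username and password within 24 hours.
"""
INTERNAL = """\
From: "IT Helpdesk" <helpdesk@example.edu>
Subject: Maintenance window

We will never ask you to send your password by email.
"""
```

The internal notice hits both content patterns, so the sender-domain condition is what keeps the real helpdesk's own mail from being tagged.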
