looking for suggestions to catch more phishing attempts

John Baker johnnyb at marlboro.edu
Tue Nov 9 18:08:52 GMT 2010


Thanks, I knew I must be missing something. I've read the 
MailScanner.conf file a million times and somehow missed the section for 
custom actions on specific rule hits.


Glenn Steen wrote:
>
> So the envelope sender isn't forged, but a lot of the rest?
> Then this is a job for SA, write your own rules, and use SA rule hit 
> actions in MS (this supersedes MCP, and is way more efficient than that).
>
> Cheers
> -- 
> -- Glenn
>
>> On 8 Nov 2010 20:41, "John Baker" <johnnyb at marlboro.edu 
>> <mailto:johnnyb at marlboro.edu>> wrote:
>>
>> Hi all,
>>
>> I'm trying to figure out what the easiest solution with the smallest 
>> footprint for this problem might be.
>>
>> Along with a lot of other schools we've had a chronic problem with 
>> phishing attempts that pretend to be us and ask for usernames and 
>> passwords. Pretty much all of them come from compromised accounts at 
>> other colleges and the spammers keep the numbers low enough and slow 
>> enough to not register on phishing lists like ScamNailer. We always 
>> seem to have at least one taker whose account gets compromised by 
>> spammers for every major phishing attempt of this type. We have 
>> mechanisms like rate limiting in place to keep the damage limited but 
>> I'd really rather keep the accounts from getting compromised in the 
>> first place.
>>
>> What I need is something like the phishing feature in Mailscanner 
>> that looks for mismatches between claimed and actual addresses and 
>> warns that it might be phishing but looks for things like password 
>> requests or pretending to be from "helpdesk" or "webmail" instead. 
>> I'd like to pick them out and warn users that it might be a 
>> phishing attempt.
>>
>> I think that either Mailscanner MCP or postfix header/body checks 
>> could do this but I'm concerned about the added system load and 
>> possible slowdowns that either may add.
>>
>> Is there anything obvious I'm overlooking here like a way to do this 
>> in Mailscanner's non-MCP configuration?
>>
>> Thanks
>>
>> -- 
>> John Baker
>> Network Systems Administrator
>> Marlboro College
>> Phone: 451-7551 Cell: 451-6748
>>


-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 Cell: 451-6748
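
The approach suggested in this thread (custom SpamAssassin rules plus MailScanner's SpamAssassin Rule Actions), sketched as an added example that is not from either poster. The rule names, regexes, the `example.edu` domain, the header text and the `local.cf` path are assumptions to adapt locally.

```conf
# ---- SpamAssassin: /etc/mail/spamassassin/local.cf (path is an assumption) ----

# Sender presents itself as a support desk in the From display name or address.
header   LOCAL_FROM_HELPDESK  From =~ /\b(?:help\s?desk|webmail|it support)\b/i
describe LOCAL_FROM_HELPDESK  From header claims a helpdesk/webmail identity
score    LOCAL_FROM_HELPDESK  0.1

# Body asks the reader to hand over credentials.
body     LOCAL_PW_REQUEST     /\b(?:confirm|verify|provide|send|reply with)\b.{0,60}\b(?:password|user ?name)\b/i
describe LOCAL_PW_REQUEST     Body requests a username or password
score    LOCAL_PW_REQUEST     0.1

# Sub-rule (double underscore = unscored): envelope sender is in our own domain.
# example.edu is a placeholder for the local domain.
header   __LOCAL_OWN_SENDER   EnvelopeFrom =~ /\@example\.edu$/i

# Fire only when both signals match on mail from outside, which keeps
# legitimate internal helpdesk notices from being tagged.
meta     LOCAL_CRED_PHISH     (LOCAL_FROM_HELPDESK && LOCAL_PW_REQUEST && !__LOCAL_OWN_SENDER)
describe LOCAL_CRED_PHISH     External mail posing as helpdesk and asking for credentials
# Kept low so the rule alone does not push a message over the spam threshold;
# the MailScanner action below is what warns the user.
score    LOCAL_CRED_PHISH     0.5

# ---- MailScanner: MailScanner.conf ----

# Per-rule action keyed on the SpamAssassin rule name (format RULE=>action).
# Here the message is still delivered, with a warning header added that
# clients or a later delivery filter can act on.
SpamAssassin Rule Actions = LOCAL_CRED_PHISH=>header "X-Phishing-Warning: possible credential phishing, do not reply with your password"
```

Run `spamassassin --lint` after editing the rules file to catch syntax errors before reloading MailScanner, and compare the action syntax with the comments above `SpamAssassin Rule Actions` in your own MailScanner.conf.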


