Tagging phishing emails

Joolee mailscanner at joolee.nl
Mon Aug 29 17:43:02 IST 2011


Yes, that would be MailScanner itself. I disabled the option because it
gives a lot of false positives.

MailScanner checks the contents of anchor texts against their href.
(<a href="http://mybank.com.fake.com">https://mybank.com</a>) Problem is that
something like this also gets flagged:
<a href="http://groupon.com/action/987219837">Coupon worth $50 on booking.com for only $5!</a>
When MailScanner detects something with this method and SpamAssassin thinks
the e-mail is okay, the mail gets cleaned and delivered with all headers set
like nothing is wrong.

I've implemented a few simple rules in SpamAssassin to detect https / http
replacements like above. Doesn't catch all the phishing but sure does a lot.

On 29 August 2011 18:21, Mauricio Tavares <raubvogel at gmail.com> wrote:

> On Mon, Aug 29, 2011 at 11:41 AM, Kristofer Pettijohn
> <kristofer at cybernetik.net> wrote:
> > Hello,
> >
> > I have set up Mailscanner as a gateway box in front of my mailserver.  I
> > have it adding a header to messages identified as Spam
> > "X-Organization-Spam-Flag: Yes".  My mail server then parses the headers,
> > and if it sees that header it automatically filters it into my users'
> > "Junk" folder.
> >
> > I see messages that go through MailScanner where in the log it says
> > "Found phishing fraud from", but it still passes SpamAssassin, so that
> > flag doesn't get set.  MailScanner will clean and disarm the email,
> > however.  What I would like is for MailScanner to leave the message
> > alone, but also tag it as being spam.  Basically I would like it to do
> > that for all emails where it finds phishing fraud.
> >
>       Correct me if I am wrong but wouldn't that mean a
> program/module/something other than spamassassin is handling the phishing
> stuff?
>
> > Is this possible?
> >
> > Thanks!
> > Kris
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> >
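Added example, not part of the original post and not MailScanner's or the poster's own code: a simplified Python version of the anchor-text-versus-href comparison described above, run over the two anchors from the post. The names AnchorCollector, host_of and suspicious_anchors, and the strict/loose split, are assumptions made for illustration; the loose mode reproduces the false positive on the coupon link, the strict mode only fires when the visible text is itself a URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # any host-like token
URL_RE = re.compile(r"^\s*(?:https?://|www\.)\S+\s*$", re.I)     # whole text is a URL
# The two anchors quoted in the post above, reused as sample input.
SAMPLE = ('<a href="http://mybank.com.fake.com">https://mybank.com</a>'
          '<a href="http://groupon.com/action/987219837">Coupon worth $50 '
          'on booking.com for only $5!</a>')

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(url):
    """Lower-cased host without a leading 'www.'; scheme-less text is read as http."""
    try:
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    except ValueError:  # malformed URL such as unbalanced IPv6 brackets
        host = ""
    return re.sub(r"^www\.", "", host.lower())

def suspicious_anchors(html, strict=True):
    """Return (href, text) pairs whose visible text names a host other than the href's."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        target = host_of(href)
        if strict:   # only compare when the visible text is itself a URL
            named = [text] if URL_RE.match(text) else []
        else:        # compare every host-looking token in the visible text
            named = HOST_RE.findall(text)
        if target and any(h and h != target for h in map(host_of, named)):
            hits.append((href, text))
    return hits
```

suspicious_anchors(SAMPLE, strict=False) returns both anchors, suspicious_anchors(SAMPLE) returns only the mybank one.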