<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.24.1.1">
</HEAD>
<BODY>
Awesome Julian, I've been looking for something that would catch those.<BR>
<BR>
I'll stick it on our testbed tonight<BR>
<BR>
<BR>
On Wed, 2008-12-31 at 23:24 +0000, Julian Field wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
On 31/12/08 22:54, Kevin Miller wrote:
> Just a quick note to wish everyone a Happy (and spam free) New Year,
> especially Jules. Your hard work and giving spirit has certainly made
> the past year much nicer for all of us...
>
Many thanks!
You might be interested I've been doing a bit of work with the
Google-hosted project "anti-phishing-email-reply" which you can find here:
<A HREF="http://code.google.com/p/anti-phishing-email-reply/">http://code.google.com/p/anti-phishing-email-reply/</A>
My aim was to create a trap for all those nasty spear-phishing attacks
and those endless "Temporary job offer" spams that some of you will get.
I have created a little script (which is pretty obvious, source code is
given below) which just generates a list of addresses based on what's in
their file. I add that to my own list of known troublesome addresses,
which can have "*" wildcards in them, so you can do things like michael
loucas * @ gmail . com (extra spaces added to stop my stuff picking up
that address and killing this message).
I then generate a bunch of SpamAssassin rules from that which detect any
of these few thousand addresses appearing anywhere in a message, with
lots of safeguards to protect against false alarms. It also compacts
them into only a hundred or two rules, instead of having 1 SpamAssassin
rule for each address!
I then use SpamAssassin Rule Actions to do this:
SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster@ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"
This lot fires whenever any of my SpamAssassin rules fires. It
1) Adds a header "X-ECS-Mail-Access:" containing the list of original
recipient addresses,
2) Stores a copy of the message
3) Stops delivery to the original recipients
4) Sends a copy to postmaster, where I have a Sieve rule firing on the
presence of the "X-ECS-Mail-Access:" header to store it in a folder
without cluttering up postmaster's inbox.
My script, that builds all the SpamAssassin rules, works from a YP/NIS
map called "mail.access" which contains each email address from the
google list and my list in the first word of a line, looking like this:
bad@domain.com REJECT
nasty@false.bank.com REJECT
I sort it so that the regular expressions created are more optimal for
Perl, so it can apply them faster to each message.
My script that builds all the SpamAssassin rules is attached.
My script that reads the google list and creates the YP/NIS map from it
is simply this:
#!/bin/sh
# Fetch the Google-hosted phishing reply-address list and turn it into
# the YP/NIS "mail.access" map (one "address<TAB>REJECT" line each).
echo Fetching phishing addresses...
rm -f /tmp/$$.blocks
/usr/local/bin/wget -O /tmp/$$.blocks http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses >/dev/null 2>&1
if [ -f /tmp/$$.blocks ]; then
    echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
    # Blank out comment lines, keep only the address (first comma-separated
    # field), sort and de-duplicate, drop the now-empty lines, then tag
    # each address with REJECT for the map.
    sed -e 's/^#.*$//' < /tmp/$$.blocks | \
        cut -d, -f1 | \
        sort | \
        uniq | \
        grep -v '^$' | \
        awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
    rm -f /tmp/$$.blocks
    # Rebuild the NIS maps so the new mail.access map is published.
    cd /opt/yp && ./ypmake
fi
The "ypcat -k mail.access" command at the start of Build.Phishing.Rules
basically reads my list in addition to the contents of the file
/opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so
you can easily convert it to just use a temporary file and do all of
this lot on the same server. If you aren't using YP/NIS then you
obviously won't need the "ypmake" command either.
I hope this is of some use to some of you. It traps "Temporary job
offer" spams and spear-phishing attacks very well indeed.
Jules
--
Julian Field MEng CITP CEng
<A HREF="http://www.MailScanner.info">www.MailScanner.info</A>
Buy the MailScanner book at <A HREF="http://www.MailScanner.info/store">www.MailScanner.info/store</A>
MailScanner customisation, or any advanced system administration help?
Contact me at <A HREF="mailto:Jules@Jules.FM">Jules@Jules.FM</A>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: <A HREF="http://www.jules.fm/julesfm.asc">http://www.jules.fm/julesfm.asc</A>
</PRE>
</BLOCKQUOTE>
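<BR>
A worked example of the rule-building step, added here; it is neither Julian's attached Build.Phishing.Rules script nor code from the anti-phishing-email-reply project. It is a POSIX sh/awk generator that reads a list in the "address REJECT" map layout shown above, packs many addresses into each SpamAssassin rule, escapes regex metacharacters, honours a "*" wildcard inside an address, and anchors every match so that a longer address which merely contains a listed one does not raise a false alarm. Only the ECS_MAIL_ACCESS rule name and the map layout come from the post; the 50-addresses-per-rule default, the __ECS_MAIL_ACCESS_B/__ECS_MAIL_ACCESS_H subrule names, the wildcard semantics, the 5.0 score and the sample list are assumptions of this example.<BR>

```sh
#!/bin/sh
# Added example, not Julian's attached Build.Phishing.Rules: compact a
# mail.access-style address list into a handful of SpamAssassin rules.
# Assumed input layout: one "ADDRESS REJECT" line per address, "#"
# comment lines, and "*" inside an address as a wildcard that may not
# cross the "@" (the wildcard semantics are an assumption of this example).

# build_sa_rules LISTFILE [ADDRESSES_PER_RULE]
# Prints __ECS_MAIL_ACCESS_B1, B2, ... (body) and __ECS_MAIL_ACCESS_H1,
# H2, ... (all headers) subrules plus one scoring meta rule,
# ECS_MAIL_ACCESS, the name a "SpamAssassin Rule Actions" line keys on.
build_sa_rules() {
    LC_ALL=C sort -u "$1" | awk -v per_rule="${2:-50}" '
        # Only non-comment lines whose second word is REJECT are addresses.
        !/^#/ && NF >= 2 && $2 == "REJECT" {
            a = tolower($1)
            if (a in seen) next            # same address in two lists
            seen[a] = 1
            # Escape the regex metacharacters that are legal in an address
            # (brackets and backslash are not, so they need no handling).
            gsub(/[.+?(){}^$|]/, "\\\\&", a)
            # The "*" wildcard becomes a run of address characters that
            # cannot swallow the "@" or spill into surrounding text.
            gsub(/\*/, "[^@[:space:]]*", a)
            addrs[n++] = a
        }
        END {
            if (n == 0) exit 1
            for (i = 0; n > i; i += per_rule) {
                r++
                re = addrs[i]
                for (j = i + 1; n > j && i + per_rule > j; j++)
                    re = re "|" addrs[j]
                # False-alarm safeguard: the listed address must stand on
                # its own, not be the head or tail of a longer address.
                re = "(?:^|[^a-z0-9._+-])(?:" re ")(?![a-z0-9._+-])"
                printf "body __ECS_MAIL_ACCESS_B%d /%s/i\n", r, re
                printf "header __ECS_MAIL_ACCESS_H%d ALL =~ /%s/i\n", r, re
                meta = meta (r > 1 ? " || " : "") "__ECS_MAIL_ACCESS_B" r " || __ECS_MAIL_ACCESS_H" r
            }
            printf "meta ECS_MAIL_ACCESS (%s)\n", meta
            printf "describe ECS_MAIL_ACCESS Mentions a known phishing reply address\n"
            printf "score ECS_MAIL_ACCESS 5.0\n"
        }'
}

# write_sample_list PATH: a small constructed list in the map layout above.
write_sample_list() {
    printf '%s\n' \
        '# constructed sample, not the Google-hosted list' \
        'bad@domain.com REJECT' \
        'nasty@false.bank.com REJECT' \
        'BAD@domain.com REJECT' \
        'michaelloucas*@gmail.com REJECT' \
        'friend@example.org OK' > "$1"
}

# Demo: two addresses per rule keeps the output short enough to read.
SAMPLE_LIST=$(mktemp)
write_sample_list "$SAMPLE_LIST"
build_sa_rules "$SAMPLE_LIST" 2
rm -f "$SAMPLE_LIST"
```
<BR>
The output is a plain SpamAssassin rules file: drop it into the site rules directory, then point a SpamAssassin Rule Actions line such as the one in the post at ECS_MAIL_ACCESS. Each body/header subrule carries one alternation of up to ADDRESSES_PER_RULE escaped addresses, which is what keeps a few thousand entries down to a hundred or two rules; the 5.0 score is a placeholder to tune against your own false-positive tolerance.<BR>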
</BODY>
</HTML>