Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2004/12/07 03:29:29 UTC

Re[2]: Phishing attempt wasn't blocked by SpamAssassin

Hello Wolfgang,

Monday, December 6, 2004, 7:39:09 AM, you wrote:

LW>> That's because such a rule won't work.  All manner of real mail ends up
LW>> sending things that have a real link address different from the one shown in
LW>> the link.  Often it is a very minor difference, like https vs http, but
LW>> sometimes there are no points of reality at all between them. This shows up
LW>> a lot in stuff generated from databases.

WH> If there is a visible URL to a different server than the one in
WH> real URL, I would not only want to tag that as possible spam, but
WH> rather have a nice red 20pt headline added to the mail: WARNING -
WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED

As the current ninja maintaining the SARE URI rules file (though not
the fraud or spoof files), I gladly invite you to develop such a rule.
If you can offer us a rule that does what you want, and in our testing
does not hit excessively on non-spam, we'll gladly include it in our
SARE rules file, and will support your submission of that rule to the
SA developers.

At this point in time, I can't think of a good (efficient) way to do
this that wouldn't also hit huge numbers of non-spam.

Bob Menschel
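
The visible-URL versus real-URL comparison discussed in this message, as an added example in Python (not part of the original post and not a SARE or SpamAssassin rule). It ignores the http/https difference mentioned above, yet still hits on a constructed newsletter tracking link, which is the non-spam problem Bob describes. All hostnames and sample messages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# A URL-looking string inside the visible link text.
URL_IN_TEXT = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)

def host_of(url):
    """Lower-cased hostname of a URL; scheme and a leading 'www.' are ignored."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (shown_host, real_host) for anchors whose text shows a URL on another host."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.pairs:
        m = URL_IN_TEXT.search(text)
        if not m or not href.lower().startswith(("http://", "https://")):
            continue  # link text is not a URL, or href is mailto:/relative
        shown, real = host_of(m.group(0)), host_of(href)
        if shown and real and shown != real:
            hits.append((shown, real))
    return hits

# Constructed samples; the example.* names and the address are placeholders.
PHISH = '<a href="http://192.0.2.10/login">https://www.bank.example/login</a>'
SCHEME_ONLY = '<a href="https://shop.example/a">http://www.shop.example/a</a>'
NEWSLETTER = '<a href="http://track.mailer.example/c?id=7">www.shop.example/sale</a>'
```

The phish sample and the newsletter sample both produce a hit; only the scheme-only difference is suppressed, so a host comparison by itself cannot separate the two.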




Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

Posted by Bill Randle <bi...@neocat.org>.
On Mon, 2004-12-06 at 20:00, Kenneth Porter wrote:
> --On Monday, December 06, 2004 6:44 PM -0800 Bill Randle <bi...@neocat.org> 
> wrote:
> 
> > Obviously, these are tailored for each specific message, so it's
> > not a generic solution, but it can help. Currently, there are
> > signatures for 18 different banking phish and two auction phish.
> 
> Additionally, if you run SA and Clam from MIMEDefang, you can use the 
> contributed Graphdefang package to serve graphs of your spam, viruses, and 
> phish from your web server, and can see how many phishing attempts of each 
> type were blocked.
> 
> <http://mimedefang.org/>

Good point! I use amavisd-new with postfix and graphdefang for much
the same thing.

	-Bill



Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, December 06, 2004 6:44 PM -0800 Bill Randle <bi...@neocat.org> 
wrote:

> Obviously, these are tailored for each specific message, so it's
> not a generic solution, but it can help. Currently, there are
> signatures for 18 different banking phish and two auction phish.

Additionally, if you run SA and Clam from MIMEDefang, you can use the 
contributed Graphdefang package to serve graphs of your spam, viruses, and 
phish from your web server, and can see how many phishing attempts of each 
type were blocked.

<http://mimedefang.org/>

Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

Posted by Bill Randle <bi...@neocat.org>.
On Mon, 2004-12-06 at 18:29, Robert Menschel wrote:
> Hello Wolfgang,
> 
> Monday, December 6, 2004, 7:39:09 AM, you wrote:
> 
> LW>> That's because such a rule won't work.  All manner of real mail ends up
> LW>> sending things that have a real link address different from the one shown in
> LW>> the link.  Often it is a very minor difference, like https vs http, but
> LW>> sometimes there are no points of reality at all between them. This shows up
> LW>> a lot in stuff generated from databases.
> 
> WH> If there is a visible URL to a different server than the one in
> WH> real URL, I would not only want to tag that as possible spam, but
> WH> rather have a nice red 20pt headline added to the mail: WARNING -
> WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED
> 
> As the current ninja maintaining the SARE URI rules file (though not
> the fraud or spoof files), I gladly invite you to develop such a rule.
> If you can offer us a rule that does what you want, and in our testing
> does not hit excessively on non-spam, we'll gladly include it in our
> SARE rules file, and will support your submission of that rule to the
> SA developers.
> 
> At this point in time, I can't think of a good (efficient) way to do
> this that wouldn't also hit huge numbers of non-spam.
> 
> Bob Menschel

Just a note of information, for those looking to stop phishing attacks:
the open source anti-virus program ClamAV has added signatures for
several phishing emails. When this is used, they will be blocked
before they ever hit SpamAssassin.

Obviously, these are tailored for each specific message, so it's
not a generic solution, but it can help. Currently, there are
signatures for 18 different banking phish and two auction phish.

http://www.clamav.net/

	-Bill