Posted to users@spamassassin.apache.org by Micah Anderson <mi...@riseup.net> on 2008/10/30 20:56:53 UTC

Phishing rules?

I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:

postfix is doing:
	reject_rbl_client	b.barracudacentral.org,
	reject_rbl_client       zen.spamhaus.org,
	reject_rbl_client       list.dsbl.org,

I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).

I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25_uribl.cf automatically, right? Or do I need to configure
that? If it's automatic, that pulls in SURBL phishing). I've got Botnet
setup, PDFinfo and postcards, I'm using DCC and a bayesdb, I've got the
hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
can think of....but for some reason phishing attempts keep getting
through.

Sadly, I do not have an example I can share at the moment, as I
typically delete them in a rage after training my bayes filter on
them. However, I am looking for any suggestions of other things I can
turn on... in particular, are there rules that people have created that
look for certain keywords where the body is asking for your
account/password information?

Thanks for any ideas,
micah


Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Karsten Bräckelmann <gu...@rudersport.de> writes:

> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>> 
>> postfix is doing:
>> 	reject_rbl_client	b.barracudacentral.org,
>> 	reject_rbl_client       zen.spamhaus.org,
>> 	reject_rbl_client       list.dsbl.org,
>> 
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I'd increase this, at least for the SaneSecurity phish sigs. They are
> being updated much more frequently.

Thanks for the pointer. For some reason I thought I had read on the
SaneSecurity site that you shouldn't pull more than once a day, but now
after you mentioned it I went and read again and they ask you don't pull
more frequently than once an hour... so I've changed that cronjob, that
should help.

>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>
> Yes, unless you disable network tests in general. Should be easy to
> answer yourself if they are working, just by grepping for the rule names
> defined in 25_uribl.cf.

Network tests aren't disabled, and yeah I am seeing those rules occur in
some of my headers of mail that I can search through, so I think that
they are working. I've increased my overall URIBL scoring to 2.5 from
the default.

>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>
> So you've pretty much thrown everything at it you could find... ;)  And
> they are still slipping through? How many are we talking here? Compared
> to the total number of spam / phish?
>
> Also, how many are being caught? Strikes me as odd that you don't have a
> sample but yet sound like every single one is slipping by.

These are hard for me to answer as I am not doing any analysis of how
many are caught. In the last week, I've gotten four of them through, and
I've received reports from a number of users that they too have received
them.

I've just sent a sample to the list however. 

> I guess, I would start verifying that all the above actually is working.
> Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's
> share, by far, assuming it comes before SA in your chain.

Yeah, I'm using the clamav-milter, so those get rejected really early
on.

Thanks for the ideas,
Micah


Re: Phishing rules?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
> 
> postfix is doing:
> 	reject_rbl_client	b.barracudacentral.org,
> 	reject_rbl_client       zen.spamhaus.org,
> 	reject_rbl_client       list.dsbl.org,
> 
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).

I'd increase this, at least for the SaneSecurity phish sigs. They are
being updated much more frequently.


> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure

Yes, unless you disable network tests in general. Should be easy to
answer yourself if they are working, just by grepping for the rule names
defined in 25_uribl.cf.


> that? If it's automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, I'm using DCC and a bayesdb, I've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of....but for some reason phishing attempts keep getting
> through.
> 
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?

So you've pretty much thrown everything at it you could find... ;)  And
they are still slipping through? How many are we talking here? Compared
to the total number of spam / phish?

Also, how many are being caught? Strikes me as odd that you don't have a
sample but yet sound like every single one is slipping by.

I guess, I would start verifying that all the above actually is working.
Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's
share, by far, assuming it comes before SA in your chain.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
SM <sm...@resistor.net> writes:

> At 07:56 01-11-2008, Micah Anderson wrote:
>>Here is an example one I received recently; note the hideously low bayes
>>score on this one, which caused it to autolearn as ham even, grr.
>
> [snip]
>
>>X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>>         autolearn=ham version=3.2.5
>
> The sender is whitelisted by www.dnswl.org.

Yeah, because this one was forwarded through debian.org, which is
legitimate. The spam originator was not debian.org, but debian.org is
the one in dnswl.org.

>>Received: from master.debian.org (master.debian.org [70.103.162.29])
>>         by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>>         for <mi...@riseup.net>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
>
> The mail is coming through debian.org.  Do you want to blacklist that host?

No, I do not. 



Re: Phishing rules?

Posted by SM <sm...@resistor.net>.
At 07:56 01-11-2008, Micah Anderson wrote:
>Here is an example one I received recently; note the hideously low bayes
>score on this one, which caused it to autolearn as ham even, grr.

[snip]

>X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>         autolearn=ham version=3.2.5

The sender is whitelisted by www.dnswl.org.

>Received: from master.debian.org (master.debian.org [70.103.162.29])
>         by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>         for <mi...@riseup.net>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)

The mail is coming through debian.org.  Do you want to blacklist that host?

Regards,
-sm 


Re: Phishing rules?

Posted by Byung-Hee HWANG <bh...@izb.knu.ac.kr>.
Micah Anderson wrote:
[...]
> Report them where exactly?
> 
> Here is an example one I received recently; note the hideously low bayes
> score on this one, which caused it to autolearn as ham even, grr.
> 
> 
> From mayodayo@3web.net Fri Oct 31 20:00:45 2008
> Return-Path: <ma...@3web.net>
> X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 1225549253-0134941395044-v6.0.3
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
> X-Spam-Level: 
> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
> 	autolearn=ham version=3.2.5
> Delivered-To: micah@riseup.net
> Received: from mx1.riseup.net (unknown [10.8.0.3])
> 	by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
> 	for <mi...@riseup.net>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
> Received: from master.debian.org (master.debian.org [70.103.162.29])
> 	by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
> 	for <mi...@riseup.net>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
[...]
Contact debian.org's list manager instead of other actions. That's more
reasonable. And more, I think we need to study the DKIM specification
[RFC4871] to build an Internet of trust ;;

byunghee

Re: Casino scams

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Am 2008-11-01 17:00:09, schrieb Martin Gregorie:
> I've started to see Casino spam in the last week and noticed, that of

You mean this "Royal Casino" thing, of which I get one every 2 hours?
I'd like to have the rule since my current spamassassin lets it through...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)

Re: Casino scams

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Please do not hijack threads. Compose a new email rather than hitting
Reply. Changing the subject does not make it a new thread.


Well, at least it's related. ;)

On Sat, 2008-11-01 at 17:00 +0000, Martin Gregorie wrote:
> I've started to see Casino spam in the last week and noticed, that of
> the five examples I captured, only one was hit by the FM_VEGAS_CASINO
> rule, which appears to be too narrowly targeted on Las Vegas casinos

These are actually malware spreading mail. ClamAV plus its third-party
SaneSecurity phish sigs do stop almost all of those quite nicely.

Also, various URI BLs should include the URIs rather early. Are you
perhaps missing some of these in your SA setup? Maybe put some examples
up a pastebin and send the link here.


> I've written a rule running that hits all five example messages and none
> of the other 59 messages on my rogues gallery. If this is of interest to
> the rest of the SA community, kindly let me know how new rule
> suggestions should be submitted.

If you're feeling confident about the rule, you can open a new bug.
However, you always can simply post it here for discussion and a broader
peer-review first in either case.

  guenther




Casino scams

Posted by Martin Gregorie <ma...@gregorie.org>.
I've started to see Casino spam in the last week and noticed, that of
the five examples I captured, only one was hit by the FM_VEGAS_CASINO
rule, which appears to be too narrowly targeted on Las Vegas casinos

I've written a rule running that hits all five example messages and none
of the other 59 messages on my rogues gallery. If this is of interest to
the rest of the SA community, kindly let me know how new rule
suggestions should be submitted.

Martin



Re: Phishing rules?

Posted by Benny Pedersen <me...@junc.org>.
On Mon, November 3, 2008 12:02, Martin Gregorie wrote:
> ^http:.*\.spaces\.live\.com\/$
> in its body but the From: header identifies a completely unrelated
> address. Would a rule that tags messages with this From and URI combo be
> useful or would it generate too many FPs?

http://www.nabble.com/Re:-FreeMail-plugin-td16200020.html

might be helpful

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Phishing rules?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote:
> Joseph Brennan <br...@columbia.edu> writes:
> 
> >> Reply-to: s.team43@live.com
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE	Reply-to =~ /\@live\.com/
> > score LOCAL_REPLYTO_LIVE        8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.
> 
> Is live.com a legitimate email sender? It looks Microsoft-related. If I
> set it to 8, then any mail from that address is surely going to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.
> 
The latest pharmacy scam to get through my filters has a URI that
matches:
 
	^http:.*\.spaces\.live\.com\/$

in its body but the From: header identifies a completely unrelated
address. Would a rule that tags messages with this From and URI combo be
useful or would it generate too many FPs?
 

Martin




Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Sahil Tandon <sa...@tandon.net> writes:

> Joseph Brennan <br...@columbia.edu> wrote:
>
>>> We get some legitimate email from @live.com users.
>>
>> But they don't set a Reply-to header.  That's the test.
>
> But that wasn't his question; he asked whether any legitimate mail flows
> from live.com.  That was my answer. :)

You are technically correct, but Joseph's message made clear the
information that I was not aware of, which was quite helpful and
technically better.

Micah


Re: Phishing rules?

Posted by Sahil Tandon <sa...@tandon.net>.
Joseph Brennan <br...@columbia.edu> wrote:

>> We get some legitimate email from @live.com users.
>
> But they don't set a Reply-to header.  That's the test.

But that wasn't his question; he asked whether any legitimate mail flows
from live.com.  That was my answer. :)

-- 
Sahil Tandon <sa...@tandon.net>

Re: Phishing rules?

Posted by Joseph Brennan <br...@columbia.edu>.
Sahil Tandon <sa...@tandon.net> wrote:

> We get some legitimate email from @live.com users.


But they don't set a Reply-to header.  That's the test.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology



Re: Phishing rules?

Posted by Sahil Tandon <sa...@tandon.net>.
Micah Anderson <mi...@riseup.net> wrote:

> Joseph Brennan <br...@columbia.edu> writes:
> 
> >> Reply-to: s.team43@live.com
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE	Reply-to =~ /\@live\.com/
> > score LOCAL_REPLYTO_LIVE        8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.
> 
> Is live.com a legitimate email sender? It looks Microsoft-related. If I
> set it to 8, then any mail from that address is surely going to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.

It is Microsoft:

% whois `dig +short live.com`

OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
...

> Or perhaps nothing but spam comes from live.com? I don't know anything
> about it.

We get some legitimate email from @live.com users. 

-- 
Sahil Tandon <sa...@tandon.net>

Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Joseph Brennan <br...@columbia.edu> writes:

>> Reply-to: s.team43@live.com
>
>
> First pass:
>
> header LOCAL_REPLYTO_LIVE	Reply-to =~ /\@live\.com/
> score LOCAL_REPLYTO_LIVE        8.0
>
> Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> fp in a couple of months.

Is live.com a legitimate email sender? It looks Microsoft-related. If I
set it to 8, then any mail from that address is surely going to get caught as
spam, which may not be the right thing depending on other potential
legitimate addresses sending from that domain.

Or perhaps nothing but spam comes from live.com? I don't know anything
about it.

micah


Re: Phishing rules?

Posted by Joseph Brennan <br...@columbia.edu>.

> Reply-to: s.team43@live.com


First pass:

header LOCAL_REPLYTO_LIVE	Reply-to =~ /\@live\.com/
score LOCAL_REPLYTO_LIVE        8.0

Maybe scoring 8.0 for one thing scares you, but I haven't seen this
fp in a couple of months.

Joseph Brennan
Columbia University Information Technology



Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Randy <rr...@livedatagroup.com> writes:

> Micah Anderson wrote:
>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>>   
> Report these and maybe they will add something that catches them. If
> one wanted to, they can get any mail they want through your filters if
> they are good and don't use things that trigger the rules.

Report them where exactly?

Here is an example one I received recently; note the hideously low bayes
score on this one, which caused it to autolearn as ham even, grr.


From mayodayo@3web.net Fri Oct 31 20:00:45 2008
Return-Path: <ma...@3web.net>
X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 1225549253-0134941395044-v6.0.3
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.2.5
Delivered-To: micah@riseup.net
Received: from mx1.riseup.net (unknown [10.8.0.3])
	by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
	for <mi...@riseup.net>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
Received: from master.debian.org (master.debian.org [70.103.162.29])
	by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
	for <mi...@riseup.net>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
Received: from cat.cybersurf.net ([209.197.145.185] helo=cat.cia.com)
	by master.debian.org with esmtp (Exim 4.63)
	(envelope-from <ma...@3web.net>)
	id 1Kw6j8-0003iT-Ix
	for micah@riseup.net; Sat, 01 Nov 2008 03:00:38 +0000
Received: from reef.cybersurf.com ([209.197.145.198])
	by cat.cia.com with esmtp (Exim 4.50)
	id 1Kw6iz-0002Li-Pg; Fri, 31 Oct 2008 21:00:29 -0600
Received: from apache by reef.cybersurf.com with local (Exim 4.44)
	id 1Kw6j0-0006W5-UJ; Fri, 31 Oct 2008 20:00:30 -0700
Received: from 196-207-0-227.netcomng.com (196-207-0-227.netcomng.com [196.207.0.227]) 
	by webmail.3web.com (IMP) with HTTP 
	for <ma...@mail.cybersurf.com>; Sat,  1 Nov 2008 14:00:30 +1100
Message-ID: <12...@webmail.3web.com>
Date: Sat,  1 Nov 2008 14:00:30 +1100
From: WEBMAIL Help Desk <ma...@3web.net>
Reply-to: s.team43@live.com
Subject: WEBMAIL Help Desk
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
X-Originating-IP: 196.207.0.227
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV 0.94/8552/Fri Oct 31 18:14:36 2008 on mx1.riseup.net
X-Virus-Status: Clean
Status: RO
Content-Length: 1427
Lines: 38


Dear Webmail User,
This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are
received.
The program is run weekly to ensure no one's inbox grows too large. If
your inbox becomes too large, you will be unable to receive new email.
Just before this message was sent, you had 18 Megabytes (MB) or more of
messages stored in your inbox on your Webmail. To help us re-set your
SPACE on our database prior to maintain your INBOX, you must reply to
this e-mail and enter your

Current User name (            )
and Password(           ).

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmai
will move your oldest email to a
folder in your home directory to ensure that you will continue to be
able to receive incoming email. You will be notified by email that this
has taken place. If your inbox grows to 25 MB, you will be unable to
receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE it to another
folder.

Thank you for your cooperation.
WEBMAIL Help Desk






---------------------------------------------------------------------------
3webXS HiSpeed Dial-up...surf up to 5x faster than regular dial-up alone... 
just $14.90/mo...visit www.get3web.com for details




Re: Phishing rules?

Posted by Randy <rr...@livedatagroup.com>.
Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> 	reject_rbl_client	b.barracudacentral.org,
> 	reject_rbl_client       zen.spamhaus.org,
> 	reject_rbl_client       list.dsbl.org,
>
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of....but for some reason phishing attempts keep getting
> through.
>
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?
>
> Thanks for any ideas,
> micah
>
>   
Report these and maybe they will add something that catches them. If one 
wanted to, they can get any mail they want through your filters if they 
are good and don't use things that trigger the rules.

Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Joseph Brennan <br...@columbia.edu> writes:

> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /\@live\.com/

I created a meta-rule out of these (with a score of 8), and then ran
spamassassin -D < phish to see how it worked. It matched the meta-rule
flawlessly, but the phish ended up with only a 5.4 score due to BAYES_00
dragging it down. That was surprising to me, so I started to wonder if
my bayes DB was poisoned.

I ran some stats, and the results seem to indicate a healthy bayes
database (unless I am reading this wrong)... A side note: it's
interesting to note how only 9% of our email is spam, which seems low,
but maybe clamav-milter+rbls are blocking the remaining 40%?

Email:  2379392  Autolearn: 1075396  AvgScore:  -6.32  AvgScanTime:  5.96 sec
Spam:    227816  Autolearn: 114079  AvgScore:  14.75  AvgScanTime:  4.23 sec
Ham:    2151576  Autolearn: 961317  AvgScore:  -8.56  AvgScanTime:  6.15 sec

Time Spent Running SA:      3941.26 hours
Time Spent Processing Spam:  267.76 hours
Time Spent Processing Ham:  3673.50 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK	RULE NAME               	COUNT  %OFMAIL %OFSPAM  %OFHAM        
----------------------------------------------------------------------
   1	HTML_MESSAGE            	154522	 54.03	 67.83	 52.57
   2	BAYES_99                	134531	  6.09	 59.05	  0.48
   3	BOTNET                  	133687	  8.90	 58.68	  3.63
   4	RDNS_NONE               	102255	 10.19	 44.88	  6.51
   5	URIBL_JP_SURBL          	98879	  4.94	 43.40	  0.87
   6	MIME_HTML_ONLY          	87518	  7.62	 38.42	  4.36
   7	URIBL_OB_SURBL          	76624	  3.98	 33.63	  0.84
   8	DCC_CHECK               	74600	  8.51	 32.75	  5.94
   9	URIBL_AB_SURBL          	59890	  2.72	 26.29	  0.23
  10	URIBL_SC_SURBL          	53911	  2.51	 23.66	  0.27
  11	RCVD_IN_BL_SPAMCOP_NET  	43120	  2.43	 18.93	  0.68
  12	URIBL_WS_SURBL          	38251	  1.79	 16.79	  0.21
  13	URIBL_RHS_DOB           	36565	  2.17	 16.05	  0.70
  14	BAYES_50                	35322	  3.93	 15.50	  2.71
  15	HTML_IMAGE_ONLY_16      	33887	  1.68	 14.87	  0.28
  16	HTML_SHORT_LINK_IMG_2   	33118	  1.56	 14.54	  0.19
  17	HTML_IMAGE_RATIO_02     	32757	  2.93	 14.38	  1.72
  18	URIBL_SBL               	30456	  1.80	 13.37	  0.57
  19	RAZOR2_CHECK            	27722	  2.55	 12.17	  1.53
  20	RAZOR2_CF_RANGE_51_100  	26856	  2.41	 11.79	  1.41
----------------------------------------------------------------------

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK	RULE NAME               	COUNT  %OFMAIL %OFSPAM  %OFHAM        
----------------------------------------------------------------------
   1	BAYES_00                	2002969	 84.67	  5.15	 93.09
   2	HTML_MESSAGE            	1131073	 54.03	 67.83	 52.57
   3	UNPARSEABLE_RELAY       	760567	 32.93	 10.12	 35.35
   4	DKIM_SIGNED             	693328	 29.74	  6.26	 32.22
   5	DKIM_VERIFIED           	531590	 22.67	  3.38	 24.71
   6	ALL_TRUSTED             	173612	  7.30	  0.05	  8.07
   7	USER_IN_WHITELIST       	155704	  6.54	  0.00	  7.24
   8	RDNS_NONE               	140127	 10.19	 44.88	  6.51
   9	DCC_CHECK               	127844	  8.51	 32.75	  5.94
  10	RCVD_IN_DNSWL_LOW       	101863	  4.31	  0.34	  4.73
  11	MIME_HTML_ONLY          	93817	  7.62	 38.42	  4.36
  12	RCVD_IN_DNSWL_MED       	90038	  3.81	  0.31	  4.18
  13	WHOIS_NETSOLPR          	87575	  3.72	  0.38	  4.07
  14	MIME_QP_LONG_LINE       	82804	  4.49	 10.52	  3.85
  15	BOTNET                  	78052	  8.90	 58.68	  3.63
  16	BAYES_50                	58286	  3.93	 15.50	  2.71
  17	FUZZY_AMBIEN            	53284	  2.28	  0.38	  2.48
  18	SARE_SUB_ENC_UTF8       	50533	  2.14	  0.17	  2.35
  19	SARE_MILLIONSOF         	42268	  1.84	  0.67	  1.96
  20	FORGED_YAHOO_RCVD       	38762	  1.74	  1.16	  1.80
----------------------------------------------------------------------


Then I looked to see what bayes did with the message, but I do not
understand how to read the output, can someone explain this to me and
give me an idea why BAYES_00 fired when we've been feeding every one of
these spams to bayes to train on it?

$ spamassassin -D bayes < phish 
[9595] dbg: bayes: using username: @GLOBAL
[9595] dbg: bayes: database connection established
[9595] dbg: bayes: found bayes db version 3
[9595] dbg: bayes: Using userid: 4
[9595] dbg: bayes: corpus size: nspam = 6782956, nham = 15364321
[9595] dbg: bayes: header tokens for *p = "U*mayodayo D*3web.net D*net"
[9595] dbg: bayes: header tokens for *F = "U*mayodayo D*3web.net D*net"
[9595] dbg: bayes: header tokens for Reply-to = "U*s.team43 D*live.com
D*com"
[9595] dbg: bayes: header tokens for MIME-Version = ""
[9595] dbg: bayes: header tokens for *c = "/plain; charset=ISO-8859-1"
[9595] dbg: bayes: header tokens for Content-Transfer-Encoding = "8bit"
[9595] dbg: bayes: header tokens for X-Originating-IP = "196.207.0.227"
[9595] dbg: bayes: header tokens for To = ""
[9595] dbg: bayes: header tokens for X-Languages = " en"
[9595] dbg: bayes: header tokens for X-Languages-Length = " 1213"
[9595] dbg: bayes: header tokens for X-Spam-Relays-External = " [
ip=209.197.145.198 rdns=reef.cybersurf.com helo=reef.cybersurf.com
by=cat.cia.com ident= envfrom= intl=0 id=1Kw6iz-0002Li-Pg auth= msa=0 ]
[ ip=196.207.0.227 rdns=196-207-0-227.netcomng.com
helo=196-207-0-227.netcomng.com by=webmail.3web.com ident= envfrom=
intl=0 id= auth=HTTP msa=0 ] [ ip=196.207.0.227 rdns= helo= by= ident=
envfrom= intl=0 id= auth= msa=0 ]"
[9595] dbg: bayes: header tokens for X-Spam-Relays-Internal = " "
[9595] dbg: bayes: header tokens for *RT = " "
[9595] dbg: bayes: header tokens for *RU = " [ ip=209.197.145.198
rdns=reef.cybersurf.com helo=reef.cybersurf.com by=cat.cia.com ident=
envfrom= intl=0 id=1Kw6iz-0002Li-Pg auth= msa=0 ] [ ip=196.207.0.227
rdns=196-207-0-227.netcomng.com helo=196-207-0-227.netcomng.com
by=webmail.3web.com ident= envfrom= intl=0 id= auth=HTTP msa=0 ] [
ip=196.207.0.227 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0
]"
[9595] dbg: bayes: header tokens for *r = " 196-207-0-227.netcomng.com
(196-207-0-227.netcomng.com [196.207.0 ip*196.207.0.227 ]) by
webmail.3web.com (IMP) HTTP <ma...@mail.cybersurf.com>; "
[9595] dbg: bayes: header tokens for *r = " 196-207-0-227.netcomng.com
(196-207-0-227.netcomng.com [196.207.0 ip*196.207.0.227 ]) by
webmail.3web.com (IMP) HTTP <ma...@mail.cybersurf.com>; apache by
reef.cybersurf.com local (Exim 4.44) id 1Kw6j0-0006W5-UJ; "
[9595] dbg: bayes: tok_get_all: token count: 142
[9595] dbg: bayes: token 'weekly' => 0.000135596068218096
[9595] dbg: bayes: token 'becomes' => 0.000298722931704609
[9595] dbg: bayes: token 'inbox' => 0.000343185200935573
[9595] dbg: bayes: token 'one's' => 0.000597114317425083
[9595] dbg: bayes: token 'folder' => 0.00064482620854974
[9595] dbg: bayes: token 'webmail' => 0.000671660424469413
[9595] dbg: bayes: token 'INBOX' => 0.000805791313030454
[9595] dbg: bayes: token 'Webmail' => 0.00100686213349969
[9595] dbg: bayes: token 'inboxes' => 0.00107385229540918
[9595] dbg: bayes: token 'SPACE' => 0.0011503920171062
[9595] dbg: bayes: token 'reset' => 0.00200996264009963
[9595] dbg: bayes: token 'oldest' => 0.00320874751491054
[9595] dbg: bayes: token 'SAVE' => 0.00400496277915633
[9595] dbg: bayes: token 'Bates' => 0.0156699029126214
[9595] dbg: bayes: token 'bates' => 0.0156699029126214
[9595] dbg: bayes: token 'current' => 0.0200447781112092
[9595] dbg: bayes: token 'H*r:IMP' => 0.0961561369397845
[9595] dbg: bayes: token 'notified' => 0.121287867011135
[9595] dbg: bayes: token 'Password' => 0.13640095340516
[9595] dbg: bayes: token 'HX-Spam-Relays-External:sk:webmail' => 0.1492193587257
[9595] dbg: bayes: token 'H*RU:sk:webmail' => 0.1492193587257
[9595] dbg: bayes: score = 1.83186799063151e-15

Any ideas would be very appreciated! My goal is to stop these phishers
from getting their mail through, but even with a customized rule set to
a high score, they will get through if BAYES_00 fires...

micah
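The four regexes Joseph posted, the all-or-nothing meta-rule Micah built from them, and the "3 or more single rules" arithmetic meta Ned suggests further down the thread, as an added example that is not from the thread and not SpamAssassin's own code: a small Python evaluator that reads SA-style rule lines, applies them to a constructed copy of the sample phish, and shows why the arithmetic meta survives a one-word change that defeats the all-must-hit meta. Rule names other than LOCAL_REPLYTO_LIVE, all scores, and the sample addresses are assumptions.

```python
import re

# Rule names other than LOCAL_REPLYTO_LIVE and all scores are assumptions;
# the regexes are the ones quoted in the thread.
RULES_CF = r"""
header  LOCAL_REPLYTO_LIVE  Reply-to =~ /\@live\.com/
body    LOCAL_DEAR_WEBMAIL  /Dear .{0,12}(web ?mail|columbia\.edu)/i
body    LOCAL_PW_BLANK      /Password.{0,10}\([\s\.\*\_]+\)/
body    LOCAL_MUST_REPLY    /you must reply to this email/i
meta    LOCAL_PHISH_ALL     (LOCAL_DEAR_WEBMAIL && LOCAL_PW_BLANK && LOCAL_MUST_REPLY && LOCAL_REPLYTO_LIVE)
meta    LOCAL_PHISH_3OF4    ((LOCAL_DEAR_WEBMAIL + LOCAL_PW_BLANK + LOCAL_MUST_REPLY + LOCAL_REPLYTO_LIVE) >= 3)
score   LOCAL_REPLYTO_LIVE  1.0
score   LOCAL_DEAR_WEBMAIL  1.0
score   LOCAL_PW_BLANK      1.0
score   LOCAL_MUST_REPLY    1.0
score   LOCAL_PHISH_ALL     8.0
score   LOCAL_PHISH_3OF4    4.0
"""

# Constructed sample: an abbreviated copy of the phish quoted in the thread,
# addresses replaced, its "e-mail" spelling and line wrapping kept.
SAMPLE = """From: WEBMAIL Help Desk <helpdesk@example.invalid>
Reply-to: s.team43@live.com

Dear Webmail User,
To help us re-set your SPACE on our database, you must reply to
this e-mail and enter your

Current User name (            )
and Password(           ).
"""

_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}
_META_TOKEN = re.compile(r"\s*(\d+|[A-Z][A-Z0-9_]*|>=|<=|==|!=|&&|\|\||[()+<>!])")
_META_WORDS = {"&&": " and ", "||": " or ", "!": " not "}

def _compile(pattern_with_flags):
    """Turn an SA-style '/regex/flags' into a compiled Python regex."""
    body, _, flags = pattern_with_flags.strip().rpartition("/")
    rflags = 0
    for f in flags:
        rflags |= _FLAGS[f]
    return re.compile(body[1:], rflags)  # body[1:] drops the leading '/'

def parse_rules(cf_text):
    """Parse header/body/meta/score lines into ([(kind, name, spec)], {name: score})."""
    rules, scores = [], {}
    for line in cf_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "score":
            scores[name] = float(rest)
        elif kind == "header":
            hdr, _, pat = rest.partition("=~")
            rules.append((kind, name, (hdr.strip().lower(), _compile(pat))))
        elif kind == "body":
            rules.append((kind, name, _compile(rest)))
        elif kind == "meta":
            rules.append((kind, name, rest.strip()))
    return rules, scores

def split_message(raw):
    """Return (headers, body); body whitespace squeezed, roughly what SA body rules see."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return headers, " ".join(body.split())

def _eval_meta(expr, hits):
    """Evaluate a meta expression over 0/1 hits; only whitelisted tokens reach eval."""
    pos, out = 0, []
    while pos < len(expr):
        m = _META_TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad meta token near: " + expr[pos:])
        tok = m.group(1)
        if tok[0].isalpha():
            tok = str(hits.get(tok, 0))  # unknown rule names count as 0
        out.append(_META_WORDS.get(tok, tok))
        pos = m.end()
    return int(bool(eval("".join(out), {"__builtins__": {}}, {})))

def scan(raw, cf_text=RULES_CF):
    """Apply header and body rules, then metas; return (hits, total score)."""
    rules, scores = parse_rules(cf_text)
    headers, body = split_message(raw)
    hits = {}
    for kind, name, spec in rules:
        if kind == "header":
            hits[name] = int(bool(spec[1].search(headers.get(spec[0], ""))))
        elif kind == "body":
            hits[name] = int(bool(spec.search(body)))
    for kind, name, spec in rules:
        if kind == "meta":
            hits[name] = _eval_meta(spec, hits)
    total = sum(scores.get(n, 1.0) for n, h in hits.items() if h)
    return hits, round(total, 1)

if __name__ == "__main__":  # "e-mail" in the sample defeats only the all-must-hit meta
    for msg in (SAMPLE, SAMPLE.replace("e-mail", "email")):
        print(scan(msg))
```

The third regex on the page says "email" while the sample says "e-mail", so on the sample as quoted only three single rules hit: the AND meta stays silent, the 3-of-4 meta still fires.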


Re: Phishing rules?

Posted by Ned Slider <ne...@unixmail.co.uk>.
Micah Anderson wrote:
> Joseph Brennan <br...@columbia.edu> writes:
> 
> 
>> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>>
>> /Password.{0,10}\([\s\.\*\_]+\)/
>>
>> /you must reply to this email/i
>>
>> Reply-to =~ /\@live\.com/
> 
> I'm new at writing custom rules, so I am trying to figure out the best
> way to do this. Would it be better to make a different rule for each one
> of these, or would it be better to make a meta-rule? My guess is it's
> better to make a meta-rule, but that means that each rule must hit in
> order to get the larger score, versus some of the individual rules
> hitting and adding up to the larger score. The meta-rule seems good
> because it describes a full profile phishing email that must be met, but
> it seems bad because one tweak of the phish would result in the
> meta-rule not matching overall. I suppose this is the point of the
> arithmetic meta-rule possibility, however I'm puzzled at the best
> mechanism to choose. Any advice would be appreciated.
> 

My thinking is lots of low scoring rules are better than one large 
scoring rule. You can however combine the two techniques with metarules 
whereby if 3 or more single scoring rules are met a metarule adds an 
additional score just for good measure.

> Once I figure out the best way to match these, I need a good way to
> determine what I should score these, the rule-writing documentation
> suggests starting at 0.1 and then moving it up as you test it, and
> suggests extreme caution scoring a custom rule over 1, however it seems
> like these would be better scored higher than that.
> 

That depends on how specific your rules are. Try to write rules for 
phrases rather than single words. If the phish are specific to you then 
it shouldn't be too difficult to write rules to specifically catch them. 
If/when the phishers tweak the phish then you'll need to tweak your rules.

Look at the emails with an analytical eye - what giveaway signs tell you 
that they are spam? Then try to write rules to detect what you see.

>> The first of course is partly local to us.  Another useful local rule
>> is to check for the uri of your own webmail.
> 
> Yeah, i'll make a uri rule for that and probably add that to the
> meta-rule.
> 
> Thanks for any advice,
> micah
> 
> 


Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Joseph Brennan <br...@columbia.edu> writes:


> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /\@live\.com/

I'm new at writing custom rules, so I am trying to figure out the best
way to do this. Would it be better to make a different rule for each one
of these, or would it be better to make a meta-rule? My guess is it's
better to make a meta-rule, but that means that each rule must hit in
order to get the larger score, versus some of the individual rules
hitting and adding up to the larger score. The meta-rule seems good
because it describes a full profile phishing email that must be met, but
it seems bad because one tweak of the phish would result in the
meta-rule not matching overall. I suppose this is the point of the
arithmetic meta-rule possibility, however I'm puzzled at the best
mechanism to choose. Any advice would be appreciated.

Once I figure out the best way to match these, I need a good way to
determine what I should score these, the rule-writing documentation
suggests starting at 0.1 and then moving it up as you test it, and
suggests extreme caution scoring a custom rule over 1, however it seems
like these would be better scored higher than that.

> The first of course is partly local to us.  Another useful local rule
> is to check for the uri of your own webmail.

Yeah, i'll make a uri rule for that and probably add that to the
meta-rule.

Thanks for any advice,
micah


Re: Phishing rules?

Posted by Joseph Brennan <br...@columbia.edu>.
Micah Anderson <mi...@riseup.net> wrote:

> I mean attempts to get my users to send their passwords, are these not
> called phishing?
>
> micah
>

Yes, it's phishing, but for those you might want to make local rules to
catch things specific to your own web mail system and domain.

I find myself reluctant to publish all the patterns we check, in case
someone is watching, but taking your sample, these would match here:


/Dear .{0,12}(web ?mail|columbia\.edu)/i

/Password.{0,10}\([\s\.\*\_]+\)/

/you must reply to this email/i

Reply-to =~ /\@live\.com/


The first of course is partly local to us.  Another useful local rule
is to check for the uri of your own webmail.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology

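Joseph's four patterns and his own-webmail uri suggestion, written as the "lots of low-scoring rules plus a metarule once several hit" layout Ned Slider describes earlier in the thread. This is an added example for SpamAssassin 3.2 local.cf, not config from anyone in the thread; example.com (standing in for the columbia.edu alternation), the rule names, the scores and the webmail hostname are placeholders to adjust for your site.

```conf
# local.cf excerpt (constructed example; example.com, rule names and scores are placeholders)

# One low-scoring rule per pattern. Each one alone nudges the score a little;
# only the combination at the bottom adds real weight.
body     LOCAL_PHISH_DEAR_WEBMAIL  /Dear .{0,12}(web ?mail|example\.com)/i
describe LOCAL_PHISH_DEAR_WEBMAIL  Salutation addressed to webmail or our domain
score    LOCAL_PHISH_DEAR_WEBMAIL  0.5

body     LOCAL_PHISH_PASSWORD_BLANK /Password.{0,10}\([\s\.\*\_]+\)/
describe LOCAL_PHISH_PASSWORD_BLANK Fill-in blank after the word Password
score    LOCAL_PHISH_PASSWORD_BLANK 0.5

body     LOCAL_PHISH_MUST_REPLY    /you must reply to this email/i
describe LOCAL_PHISH_MUST_REPLY    Demands a reply by email
score    LOCAL_PHISH_MUST_REPLY    0.5

header   LOCAL_PHISH_REPLYTO_FREEMAIL Reply-To =~ /\@live\.com/i
describe LOCAL_PHISH_REPLYTO_FREEMAIL Reply-To points at a freemail account
score    LOCAL_PHISH_REPLYTO_FREEMAIL 0.5

# Joseph's other suggestion: a uri rule for the address of your own webmail.
uri      LOCAL_PHISH_OWN_WEBMAIL_URI /webmail\.example\.com/i
describe LOCAL_PHISH_OWN_WEBMAIL_URI Mentions the URI of our own webmail
score    LOCAL_PHISH_OWN_WEBMAIL_URI 0.3

# Arithmetic metarule: every rule that hits counts as 1, so the bonus applies
# when any three or more of the five fire. A phisher rewording one phrase
# therefore does not defeat the whole thing, unlike a plain AND of all rules.
meta     LOCAL_PHISH_COMBO (LOCAL_PHISH_DEAR_WEBMAIL + LOCAL_PHISH_PASSWORD_BLANK + LOCAL_PHISH_MUST_REPLY + LOCAL_PHISH_REPLYTO_FREEMAIL + LOCAL_PHISH_OWN_WEBMAIL_URI) >= 3
describe LOCAL_PHISH_COMBO Three or more local phish indicators
score    LOCAL_PHISH_COMBO 4.0
```

A message matching all four of Joseph's patterns then collects 2.0 from the single rules plus 4.0 from the metarule. Check the syntax with `spamassassin --lint`, then run `spamassassin -t < sample.eml` on a saved phish to see which rules actually hit before raising any score.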


Re: Phishing rules?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2008-11-01 at 18:01 -0400, Joseph Brennan wrote:
> Karsten Bräckelmann <gu...@rudersport.de> wrote:
> 
> > Anyway, can't you educate your users [...]
> 
> Experience tells me the answer is no, or at least a qualified no.  And
> we're supposed to have smart people here.
> 
> I suppose the number of responses might be even higher if we did not
> try to educate people.  I'll try to comfort myself with that.

Joseph,  I was afraid you or Micah would tell me exactly that. *sigh*


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Phishing rules?

Posted by Joseph Brennan <br...@columbia.edu>.
Karsten Bräckelmann <gu...@rudersport.de> wrote:

> Anyway, can't you educate your users


Experience tells me the answer is no, or at least a qualified no.  And
we're supposed to have smart people here.

I suppose the number of responses might be even higher if we did not
try to educate people.  I'll try to comfort myself with that.


Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Karsten Bräckelmann <gu...@rudersport.de> writes:

> On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
>> Joseph Brennan <br...@columbia.edu> writes:
>
>> > Do you mean attempts to get your users to send their passwords,
>> > or fake mail pretending to be from banks?
>> 
>> I mean attempts to get my users to send their passwords, are these not
>> called phishing?
>
> An important bit of information, missing from the OP. :)  Targeted
> attacks at your users, so the general phishing BLs don't really apply.
>
> Anyway, can't you educate your users, that
>
> (a) Any administrative email will be sent from an official, well known,
>     internal address? That means *not* an arbitrary address. Yes, sorry,
>     the obvious...
> (b) They will *never* ever be asked for a password by mail. Period.
>     Again, obvious...

We've been telling our users this for years, but there is always someone
who doesn't listen, or forgets, or something. I don't know. I find it
absolutely incredible that anyone would fall for any of these, yet I am
the one who has to clean up the mess :P

> Then block internal / administrative From addresses coming from any
> external SMTP.

Yeah, that's done, they don't get by faking our From, but the body is
constructed in a way to mislead and impersonate our "staff" or whatever,
usually by threatening people that their account will be closed, unless
they reply.

> This is not a technical way of stopping these, but an educational
> approach to prevent the most dumb and gross social engineering. At least
> the second one actually should be well-known, and I've seen ISPs
> pointing it out frequently...

Thanks, but we've done all these and continue to do them; they are
another plank in the various mechanisms that we must employ.

micah


Re: Phishing rules?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
> Joseph Brennan <br...@columbia.edu> writes:

> > Do you mean attempts to get your users to send their passwords,
> > or fake mail pretending to be from banks?
> 
> I mean attempts to get my users to send their passwords, are these not
> called phishing?

An important bit of information, missing from the OP. :)  Targeted
attacks at your users, so the general phishing BLs don't really apply.

Anyway, can't you educate your users, that

(a) Any administrative email will be sent from an official, well known,
    internal address? That means *not* an arbitrary address. Yes, sorry,
    the obvious...
(b) They will *never* ever be asked for a password by mail. Period.
    Again, obvious...

Then block internal / administrative From addresses coming from any
external SMTP.

This is not a technical way of stopping these, but an educational
approach to prevent the most dumb and gross social engineering. At least
the second one actually should be well-known, and I've seen ISPs
pointing it out frequently...

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

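Karsten's "block internal / administrative From addresses coming from any external SMTP", expressed as a Postfix restriction list in the same style as the reject_rbl_client lines the OP already runs. This is an added example, not config from anyone in the thread; example.com and the map path are placeholders.

```conf
# main.cf excerpt (constructed example; example.com and the map path are placeholders)
#
# Order matters: permit_mynetworks and permit_sasl_authenticated come first, so
# mail from our own hosts and from authenticated users never reaches the sender
# check. Only outside SMTP clients are subjected to check_sender_access.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org

# /etc/postfix/sender_access (rebuild with "postmap /etc/postfix/sender_access")
# A bare domain entry matches every address at that domain and its subdomains.
example.com   REJECT Our domain does not send mail from outside hosts

# Caveats:
# - This checks only the envelope sender (MAIL FROM). A forged header From:
#   is not seen here; that needs a check that can tell internal from external
#   submissions, for instance a SpamAssassin header rule combined with
#   !ALL_TRUSTED once trusted_networks is set correctly.
# - Legitimate mail carrying our envelope sender from outside (users relaying
#   through another ISP without SASL, forwarding accounts) is rejected too;
#   allow such sources explicitly above this check.
```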

Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Joseph Brennan <br...@columbia.edu> writes:

> Micah Anderson <mi...@riseup.net> wrote:
>
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>
> Do you mean attempts to get your users to send their passwords,
> or fake mail pretending to be from banks?

I mean attempts to get my users to send their passwords, are these not
called phishing?

micah


Re: Phishing rules?

Posted by Joseph Brennan <br...@columbia.edu>.
Micah Anderson <mi...@riseup.net> wrote:

> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:



Do you mean attempts to get your users to send their passwords,
or fake mail pretending to be from banks?

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


Re: Phishing rules?

Posted by Bill Landry <bi...@inetmsg.com>.
Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
> 
> postfix is doing:
> 	reject_rbl_client	b.barracudacentral.org,
> 	reject_rbl_client       zen.spamhaus.org,
> 	reject_rbl_client       list.dsbl.org,
> 
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).
> 
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of....but for some reason phishing attempts keep getting
> through.
> 
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?
> 
> Thanks for any ideas,
> micah
> 
Consider submitting them to SaneSecurity (www.sanesecurity.com) so that
the signatures can be added to their phishing signature database.

Bill

Re: Phishing rules?

Posted by mouss <mo...@netoyen.net>.
Jeff Chan wrote:
> On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
> 
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
> 
> [...]
>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>> that? if its automatic, that pulls in SURBL phishing).
> 
> Increase the score on:
> 
>         URIBL_PH_SURBL
> 

Out of curiosity, what score do you suggest?


> The current SpamAssassin rules scoring process gives it an
> artificially low score which is counterproductive IMO.  If you
> want to stop more phishing spams, consider increasing the score. 
> 
> Jeff C.


Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
Brent Clark <br...@gmail.com> writes:

> Hiya
>
> See SA examples
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> Also add hostkarma.junkemailfilter.com to your DNSBL.

Thanks, I'll add this to my local.cf and see how it goes.

> Another thing I do find is useful is adding additional higher valued
> MX records.
>
> http://www.junkemailfilter.com/spam/support.html

I don't really like the idea of adding some other site's MX to my DNS, so
I think I'll pass on this one.

thanks for the suggestions!
micah


Re: Phishing rules?

Posted by Brent Clark <br...@gmail.com>.
Hiya

See SA examples

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists

Also add hostkarma.junkemailfilter.com to your DNSBL.

Works really well.

Another thing I do find is useful is adding additional higher valued MX 
records.

http://www.junkemailfilter.com/spam/support.html

HTH

Regards
Brent Clark

Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
* Jeff Chan <je...@surbl.org> [2008-10-31 02:36-0400]:
> On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
> 
> > I keep getting hit by phishing attacks, and they aren't being stopped by
> > anything I've thrown up in front of them:
> 
> [...]
> > I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> > pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> > that? if its automatic, that pulls in SURBL phishing).
> 
> Increase the score on:
> 
>         URIBL_PH_SURBL
> 
> The current SpamAssassin rules scoring process gives it an
> artificially low score which is counterproductive IMO.  If you
> want to stop more phishing spams, consider increasing the score. 

Thanks, I will do so... however the phishing emails I am getting are
of two types:

. generalized phishes, which I would expect SURBL to be able to detect a
large percentage of
. targeted phishing to my domain where the phisher attempts to
impersonate the 'admins' and ask for usernames/passwords. These I don't
think will get hits on SURBL, because they are specific to my domain,
and these are actually the more damaging because users are more likely
to be fooled by something that is claiming to come from 'us'.

Micah

Re: Phishing rules?

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:

> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:

[...]
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
> that? if its automatic, that pulls in SURBL phishing).

Increase the score on:

        URIBL_PH_SURBL

The current SpamAssassin rules scoring process gives it an
artificially low score which is counterproductive IMO.  If you
want to stop more phishing spams, consider increasing the score. 

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Phishing rules?

Posted by mouss <mo...@netoyen.net>.
Micah Anderson wrote:
> * Kelson <ke...@speed.net> [2008-10-30 17:29-0400]:
>> Micah Anderson wrote:
>>> 	reject_rbl_client       list.dsbl.org,
>> DSBL has shut down, and you should remove the query from your list.  It  
>> won't help with the phishing, but it'll free up some network resources.  
>> Info: http://dsbl.org/node/3
> 
> Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
> is a shame. 

Why? That's what I use (I only use other DNSBLs in some cases).

> I had to remove barracuda because I've received already 3
> complaints about false-positives, that's a real shame, because it was
> blocking about 3x as much as zen was.
> 

can you share these FPs? if you can't post them to a public list but can 
post them to me, I am interested.

>>> I've got clamav pulling signatures updated once a day from sanesecurity
>>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
>> before they even get to SpamAssassin.  We call clamd through MIMEDefang,
>> then call SpamAssassin (also through MimeDefang) if a message passes.
>>
>> Have you verified that Clam is using the SaneSecurity signatures?  How  
>> are you calling ClamAV?
> 
> Oh I'm certainly blocking phishing attempts via the SaneSecurity
> signatures, probably 200+ in the last hour alone. However, the phishing
> emails that are getting through are not known to their signature
> database, and in some cases have been directly targeted at the domain I
> am managing. That's why I am interested in rules that look for typical
> phishing emails. These emails are usually quite similar in their
> construction, so it seems like a good case for rules.
> 

It's hard to block all phishes, since new forms appear every now and then.

Re: Phishing rules?

Posted by Micah Anderson <mi...@riseup.net>.
* Kelson <ke...@speed.net> [2008-10-30 17:29-0400]:
> Micah Anderson wrote:
>> 	reject_rbl_client       list.dsbl.org,
>
> DSBL has shut down, and you should remove the query from your list.  It  
> won't help with the phishing, but it'll free up some network resources.  
> Info: http://dsbl.org/node/3

Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
is a shame. I had to remove barracuda because I've received already 3
complaints about false-positives, that's a real shame, because it was
blocking about 3x as much as zen was.

>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
> before they even get to SpamAssassin.  We call clamd through MIMEDefang,
> then call SpamAssassin (also through MimeDefang) if a message passes.
>
> Have you verified that Clam is using the SaneSecurity signatures?  How  
> are you calling ClamAV?

Oh I'm certainly blocking phishing attempts via the SaneSecurity
signatures, probably 200+ in the last hour alone. However, the phishing
emails that are getting through are not known to their signature
database, and in some cases have been directly targeted at the domain I
am managing. That's why I am interested in rules that look for typical
phishing emails. These emails are usually quite similar in their
construction, so it seems like a good case for rules.

micah

Re: Phishing rules?

Posted by Kelson <ke...@speed.net>.
Micah Anderson wrote:
> 	reject_rbl_client       list.dsbl.org,

DSBL has shut down, and you should remove the query from your list.  It
won't help with the phishing, but it'll free up some network resources.
Info: http://dsbl.org/node/3

> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).

Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
before they even get to SpamAssassin.  We call clamd through MIMEDefang,
then call SpamAssassin (also through MimeDefang) if a message passes.

Have you verified that Clam is using the SaneSecurity signatures?  How 
are you calling ClamAV?

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>