Posted to users@spamassassin.apache.org by in...@cs.utexas.edu on 2009/04/04 18:04:30 UTC

webmail phishing?

Hi,

Before I try to roll my own, does anyone have a set of rules or a plugin
designed to detect all these webmail account phishes.   You know -- the kind
that pretend to be a webmail administrator who informs the user his/her
webmail account is being upgraded or has exceeded quota or whatever ..
And that it is necessary for the user to send them a login/password
pair for validation?  One commonly used indicator is
	username: ....
	password: ....
and many variations of the same.  They frequently use a Reply-To header
with a From header of the local organization (university, in our case).

I would also be interested in a more general ruleset to identify other
types of identity theft via personal data such as DOB, SSN, PIN, etc.

One would hope that users have seen so many of these by now that they
would immediately detect them as fraudulent.  But at a large university
we have an ever-renewing crop of naive users.

Thanks,
Fletcher

Re: webmail phishing?

Posted by Rick Macdougall <ri...@ummm-beer.com>.
info-spamassassin-talk@cs.utexas.edu wrote:
> Hi,
> 
> Before I try to roll my own, does anyone have a set of rules or a plugin
> designed to detect all these webmail account phishes.   You know -- the kind
> that pretend to be a webmail administrator who informs the user his/her
> webmail account is being upgraded or has exceeded quota or whatever ..
> And that it is necessary for the user to send them a login/password
> pair for validation?  One commonly used indicator is
> 	username: ....
> 	password: ....

Hi,

I've used the following to block on the subject.

header   PHISH2   Subject =~ /UPGRADE YOUR.*ACCOUNT/i
describe PHISH2   Attempted password scam
score    PHISH2   50

header   PHISH3   Subject =~ /UPDATE YOUR.*ACCOUNT/i
describe PHISH3   Attempted password scam
score    PHISH3   50

Regards,

Rick
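
The two indicators named in the original question (username:/password: prompts in the body, and a Reply-To that leaves the organization while From claims to be local), written as SpamAssassin rules. This is an added example, not part of any poster's message; the domain example.edu, the rule names and the scores are assumptions to adapt locally.

```conf
# Added example. Assumption: example.edu stands in for the local domain.

# From claims a local address (subdomains included).
header   __WM_FROM_LOCAL      From:addr =~ /\@(?:[\w-]+\.)*example\.edu$/i
# A Reply-To header is present and its address is NOT local.
# The exists: test is needed so a missing Reply-To does not count as off-site.
header   __WM_HAS_REPLYTO     exists:Reply-To
header   __WM_REPLYTO_LOCAL   Reply-To:addr =~ /\@(?:[\w-]+\.)*example\.edu$/i
meta     __WM_REPLYTO_OFFSITE __WM_FROM_LOCAL && __WM_HAS_REPLYTO && !__WM_REPLYTO_LOCAL

# Fill-in-the-blank credential prompts. Two sub-rules joined by a meta,
# because the prompts usually sit on separate lines of the body.
body     __WM_ASKS_USER       /\b(?:user[\s_-]?(?:name|id)|login(?:[\s_-]?(?:name|id))?|e-?mail[\s_-]?(?:address|id))\s*[:=]/i
body     __WM_ASKS_PASS       /\bpass(?:word|code)?\s*[:=]/i
meta     __WM_CRED_FORM       __WM_ASKS_USER && __WM_ASKS_PASS

# The form alone also appears in legitimate helpdesk mail, so it scores low.
meta     LOCAL_WM_CRED_FORM   __WM_CRED_FORM
describe LOCAL_WM_CRED_FORM   Body has username:/password: fields to fill in
score    LOCAL_WM_CRED_FORM   1.5

# Form plus local From plus off-site Reply-To: the pattern described above.
meta     LOCAL_WM_PHISH       __WM_CRED_FORM && __WM_REPLYTO_OFFSITE
describe LOCAL_WM_PHISH       Credential form, local From, off-site Reply-To
score    LOCAL_WM_PHISH       4.0
```

Both scored rules fire on a full match, so the assumed scores add up to 5.5; check the file with `spamassassin --lint` and run it against a corpus of known-good mail before raising them.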


Re: webmail phishing?

Posted by Benny Pedersen <me...@junc.org>.
On Sat, April 4, 2009 18:04, info-spamassassin-talk@cs.utexas.edu wrote:
> But at a large university we have an ever-renewing crop of
> naive users.

http://www.clamav.org/ Here I have over 1 million sigs now, maybe I
am naive too?

Help get more here http://www.clamav.net/sendvirus/ :-)

http://www.sanesecurity.org/ also more sigs

-- 
http://localhost/ 100% uptime and 100% mirrored :)