Quoting Robert Lopez <rlopez...@gmail.com>:
> A recent postfix-users thread had comments (about SpamAssassin) along the lines of content inspection being evil by design. (Andreas and Stan) In my mind content inspection would include anti-virus checking. Am I wrong?
At least my comment was in the context of spam, not malware. Even the human recipients sometimes have trouble deciding by content what is spam, so an automatic detection for such a diffuse target is doomed to fail. Furthermore, if you don't use a pre-queue filter (most content filters don't), you have no useful option for what to do with spam-tagged mail.
> I recognize postscreen as an effective defence. But there are other kinds of attacks. It seems the only thing to attempt to identify spear phishing is content inspection. When someone takes the time and puts out the effort to target an organization, appearing to be from that organization, I know of no other way than to do pattern matching against email content. If I am trying the wrong approach I would like to know. What are the alternatives that are successfully used? Especially in the area of Spear Phishing?
Real Spear Phishing is handcrafted and specially targeted, so you won't detect it with automatic content filters, which rely on patterns and already known URLs and the like anyway. If the sender is able to fool the human recipient, it is also able to fool the content filter, given it is not a widespread, already known attack which is also caught by RBL/Postscreen/Greylisting etc.
Baseline is you might gain some low additional percentage of spam caught with a big percentage of additional problems. I have seen too many mails silently vanish in some spam folder to believe that content filters could be desirable.
But as always: YMMV

Regards

Andreas