On 3/18/2012 8:16 PM, sporkman wrote:
Joseph Brennan wrote:
Imagine one of your users sending mail to a list that another of your
users subscribes to.
I can't quite see the case there. My rule specifically matches a mismatch
between the envelope-from and From: only when the From: purports to b
sting for the last few days with a
low score and it's doing pretty well.
Always open to more ideas though...
Charles
--
View this message in context:
http://old.nabble.com/Better-phish-detection-tp33478328p33529003.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
On 3/16/2012 1:11 PM, Joseph Brennan wrote:
--On Thursday, March 15, 2012 19:21 -0700 sporkman wrote:
-envelope-from is not from our domain, From: line in the message is,
being
able to clobber that pattern would be quite helpful by itself.
Imagine one of your users sending mail to a list t
sporkman wrote:
-I'm not going to go into details, but the messages quite often have a
from or envelope-from that we simply don't use when sending email to
customers or replying to them. In fact, all of these samples have that
wrong.
Just reject that. No chance of false positives. No MET
--On Thursday, March 15, 2012 19:21 -0700 sporkman wrote:
-envelope-from is not from our domain, From: line in the message is, being
able to clobber that pattern would be quite helpful by itself.
Imagine one of your users sending mail to a list that another of your
users subscribes to.
Jo
ispam\@bway.net/i
meta BWAY_PHISH_FROM (__ENV_FROM_TEST && __FROM_TEST)
describe BWAY_PHISH_FROM Mismatched From: and envelope-from
# the score line must name the meta rule itself, or it silently applies to nothing
score BWAY_PHISH_FROM 1.0
This one looks for our hostname in the URI, and if it's not there, but some
variation of our domain shows up in the rest of the URI, it matches:
# "domain" is the URI's host part; anchor the allowlist so a host such as
# bway.net.example.com is not accepted as ours by an unanchored /bway.net/
uri_detail BWAY_PHISH_LINKS domain !~ /^(?:www\.|webmail\.)?bway\.net$/ raw =~ /bway\.html?|webmail\.bway\.net/
describe BWAY_PHISH_LINKS Strange links that pretend to be webmail
score BWAY_PHISH_LINKS 1.0
I'm also toying with the idea of some meta rules that take each of those
and also do a body check for the most common words (i.e. "account",
"update", "deactivated", etc.) and bump the score up further.
I'd never seen "uri_detail" before, but it seems pretty handy:
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html
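The same three checks as a stand-alone script, added here as an illustration and not code from the thread or from SpamAssassin. It assumes the site's only legitimate web hosts are bway.net, www.bway.net and webmail.bway.net, that the envelope sender is available as Return-Path, and that the From: test is limited to a small set of official sender addresses (OFFICIAL_SENDERS is an assumption standing in for the address in the poster's truncated __FROM_TEST rule); both sample messages are constructed. Unlike the unanchored domain regex in the rule above, the host comparison here is exact, so a phishing host such as bway.net.example.org is not accepted as ours.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "bway.net"
# Hosts that may legitimately appear in a link to us (the three from the thread).
LEGIT_HOSTS = {"bway.net", "www.bway.net", "webmail.bway.net"}
# ASSUMPTION: addresses the site really sends customer mail from. Restricting the
# From: test to these avoids flagging a user's own post to an outside mailing list.
OFFICIAL_SENDERS = {"support@bway.net", "postmaster@bway.net"}
BRAND_RE = re.compile(r"bway", re.I)
PHISH_WORDS_RE = re.compile(r"\b(account|update|deactivated|suspended|verify)\b", re.I)
URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
SCORES = {"BWAY_PHISH_FROM": 1.0, "BWAY_PHISH_LINKS": 1.0, "BWAY_PHISH_WORDS": 1.5}


def mail_address(header_value):
    """Bare, lower-cased address from a header such as 'Name <user@host>'."""
    return parseaddr(header_value or "")[1].lower()


def mismatched_from(msg):
    """BWAY_PHISH_FROM: From: claims an official sender, but the envelope
    sender (Return-Path) is outside our domain."""
    hdr = mail_address(msg.get("From"))
    env = mail_address(msg.get("Return-Path"))
    return hdr in OFFICIAL_SENDERS and not env.endswith("@" + OUR_DOMAIN)


def strange_links(body):
    """BWAY_PHISH_LINKS: URIs whose host is not one of ours but which carry
    the brand somewhere else in the URI (path, or a look-alike hostname)."""
    hits = []
    for uri in URI_RE.findall(body):
        host = (urlparse(uri).hostname or "").lower()
        if host not in LEGIT_HOSTS and BRAND_RE.search(uri):
            hits.append(uri)
    return hits


def score_message(raw):
    """Return (total score, names of rules that hit) for one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = []
    if mismatched_from(msg):
        hits.append("BWAY_PHISH_FROM")
    if strange_links(body):
        hits.append("BWAY_PHISH_LINKS")
    # The "toying with" meta rule: wording only bumps the score when one of
    # the structural rules has already fired, so ordinary mail about accounts
    # is not penalised on its own.
    if hits and PHISH_WORDS_RE.search(body):
        hits.append("BWAY_PHISH_WORDS")
    return sum(SCORES[h] for h in hits), hits


# Constructed sample: the phish pattern from the thread (spoofed official
# From:, outside envelope sender, brand buried in a foreign URI).
PHISH = """\
Return-Path: <webmaster@example.org>
From: "Bway.net Support" <support@bway.net>
To: victim@bway.net
Subject: Account update required

Your account will be deactivated. Log in at
http://broomesol.com/upgrade.webmail.bway.net/main_login.htm
or http://bway.net.example.org/login
"""

# Constructed sample: a user's own post to an outside list, which the
# narrower From: test must NOT flag.
LIST_POST = """\
Return-Path: <users-bounces@lists.example.org>
From: Alice <alice@bway.net>
To: users@lists.example.org
Subject: Re: Better phish detection

See https://webmail.bway.net/ for our real login page.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("list post", LIST_POST)):
        print(name, score_message(raw))
```

Running it prints a score of 3.5 with all three rule names for the phish sample and 0 with no hits for the list post; the second sample is the case Joseph Brennan raised, and it stays clean only because the From: test is tied to official sender addresses rather than to the whole domain.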
-Original Message-
From: David F. Skoll [mailto:d...@roaringpenguin.com]
Sent: Monday, March 12, 2012 12:49 PM
To: users@spamassassin.apache.org
Subject: Re: Better phish detection
Hi,
I've been following this thread... not sure how many of you are aware of this
project:
On 16/03/12 02:21, sporkman wrote:
Ned Slider wrote:
On 12/03/12 17:02, David B Funk wrote:
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rul
't use when sending email to customers or
replying to them. In fact, all of these samples have that wrong.
-Most the messages contain a URL that includes our domain in it after the
host part of the URL. The ones that don't still include "bway" somewhere in
the URL.
If I could slap together a rule that detects those three anomalies together,
I'd be pretty happy.
On 12/03/12 17:02, David B Funk wrote:
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a
url containing bway.net (or even just bw
On Mon, 12 Mar 2012 14:47:41 -0500 (CDT)
David B Funk wrote:
> This concept was discussed/debated on this list about 2 years ago (~
> Apr 2009; search for the subject of "emailBL").
> There was some disagreement about how to handle the '@' within
> the context of a DNS record and about privacy/s
On Mon, 12 Mar 2012, Simon Loewenthal wrote:
Paul Russell wrote:
The list was originally started by a group of email administrators in
higher education who
were attempting to deal with an epidemic of compromised accounts that
were being exploited
to send password phishing spam, mostly to addr
Paul Russell wrote:
>On 3/12/2012 12:58, Simon Loewenthal wrote:
>>
>> At first glance:
>> This is a private black list of email addresses maintained by many. Free
>to use, but it'll turn into a huge file for a server to parse.
>>
>> Eventually we moved from hosts files to DNS :)
>>
>> I shoul
I have some statistics about the Anti-Phishing Email Reply project.
Our quarantine currently has 1,906,179 messages of which 4022 were caught
because of addresses on APER. All 4022 look like spam or phishing attempts.
So even though APER caught only about 0.21% of our quarantined messages,
the on
On 3/12/2012 12:58, Simon Loewenthal wrote:
At first glance:
This is a private black list of email addresses maintained by many. Free to use,
but it'll turn into a huge file for a server to parse.
Eventually we moved from hosts files to DNS :)
I should rather block content not email addresses
On Mon, 12 Mar 2012 13:05:24 -0400
Paul Russell wrote:
> Most of the phishing spam we see seems to come from
> apparently-compromised accounts, so we seldom see the same sender
> address for more than a few hours, or a few days, at most.
Right... the list is reactive. I find it usually takes an
On 3/12/2012 12:49, David F. Skoll wrote:
Hi,
I've been following this thread... not sure how many of you are aware of
this project:
http://code.google.com/p/anti-phishing-email-reply/
We use the phishing address list and it does catch a few things. We
don't yet use the phishing URL list, but
On Mon, 12 Mar 2012 17:58:22 +0100
Simon Loewenthal wrote:
> At first glance:
> This is a private black list of email addresses maintained by many. Free
> to use, but it'll turn into a huge file for a server to parse.
Well yes, if you aren't smart about how you use it. :)
We use it by throwing aw
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that should
ever appear in an email, create a meta rule that looks for a url containing
bway.net (or even just bway or webmail or login etc), but isn't
"David F. Skoll" wrote:
>Hi,
>
>I've been following this thread... not sure how many of you are aware
>of
>this project:
>
>http://code.google.com/p/anti-phishing-email-reply/
>
>We use the phishing address list and it does catch a few things. We
>don't yet use the phishing URL list, but it look
On 03/12/2012 05:45 PM, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a
url containing bway.net (or even just bway or webmail or login etc),
but isn't
Hi,
I've been following this thread... not sure how many of you are aware of
this project:
http://code.google.com/p/anti-phishing-email-reply/
We use the phishing address list and it does catch a few things. We
don't yet use the phishing URL list, but it looks like it might help.
Naturally, th
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a url
containing bway.net (or even just bway or webmail or login etc), but
isn't https://webmail.bway.net/.
Create meta
On Sun, 11 Mar 2012, dar...@chaosreigns.com wrote:
The software used to generate the sought rules, or perhaps an old version
of it, is in the spamassassin source tree. You can feed it a folder of
known non-spams, and a folder of known spams, and it'll auto-generate rules
that hit the spams but
Dave Funk wrote:
>>
>> As an admin on a site that regularly gets hit with phish attacks, I can
>> answer that. The forms are most often a web-page, which are:
>>
>> 1) forms hosted on Google-Docs or legit survey sites.[0]
>> 2) sites hidden behind URL-shorteners
would you want to submit detai
ounteract this?
>
> Thanks,
>
> Charles
--
"If you are not paranoid... you may not be paying attention."
- j...@creative-net.net, on an IDPA mailing list
http://www.ChaosReigns.com
On 10/03/12 20:27, sporkman wrote:
Generally it is easier to offer suggestions if examples are provided (on
pastebin)
Here's the latest example:
http://broomesol.com/upgrade.webmail.bway.net/main_login.htm
Compare to our actual webmail login:
https://webmail.bway.net/
This one is ea
Hi,
the replica seems to be down
Things that could be promising:
a) the form target seems to be similar to your site name
b) it is probably possible to detect similarity between your image and the
replica
I guess that the presence of upgrade or webmail and a form url with bway inside
migh
On Sat, 10 Mar 2012, haman...@t-online.de wrote:
Hello,
We are getting a fair amount of very targeted phish attempts to our
userbase. Since we are relatively small, I don't think any of the URIBLs
really help (or phishtank or other lists) since we're not a large bank or
paypal or anything lik
hey used to hotlink our css
and images until I started serving up a "different" version. Now they host
the images and css with the form.
Here's the latest example:
http://broomesol.com/upgrade.webmail.bway.net/main_login.htm
Compare to our actual webmail login:
https://webma
>>
>>
>> Hello,
>>
>> We are getting a fair amount of very targeted phish attempts to our
>> userbase. Since we are relatively small, I don't think any of the URIBLs
>> really help (or phishtank or other lists) since we're not a large bank or
>> paypal or anything like that.
>>
>> I did see s