On 3/18/2012 8:16 PM, sporkman wrote:
Joseph Brennan wrote:
Imagine one of your users sending mail to a list that another of your
users subscribes to.
I can't quite see the case there. My rule specifically matches a mismatch
between the envelope-from and From: only when the From: purports to b
Joseph Brennan wrote:
>
>
>
> --On Thursday, March 15, 2012 19:21 -0700 sporkman wrote:
>
>> -envelope-from is not from our domain, From: line in the message is,
>> being
>> able to clobber that pattern would be quite helpful by itself.
>
>
> Imagine one of your users sending mail to a li
On 3/16/2012 1:11 PM, Joseph Brennan wrote:
--On Thursday, March 15, 2012 19:21 -0700 sporkman
wrote:
-envelope-from is not from our domain, From: line in the message is,
being
able to clobber that pattern would be quite helpful by itself.
Imagine one of your users sending mail to a list t
sporkman wrote:
-I'm not going to go into details, but the messages quite often have a
from or envelope-from that we simply don't use when sending email to
customers or replying to them. In fact, all of these samples have that
wrong.
Just reject that. No chance of false positives. No MET
--On Thursday, March 15, 2012 19:21 -0700 sporkman wrote:
-envelope-from is not from our domain, From: line in the message is, being
able to clobber that pattern would be quite helpful by itself.
Imagine one of your users sending mail to a list that another of your
users subscribes to.
Jo
Ned Slider wrote:
>
> On 16/03/12 02:21, sporkman wrote:
>>
>>
>>
>> Ned Slider wrote:
>>>
>>> On 12/03/12 17:02, David B Funk wrote:
On Mon, 12 Mar 2012, Paul Russell wrote:
> On 3/10/2012 16:43, Ned Slider wrote:
>>
>> This one is easy enough - if the latter is the only
-Original Message-
From: David F. Skoll [mailto:d...@roaringpenguin.com]
Sent: Monday, March 12, 2012 12:49 PM
To: users@spamassassin.apache.org
Subject: Re: Better phish detection
Hi,
I've been following this thread... not sure how many of you are aware of this
project:
On 16/03/12 02:21, sporkman wrote:
Ned Slider wrote:
On 12/03/12 17:02, David B Funk wrote:
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rul
>Here's a collection from our support folks:
> http://home.bway.net/spork/phish/
Hi,
I've added a few sigs to junk.ndb and phish.ndb which might help a little,
if you are using ClamAV and Third-Party signatures.
Cheers,
Steve
Sanesecurity.co.uk
Ned Slider wrote:
>
> On 12/03/12 17:02, David B Funk wrote:
>> On Mon, 12 Mar 2012, Paul Russell wrote:
>>
>>> On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks f
On 12/03/12 17:02, David B Funk wrote:
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a
url containing bway.net (or even just bw
On Mon, 12 Mar 2012 14:47:41 -0500 (CDT)
David B Funk wrote:
> This concept was discussed/debated on this list about 2 years ago (~
> Apr 2009; search for the subject of "emailBL").
> There was some disagreement about how to handle the '@' within
> the context of a DNS record and about privacy/s
On Mon, 12 Mar 2012, Simon Loewenthal wrote:
Paul Russell wrote:
The list was originally started by a group of email administrators in
higher education who
were attempting to deal with an epidemic of compromised accounts that
were being exploited
to send password phishing spam, mostly to addr
Paul Russell wrote:
>On 3/12/2012 12:58, Simon Loewenthal wrote:
>>
>> At first glance:
>> This is a private black list of email addresses maintained by many. Free
>to use, but it'll turn into a huge file for a server to parse.
>>
>> Eventually we moved from hosts files to DNS :)
>>
>> I shoul
I have some statistics about the Anti-Phishing Email Reply project.
Our quarantine currently has 1,906,179 messages of which 4022 were caught
because of addresses on APER. All 4022 look like spam or phishing attempts.
So even though APER caught only about 0.21% of our quarantined messages,
the on
On 3/12/2012 12:58, Simon Loewenthal wrote:
At first glance:
This is a private black list of email addresses maintained by many. Free to use,
but it'll turn into a huge file for a server to parse.
Eventually we moved from hosts files to DNS :)
I should rather block content not email addresses
On Mon, 12 Mar 2012 13:05:24 -0400
Paul Russell wrote:
> Most of the phishing spam we see seems to come from
> apparently-compromised accounts, so we seldom see the same sender
> address for more than a few hours, or a few days, at most.
Right... the list is reactive. I find it usually takes an
On 3/12/2012 12:49, David F. Skoll wrote:
Hi,
I've been following this thread... not sure how many of you are aware of
this project:
http://code.google.com/p/anti-phishing-email-reply/
We use the phishing address list and it does catch a few things. We
don't yet use the phishing URL list, but
On Mon, 12 Mar 2012 17:58:22 +0100
Simon Loewenthal wrote:
> At first glance:
> This is a private black list of email addresses maintained by many. Free
> to use, but it'll turn into a huge file for a server to parse.
Well yes, if you aren't smart about how you use it. :)
We use it by throwing aw
On Mon, 12 Mar 2012, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that should
ever appear in an email, create a meta rule that looks for a url containing
bway.net (or even just bway or webmail or login etc), but isn't
"David F. Skoll" wrote:
>Hi,
>
>I've been following this thread... not sure how many of you are aware
>of
>this project:
>
>http://code.google.com/p/anti-phishing-email-reply/
>
>We use the phishing address list and it does catch a few things. We
>don't yet use the phishing URL list, but it look
On 03/12/2012 05:45 PM, Paul Russell wrote:
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a
url containing bway.net (or even just bway or webmail or login etc),
but isn't
Hi,
I've been following this thread... not sure how many of you are aware of
this project:
http://code.google.com/p/anti-phishing-email-reply/
We use the phishing address list and it does catch a few things. We
don't yet use the phishing URL list, but it looks like it might help.
Naturally, th
On 3/10/2012 16:43, Ned Slider wrote:
This one is easy enough - if the latter is the only valid url that
should ever appear in an email, create a meta rule that looks for a url
containing bway.net (or even just bway or webmail or login etc), but
isn't https://webmail.bway.net/.
Create meta
On Sun, 11 Mar 2012, dar...@chaosreigns.com wrote:
The software used to generate the sought rules, or perhaps an old version
of it, is in the spamassassin source tree. You can feed it a folder of
known non-spams, and a folder of known spams, and it'll auto-generate rules
that hit the spams but
Dave Funk wrote:
>>
>> As an admin on a site that regularly gets hit with phish attacks, I can
>> answer that. The forms are most often a web-page, which are:
>>
>> 1) forms hosted on Google-Docs or legit survey sites.[0]
>> 2) sites hidden behind URL-shorteners
would you want to submit detai
The software used to generate the sought rules, or perhaps an old version
of it, is in the spamassassin source tree. You can feed it a folder of
known non-spams, and a folder of known spams, and it'll auto-generate rules
that hit the spams but not the non-spams.
Ah, I documented it some here:
h
On 10/03/12 20:27, sporkman wrote:
Generally it is easier to offer suggestions if examples are provided (on
pastebin)
Here's the latest example:
http://broomesol.com/upgrade.webmail.bway.net/main_login.htm
Compare to our actual webmail login:
https://webmail.bway.net/
This one is ea
Hi,
the replica seems to be down
Things that could be promising:
a) the form target seems to be similar to your site name
b) it is probably possible to detect similarity between your image and the
replica
I guess that the presence of upgrade or webmail and a form url with bway inside
migh
On Sat, 10 Mar 2012, haman...@t-online.de wrote:
Hello,
We are getting a fair amount of very targeted phish attempts to our
userbase. Since we are relatively small, I don't think any of the URIBLs
really help (or phishtank or other lists) since we're not a large bank or
paypal or anything lik
hamann.w wrote:
>
>>>
>>>
>>> Hello,
>>>
>>> We are getting a fair amount of very targeted phish attempts to our
>>> userbase. Since we are relatively small, I don't think any of the
>>> URIBLs
>>> really help (or phishtank or other lists) since we're not a large bank
>>> or
>>> paypal or a
>>
>>
>> Hello,
>>
>> We are getting a fair amount of very targeted phish attempts to our
>> userbase. Since we are relatively small, I don't think any of the URIBLs
>> really help (or phishtank or other lists) since we're not a large bank or
>> paypal or anything like that.
>>
>> I did see s
32 matches