>> I agree, we definitely need SURBL black lists. They have helped tremendously
>> against spam! I just feel that it would be chasing one's tail a bit to try
>> to catch phishing in SURBL.
>>
>> People who do phishing are going to change their IP address (IP where the
>> actual target/sucker is sent) frequently. They are also probably going to
>> use random and ever changing computer IPs outside the US for obvious legal
>> reasons. Maybe zombies even, who knows.
>>
>> Any domain names in a phishing email code are most likely going to be legit
>> domain names such as ebay.com, bankofamerica.com, southtrustbank.com etc.
>> These are the domains visible to the target/sucker.
Hi,

whatever does the job :)

I have suggested before to implement a check of visible vs. actual URL.
While it seems that some legit sites use that as well, probably a little
relationship between the two addresses should exist. E.g. a URL with
something like ?id=4711 and with /some_product_name can be accepted, if
both servers belong to the same netblock or are served by the same
nameservers.

I do not really feel bad about a big "this might be a phish" warning on
legit mail, and legit senders should hopefully be interested in changing
their mails so that they do not get trapped. If a big company really feels
the need to launch an ad campaign created by an outside company which looks
phishy, and definitely matches everybody's idea of unsolicited commercial
mail, I would not really feel any sympathy just because they get an extra
phish tag attached :)

While catching phish is not the primary job of SA, nor that of an antivirus,
SA already has the infrastructure to check URLs against the DNS.

>> So it just seems to me that an antivirus program is better for detecting
>> HTML code patterns of these schemes rather than the IP address of the day/week
>> that they would be sending from in South Korea, Russia or China, etc. There
>> is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
>> it on my SA system and it does the job of sending it on to my next
>> downstream systems marked as spam. I have more antivirus on downstream
>> systems that will delete real viruses as well since I just use ClamAV for
>> spam tagging for simplicity's sake. (I don't want to put a ton of programs on
>> the computer to call SA, such as Amavis-new, etc., so that is why I do
>> this.)

Checking whether apparent and actual URL are related should detect all cases
where the real URL points at a zombie.

Wolfgang Hamann

>> >And by the way: I REALLY appreciate your SURBL lists and hard
>> >work even if I think other tools supplement and help make your
>> >stuff even better.
>> >
>> >My security principles include (but are not limited to):
>> >
>> > 1) Stop as much as possible at the outer perimeter
>> >    (earlier the better)
>> >
>> > 2) Defense in depth
>> >
>> >For us, the virus scanning happens before the Spam tests;
>> >early is good.
>> >
>> >--
>> >Herb Martin
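The visible-vs-actual URL check Wolfgang proposes above, as an added example that is not code from this thread or from SpamAssassin: an anchor is accepted when the host shown to the reader and the host in the href are identical, share a nameserver, or sit in the same netblock. DNS answers come from a constructed in-memory table (FAKE_DNS) instead of real lookups, the /24 netblock width is an assumption, and every hostname and address is a constructed documentation value.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS: A record and NS set per host (no real lookups).
FAKE_DNS = {
    "www.example-bank.com":     {"ip": "203.0.113.10", "ns": {"ns1.example-bank.com", "ns2.example-bank.com"}},
    "track.example-bank.com":   {"ip": "203.0.113.55", "ns": {"ns.other-dns.example"}},      # same /24 only
    "promo.example-agency.net": {"ip": "198.51.100.7", "ns": {"ns1.example-bank.com"}},     # shared NS only
    "cheap-host.example.org":   {"ip": "192.0.2.99",   "ns": {"ns.cheap-host.example.org"}},  # unrelated
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A URL-looking token in the anchor's visible text ("www.example-bank.com/offer").
URL_IN_TEXT = re.compile(r'(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?', re.I)

def hostname(u):
    """Lower-cased host of a URL; a bare host/path gets a scheme so urlparse works."""
    if "://" not in u:
        u = "http://" + u
    return (urlparse(u).hostname or "").lower()

def related(visible_host, actual_host, dns=FAKE_DNS, prefix=24):
    """True if the two hosts are identical, share a nameserver, or share a /prefix netblock."""
    if visible_host == actual_host:
        return True
    a, b = dns.get(visible_host), dns.get(actual_host)
    if not a or not b:          # unresolvable host: treat as unrelated (fail closed)
        return False
    if a["ns"] & b["ns"]:
        return True
    net = ipaddress.ip_network(f"{a['ip']}/{prefix}", strict=False)
    return ipaddress.ip_address(b["ip"]) in net

def check_links(html, dns=FAKE_DNS):
    """For each anchor whose visible text looks like a URL, return (visible, actual, verdict)."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        m = URL_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if not m:               # visible text is not a URL ("click here"): nothing to compare
            continue
        v, a = hostname(m.group(0)), hostname(href)
        results.append((v, a, "ok" if related(v, a, dns) else "phish"))
    return results

# Constructed sample mail body: one honest link, two related hosts, one zombie.
SAMPLE_HTML = """
<p>Log in at <a href="http://www.example-bank.com/login">www.example-bank.com</a></p>
<p>Offer: <a href="http://promo.example-agency.net/?id=4711">www.example-bank.com/offer</a></p>
<p>Stats: <a href="http://track.example-bank.com/some_product_name">www.example-bank.com/stats</a></p>
<p>Verify: <a href="http://cheap-host.example.org/ebay/">www.example-bank.com/verify</a></p>
<p><a href="http://cheap-host.example.org/x">click here</a></p>
"""
```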