At 17:05 24-04-2009, Casartello, Thomas wrote:
One major issue we've been having lately is with phishing emails
being targeted at us. They're being sent to us from hacked accounts
at other educational institutes. The message usually is about "Your
EDU webmail account is expiring. Please send us your username and
password to fix it." We've had some users fall for it, then their
Exchange account gets turned into a spam machine (sending out the usual
junk spam as well as the original phishing message). Because they
are coming from legitimate sites, it's been very difficult to block
these messages. I've been trying to write phrase rules with common
words used in the message, but whoever's responsible for this is
continually changing the message to prevent you from being able to
catch them with phrase rules. Any thoughts?

There was a project from an educational institution to target
phishing emails. I don't recall the name of the project or whether
the source code was released.
It is going to be a lot of work to keep the rules updated to catch
these emails. Analyze the emails instead of trying to apply the
usual techniques to catch them. Instead of considering the emails as
coming from legitimate sites, you should treat that as a data point
as part of the patterns to identify. The words in the emails might
change but the sender relies on some information for the phish to
work. You should be able to parse the mail traffic for that
information. BTW, there is a larger problem if there are "hacked"
accounts available on the sending network and on your network.
Regards,
-sm
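As an added illustration of the approach the reply suggests (not code from either poster), the script below analyzes the messages instead of matching phrases. The assumption it makes, which the thread does not spell out, is that the "information the phish relies on" for a "send us your username and password" scam is the return path: a Reply-To header or an address in the body that leads somewhere other than the sending institution. The .edu sender is recorded as a data point rather than used as a reason to trust the mail. The three sample messages are constructed for the example and do not come from real traffic; the wording check is deliberately secondary because the thread notes that the phrasing keeps changing.

```python
"""Reply-path analysis for credential-phishing mail (added example, not from the thread)."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Secondary signal: the body asks for something a helpdesk never needs by mail.
CRED_WORDS = re.compile(r"\b(user ?name|user ?id|password|passcode|login)\b", re.I)
# Primary signal: where a victim's reply would actually go.
ADDR_IN_BODY = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed samples (assumed hostnames, not real institutions or traffic).
PHISH_SAMPLE = """\
From: IT Helpdesk <jdoe@example-college.edu>
To: staff@example-university.edu
Reply-To: webmail.support2009@example-freemail.com
Subject: Your EDU webmail account is expiring
Message-ID: <constructed-1@example-college.edu>

Dear user,
Your EDU webmail account is expiring. Please send us your username and
password to fix it, or your account will be closed.
"""

PHISH_BODY_ADDR_SAMPLE = """\
From: Account Services <mlee@example-state.edu>
To: staff@example-university.edu
Subject: Webmail quota exceeded
Message-ID: <constructed-2@example-state.edu>

Your mailbox quota has been exceeded. To keep your account active, send
your username, password and date of birth to helpdesk.renew@example-webmail.net
within 24 hours.
"""

BENIGN_SAMPLE = """\
From: Dean's Office <dean@example-college.edu>
To: staff@example-university.edu
Subject: Faculty meeting moved
Message-ID: <constructed-3@example-college.edu>

Reminder: the faculty meeting moved to 3pm Thursday in the library.
Reply to this message to confirm attendance.
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Parse one RFC 822 message and report the signals a triage rule can use."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    # Every address a reply could be steered to: Reply-To first, then any
    # address the body asks the recipient to write to.
    reply_targets = {a for _, a in getaddresses([str(msg.get("Reply-To", ""))]) if a}
    reply_targets |= set(ADDR_IN_BODY.findall(body))
    # Replies that leave the sending institution are the phisher's lifeline.
    external_targets = sorted(a for a in reply_targets if _domain(a) != from_domain)

    asks_for_credentials = bool(CRED_WORDS.search(body))
    return {
        "from_domain": from_domain,
        "sender_is_edu": from_domain.endswith(".edu"),  # a data point, not a trust signal
        "asks_for_credentials": asks_for_credentials,
        "external_reply_targets": external_targets,
        "suspicious": bool(external_targets) and asks_for_credentials,
    }


if __name__ == "__main__":
    for name, sample in [("phish", PHISH_SAMPLE),
                         ("phish-body-addr", PHISH_BODY_ADDR_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(name, analyze(sample))
```

The external reply targets are the part worth feeding back into the mail filter: the same drop address tends to survive several rewordings of the message, so blocking or quarantining on it, and alerting the sending institution about the compromised account, holds up better than a phrase list.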