SM wrote:
One major issue we've been having lately is with phishing emails being
targeted at us. They're being sent to us from hacked accounts at other
educational institutes. The message usually is about "Your EDU webmail
account is expiring. Please send us your username and password to fix
it." We've had some users fall for it, and then their Exchange account
gets turned into a spam machine (sending out the usual junk spam as well
as the original phishing message). Because they are coming from
legitimate sites, it's been very difficult to block these messages.
I've been trying to write phrase rules with common words used in the
message, but whoever's responsible for this is continually changing
the message to prevent you from being able to catch them with phrase
rules. Any thoughts?

There was a project from an educational institution to target phishing
emails. I don't recall the name of the project or whether the source
code was released.

It's called Kochi. I wrote it for Loughborough University. The source
code was released under the GPL. Read this:
https://secure.grepular.com/blog/index.php/2009/04/08/mitigating-spear-phishing/
If a phishing email gets through, and one of our staff or students
replies to it, Kochi will detect the username/password in the email and
block it from getting out. Kochi pulls out all of the possible
username/password combinations from the email and does authentication
attempts on each of them. This works for us because the usernames follow
a very specific format, and our password policy is quite strict, meaning
that the number of possible username/password combos we pull out of
emails is quite low.
It has been very successful for us.
--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
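The outbound check Mike describes, as an added Python example that is not Kochi's code: the username format, the password policy, the directory stand-in and the sample reply are all assumptions constructed here, and a real deployment would swap `demo_authenticate` for a bind against the institution's directory.

```python
import hashlib
import hmac
import itertools
import re
from typing import Callable, Optional

# Assumed username format (the real Loughborough format is not given in the post):
# two to six lowercase letters followed by one or two digits, e.g. "cgmc2".
USERNAME_RE = re.compile(r"[a-z]{2,6}\d{1,2}")
# Assumed strict password policy: 8-20 non-space chars with upper, lower and digit.
PASSWORD_RE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)\S{8,20}")
PUNCT = ".,;:!?\"'()<>[]"
MAX_ATTEMPTS = 20  # bound auth attempts per message: limits load and lockout risk

def candidate_pairs(body: str) -> list[tuple[str, str]]:
    """Every (username, password) token pair in the body that fits both policies."""
    tokens = [t.strip(PUNCT) for t in body.split()]
    users = {t for t in tokens if USERNAME_RE.fullmatch(t)}
    passwords = {t for t in tokens if PASSWORD_RE.fullmatch(t)}
    return sorted(itertools.product(users, passwords))

def leaked_account(body: str, authenticate: Callable[[str, str], bool]) -> Optional[str]:
    """Return the username whose live credentials appear in the body, else None.
    The mail filter rejects such a message and flags the account for a reset."""
    for user, password in candidate_pairs(body)[:MAX_ATTEMPTS]:
        if authenticate(user, password):
            return user
    return None

# Constructed stand-in for the institution's directory (demo only; a deployment
# would bind against LDAP/AD rather than compare local hashes).
_DEMO_DIRECTORY = {"cgmc2": hashlib.sha256(b"Wibble123").hexdigest()}

def demo_authenticate(user: str, password: str) -> bool:
    stored = _DEMO_DIRECTORY.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())

# Constructed reply to a phishing mail, the case the filter is meant to catch.
SAMPLE_REPLY = ("Hi, please don't close my account.\n"
                "Username: cgmc2\nPassword: Wibble123\nThanks, Chris\n")

if __name__ == "__main__":
    print(candidate_pairs(SAMPLE_REPLY))                    # [('cgmc2', 'Wibble123')]
    print(leaked_account(SAMPLE_REPLY, demo_authenticate))  # cgmc2
```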