Hi Thomas!

Casartello, Thomas wrote ... (4/24/2009 8:05 PM):
>
> One major issue we’ve been having lately is with phishing emails being
> targeted at us. They’re being sent to us from hacked accounts at other
> educational institutes. The message usually is about “Your EDU webmail
> account is expiring. Please send us your username and password to fix
> it.” We’ve had some users fall for it, then their Exchange account
> gets turned into a spam machine (sending out usual junk spam as well
> as the original phishing message.) Because they are coming from
> legitimate sites, it’s been very difficult to block these messages.
> I’ve been trying to write phrase rules with common words used in the
> message, but whoever’s responsible for this is continually changing
> the message to prevent you from being able to catch them with phrase
> rules. Any thoughts?
>
I've discovered that most folks outside .EDU address space don't face the dozens of variations of these messages each day. Sad part is they do in fact come from legitimate users and domains, just from a compromised account.

The best advice is to use ClamAV with the SaneSecurity Databases. There is a ClamAV plugin which makes it trivial to add to SpamAssassin:

ClamAV Plugin: http://wiki.apache.org/spamassassin/ClamAVPlugin
SaneSecurity Phishing Signatures: http://sanesecurity.com/

I also have set up some rather crude SA rules that seem effective for us. When you really break down a large sampling of these you will find there are also a couple of very common words, like "WebMail", "Password", "Warning", etc. Feel free to try the following and adjust scoring as needed for your environment.

#####################################
# SPEAR ATTACKS 12/10/2008
#####################################

body     EDU_SPEAR_S   /Edu Email Support Team/i
describe EDU_SPEAR_S   Email Attempting to get User Logins
score    EDU_SPEAR_S   15.0

body     EDU_SPEAR_WM  /WEBMAIL/i
describe EDU_SPEAR_WM  Email Contains WebMail
score    EDU_SPEAR_WM  0.1

body     EDU_SPEAR_P   /password/i
describe EDU_SPEAR_P   Email Contains password
score    EDU_SPEAR_P   0.1

meta     EDU_SPEAR     EDU_SPEAR_WM && EDU_SPEAR_P
describe EDU_SPEAR     Potential Phish WebMail / Password
score    EDU_SPEAR     7.5

body     EDU_SPEAR_U   /username|user name/i
describe EDU_SPEAR_U   Email Contains username
score    EDU_SPEAR_U   0.1

body     EDU_SPEAR_W   /warning/i
describe EDU_SPEAR_W   Email Contains warning
score    EDU_SPEAR_W   0.1

body     EDU_SPEAR_C   /confirm/i
describe EDU_SPEAR_C   Email Contains confirm
score    EDU_SPEAR_C   0.1

body     EDU_SPEAR_F   /failure/i
describe EDU_SPEAR_F   Email Contains failure
score    EDU_SPEAR_F   0.1

meta     EDU_SPEAR_1   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_W
describe EDU_SPEAR_1   Potential Phish Username, Password, Warning
score    EDU_SPEAR_1   5.0

meta     EDU_SPEAR_2   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_C
describe EDU_SPEAR_2   Potential Phish Username, Password, Confirm
score    EDU_SPEAR_2   5.0

meta     EDU_SPEAR_3   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_F
describe EDU_SPEAR_3   Potential Phish Username, Password, Failure
score    EDU_SPEAR_3   5.0
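To see how the rule set above actually scores, here is an added example (not from the thread, and not SpamAssassin itself) that re-implements the body and meta rules in Python and runs them over three constructed message bodies: one mimicking the "webmail account is expiring" phish, one legitimate IT reminder that merely mentions a password, and one legitimate help notice that mentions both WebMail and a password. It assumes that a SpamAssassin `body` rule behaves like a case-insensitive regex search over the message text and that `meta` rules fire only when every sub-rule has hit; the sample bodies and their labels are constructed for the illustration.

```python
import re

# Body rules transcribed from the posted ruleset: name -> (pattern, score).
# The 0.1 scores are deliberately tiny; the real weight lives in the metas.
BODY_RULES = {
    "EDU_SPEAR_S":  (re.compile(r"Edu Email Support Team", re.I), 15.0),
    "EDU_SPEAR_WM": (re.compile(r"WEBMAIL", re.I), 0.1),
    "EDU_SPEAR_P":  (re.compile(r"password", re.I), 0.1),
    "EDU_SPEAR_U":  (re.compile(r"username|user name", re.I), 0.1),
    "EDU_SPEAR_W":  (re.compile(r"warning", re.I), 0.1),
    "EDU_SPEAR_C":  (re.compile(r"confirm", re.I), 0.1),
    "EDU_SPEAR_F":  (re.compile(r"failure", re.I), 0.1),
}

# Meta rules: name -> (sub-rules that must all hit, score).
META_RULES = {
    "EDU_SPEAR":   (["EDU_SPEAR_WM", "EDU_SPEAR_P"], 7.5),
    "EDU_SPEAR_1": (["EDU_SPEAR_U", "EDU_SPEAR_P", "EDU_SPEAR_W"], 5.0),
    "EDU_SPEAR_2": (["EDU_SPEAR_U", "EDU_SPEAR_P", "EDU_SPEAR_C"], 5.0),
    "EDU_SPEAR_3": (["EDU_SPEAR_U", "EDU_SPEAR_P", "EDU_SPEAR_F"], 5.0),
}

# Constructed sample bodies (not real mail) used to exercise the rules.
SAMPLES = {
    "phish": (
        "WARNING: Your EDU webmail account is expiring.\n"
        "Please confirm your username and password by replying to this "
        "message so we can fix it."
    ),
    "legit_reminder": (
        "Reminder from IT: we will never ask you for your password by email."
    ),
    "legit_webmail_help": (
        "Password reset instructions are posted on the WebMail help page."
    ),
}


def evaluate(body):
    """Return {rule_name: score} for every body and meta rule that hits."""
    hits = {}
    for name, (pattern, score) in BODY_RULES.items():
        if pattern.search(body):
            hits[name] = score
    # Meta rules are evaluated after all body rules, as SA does.
    for name, (deps, score) in META_RULES.items():
        if all(dep in hits for dep in deps):
            hits[name] = score
    return hits


def total_score(hits):
    """Sum the hit scores, rounded to one decimal like SA's report."""
    return round(sum(hits.values()), 1)


def score_samples():
    """Score every constructed sample; returns {label: total_score}."""
    return {label: total_score(evaluate(body)) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = evaluate(body)
        print(f"{label:20s} {total_score(hits):5.1f}  {sorted(hits)}")
```

The phish sample trips five body rules and three metas and lands well above SpamAssassin's default `required_score` of 5.0, while the reminder that only says "password" collects 0.1. The third sample shows why the author says to adjust scoring: two ordinary words, "WebMail" and "password", are enough to fire `EDU_SPEAR` and push a legitimate help notice past the default threshold on their own, so the 7.5 weight is worth reviewing against your own ham before deploying.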