John Hardin wrote:
On Fri, 1 May 2009, Adam Katz wrote:

The emailBL mechanism could easily be populated by a spamtrap, but the
danger from false positives (forged sender addresses) would be quite
real.

On a related note: you also need to worry about the phishers intentionally forging the Reply-To with normal addresses in an attempt to poison the list.


Suggestion: ignore the sender address if there is a Reply-To: header or if there is an email address in the body of the message. There might need to be some logic around detecting the contact address in the message body - there could be garbage addresses inserted to get the phishtrap to ignore the sender address...

That's what we do. We've had lengthy discussions about this issue. It all boils down to accurately gauging the intention of the phisher, which is essentially impossible to automate.

It gets tricky when you consider the situation where the phisher intended the user to reply to the address included in the body, but the user doesn't pay attention and replies to the From instead, *and* the phisher happens to still have access to the original compromised account (the From address) used to send the phish. So, it makes sense to add the From to the list in this case. However, the account in question is usually cleaned up by the email provider quickly, so now a normal user's address is on the list. And... to make matters worse, that user will potentially start receiving credentials from other users that are replying to the phish messages.

Anyway, here is the current state of how we classify the addresses:

    Possible values for TYPE:

        A: The ADDRESS was used in the Reply-To header.

        B: The ADDRESS was used in the From header.

        C: The content of the phishing message contained the ADDRESS.

        D: The content of the phishing message contained the ADDRESS,
            and it was obfuscated.

        E: The ADDRESS (usually in the From header) might receive replies
            but it was not intended to receive the replies.

    Note: unless otherwise specified, in order for the ADDRESS to
          qualify for each TYPE, it must have been intended to
          receive the replies.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thomp...@doit.wisc.edu
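A small classifier that applies the TYPE scheme above to a message, added here as an illustration and not the code Jesse's team runs. The obfuscation forms it recognises, and the rule for the From header (John's suggestion: treat the From address as not intended to receive replies when the message names another reply target), are assumptions; the sample message is constructed.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Address patterns; the obfuscation forms recognised here are an assumption
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OBFUSCATED = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*(?:\(at\)|\[at\]|\s+at\s+)\s*([A-Za-z0-9-]+)"
    r"\s*(?:\(dot\)|\[dot\]|\s+dot\s+)\s*([A-Za-z]{2,})", re.IGNORECASE)

def header_addresses(msg, name):
    return [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]

def body_addresses(text):
    plain = {m.group(0).lower() for m in PLAIN.finditer(text)}
    obfuscated = {f"{u}@{d}.{t}".lower() for u, d, t in OBFUSCATED.findall(text)}
    return plain, obfuscated - plain

def classify(raw):
    """Map each address found in a phish to the TYPE letters from the thread."""
    msg = message_from_string(raw)   # single-part text message assumed
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    types = defaultdict(set)
    reply_to = set(header_addresses(msg, "Reply-To"))
    plain, obfuscated = body_addresses(body)
    for a in reply_to:
        types[a].add("A")
    for a in plain:
        types[a].add("C")
    for a in obfuscated:
        types[a].add("D")
    other_targets = reply_to | plain | obfuscated
    for a in header_addresses(msg, "From"):
        # Heuristic (assumed): if the message names some other reply target, the From
        # address was probably not meant to receive replies (E); otherwise it was (B)
        types[a].add("B" if a in other_targets or not other_targets else "E")
    return dict(types)

# Constructed sample phish; all addresses are example-domain placeholders
SAMPLE = """From: "Helpdesk" <compromised@example.net>
Reply-To: drop@example.org
Subject: Mailbox quota
Content-Type: text/plain

Confirm your account by replying to support(at)example(dot)com
or help@example.com within 24 hours.
"""

if __name__ == "__main__":
    for addr, t in sorted(classify(SAMPLE).items()):
        print(addr, "".join(sorted(t)))
```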
