On Fri, May 1, 2009 at 3:37 PM, Adam Katz <antis...@khopis.com> wrote:
> Can you determine how many of those were out-of-office messages? Then
> again, even at just two, if you can stop such compromises, it's worth
> it (and then some).
The replies I was talking about were, sadly, manually filtered to remove everything that looked like an auto response. What I couldn't tell was how many were "yeah, right!" or "die, spammer, die!" style responses. Thankfully we only had 2 compromised accounts (but that's two too many).

> I'd still rather block the offending message than intercept responses
> to it (as that means it has suckered users, which means it has wasted
> their time). I see APER as a possible aid in that pursuit, though as
> Jesse has mentioned, it is not fully reliable (as to be determined).
> Still, these little checks add up, so even if APER gives a message 0.1
> points, that might be enough to mark it as spam or even block it at
> the door.
>
> As a secondary defense, blocking replies sounds like a grand idea.

I absolutely agree that the messages should be stopped on their way in. I'd rather our users not have an opportunity to be suckered. But at least knowing about the replies gives us a way to target our education efforts (now, where'd I put that LART...)

As far as blocking inbound messages, I'm going to have to remove a few addresses from the list before I can do that. My initial search results were chock full of false positives. One of the people who made the list corresponds very regularly with 10 - 20 people in my organization. Granted, at 0.1, it's not a big deal, and such a rule would probably make a fantastic META companion (warning, fictional, unlinted rule follows):

meta L_PHISHY FROM_ON_APER && WEBMAIL_SUBJECT
score L_PHISHY 2.5

anyone?
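As an added illustration of the META companion idea discussed above (example configuration, not rules from the thread or from any APER-provided ruleset), the fragment below shows how the two component rules and the meta rule might be declared together in a SpamAssassin local.cf. Both component rules are hypothetical: the APER address pattern is a placeholder for a locally maintained list, and the subject pattern is a constructed lure regex. Each component carries only the 0.1 points mentioned in the thread, so a false positive on the address list alone does little harm; the meta rule supplies the real weight only when both signals fire.

```conf
# Added example, not from the thread. Component rules are hypothetical;
# the address pattern is a placeholder, not the real APER list.

# Weak signal: sender address appears on a locally curated, APER-derived
# list. Scored low on purpose because the raw list has false positives.
header   FROM_ON_APER     From:addr =~ /^(?:placeholder-address-1|placeholder-address-2)\@example\.com$/i
describe FROM_ON_APER     Sender address found on local APER-derived phish list
score    FROM_ON_APER     0.1

# Weak signal: subject resembles a webmail "verify/upgrade your account" lure
# (constructed pattern; tune against your own false-positive corpus).
header   WEBMAIL_SUBJECT  Subject =~ /\b(?:webmail|mailbox|account|e-?mail)\b.{0,40}\b(?:upgrade|verify|confirm|quota|suspend)/i
describe WEBMAIL_SUBJECT  Subject resembles a webmail account-phish lure
score    WEBMAIL_SUBJECT  0.1

# Meta companion: both weak signals together earn a meaningful score,
# which is what pushes a message over the spam threshold at the door.
meta     L_PHISHY         (FROM_ON_APER && WEBMAIL_SUBJECT)
describe L_PHISHY         APER-listed sender combined with webmail-style subject
score    L_PHISHY         2.5
```

Run `spamassassin --lint` after adding rules like these; a meta rule that references an undefined sub-rule is exactly the kind of mistake the lint pass catches, and the `describe` lines are what show up in the X-Spam-Report header when you later go looking for why a given message scored the way it did.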