(My reply to the direct copy....)

On 2011/03/18 17:38, Hamad Ali wrote:
Interesting: (I think you have bigger problems than mere spear-phishing.)

> Spam detection software, running on the system "morticia.wizardess.wiz", has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> jdow for details.
>
> Content preview:> Date: Fri, 18 Mar 2011 16:06:15 -0700> From: j...@earthlink.net
>     >  To: users@spamassassin.apache.org>  Subject: Re: SA and Spear Phishing
> > And for well targeted spearfishing, he's still stuck because nothing> distinguishes > it from his normal mail flow other than "unknown sender"> or DNS check failures.
>     The human mind can be a better filter against>  such spam than any result
>     of mass checks. [...]
>
> Content analysis details:   (6.2 points, 5.0 required)
(edited)
>   pts rule name              description
> ---- ---------------------- --------------------------------------------------
>   1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>                              [64p79p213p206 listed in combined.njabl.org]
>   0.8 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
>                              [64p79p213p206 listed in dnsbl.sorbs.net]
>   0.4 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
>   0.0 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
>   0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
>
>

"I highly appreciate your use of open/honest communication. Not to "pretend" being the nice boy, nor to defend myself (I'm not offended by that), but merely to define what is Spear Phishing to make sure we are on same page: Spear phishing is a form of phishing attacks that are tailored for specific scenarios/targets based on specific conditions (on top of my head, didn't google -- honest o/~). E.g. if an attacker knows my boss's name and email address, and that I'm in charge for certain deals, the attacker can do better social engineering attacks knowing more information about me."

etc...

A well targeted spear phish is designed to look as much like other
transactions your business and the specific targeted individual might
receive as possible. I do not think I could legitimately ask an email
filter program to guess the intent of each email. You would need to
institute some rules in your company such that requests for specific
information are automatically transferred to a person delegated to work
with law enforcement by the recipient if it gets past the automated
filters. Otherwise you'll find yourself targeted by "The Boss" when an
email is binned rather than fed on to him.

The delegated person should forward the message to the recipient in a
wrapper warning message, keeping the original as "evidence".

Now you have the nifty problem of picking out of messages the requests
for forbidden data. This will entail learning how to write rules as
your organization's needs will almost assuredly not be merely generic.
At some point each sysadmin must do some of his or her own work.

I am told I am rather "direct" for a woman. Just color me old, tired,
and Irish (easily irritated.) Directness is easier than complex
circumlocution, which I am getting too old for. It seems to make as
many fans as enemies. {^_-}

{o_o}
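
The hand-off described in the message above, as an added example that is not part of the original post: a message that asks for forbidden data is wrapped in a warning by the delegated person, with the original attached unmodified as evidence. The patterns, addresses and function names are hypothetical and constructed for illustration; a real site would write its own rules.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Hypothetical, organisation-specific "forbidden data" requests (constructed).
FORBIDDEN_REQUESTS = [
    re.compile(r"\b(send|confirm|provide)\b.{0,60}\b(password|credentials)\b",
               re.I | re.S),
    re.compile(r"\b(send|forward|provide)\b.{0,60}\b(contract|pricing|bank details)\b",
               re.I | re.S),
]

def requests_forbidden_data(msg):
    """Return the phrases in the plain-text body that ask for forbidden data."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return [m.group(0) for p in FORBIDDEN_REQUESTS for m in p.finditer(text)]

def wrap_for_recipient(original, hits, delegate):
    """Build the delegate's warning wrapper; the original rides along intact."""
    wrapper = EmailMessage()
    wrapper["From"] = delegate
    wrapper["To"] = original["To"]
    wrapper["Subject"] = "[REVIEWED: data request] " + original["Subject"]
    wrapper.set_content(
        "This message asks for restricted information and was routed through review.\n"
        "Matched: " + "; ".join(hits) + "\n"
        "Verify the sender through a known channel before replying.\n")
    # Attaching a message object yields a message/rfc822 part, so the original
    # headers and body are preserved as evidence rather than re-typed.
    wrapper.add_attachment(original)
    return wrapper

def route(raw, delegate="security-delegate@example.com"):
    """Wrap messages that request forbidden data; pass everything else through."""
    msg = message_from_string(raw, policy=policy.default)
    hits = requests_forbidden_data(msg)
    return wrap_for_recipient(msg, hits, delegate) if hits else msg

# Constructed sample message, not taken from the thread.
SAMPLE = """\
From: "The Boss" <boss@example.net>
To: recipient@example.com
Subject: Quick favour

Please send me the pricing sheet for the pending deal before noon.
"""

if __name__ == "__main__":
    print(route(SAMPLE).as_string())
```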
