On 30/09/11 18:04, John Hardin wrote:
> On Fri, 30 Sep 2011, Ned Slider wrote:
>> On 30/09/11 01:41, jida...@jidanni.org wrote:
>>> Sure a lot of "Your mailbox has exceeded" spam these days. I'll use
>>> body J_MAILBOX_FULL /^Your mailbox has exceeded/
>>> score J_MAILBOX_FULL ...
>>> myself for now.
>> I've seen a few of these, but probably not enough examples to have
>> Bayes reliably catch them yet - the first few sneaked straight through
>> uncaught.
>> If we could organise a working group or something, and/or collect some
>> examples, I'd happily help with writing some rules specifically for
>> these.
> I've been collecting phishes for a while now - in several languages -
> and I've been intending to start working on some rules, perhaps evolved
> along the lines of the ADVANCE FEE rules.
> Anyone who wants to send me .tar.gz archives of phish samples is welcome
> to do so.
John,
I have a rather small set (277) of purely UK bank-related phish I
started collecting back in 2009 (happy to share them with you if you
feel such a small/old set would be useful). Similarly, my plan was to
try to write a set of rules to catch these. In the end I took a somewhat
different (and simpler) approach of scoring all mail that claims to be
FROM a banking domain, and then whitelist legitimate senders through
whitelist_from_dkim/spf.
# Claiming to be from a bank or other financial institution
# We can whitelist legitimate mail using SPF and/or DKIM
header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|allianceleicester|alliance-leicester|bankofamerica|barclaycard|barclays|cahoot|cbonline|citibank|cooperativebank|co-operativebank|cooperative-bank|egg|eggconnect|firstdirect|halifax|halifax-online|hbos|hsbc|hsbcgroup|lloydstsb|mbna|natwest|nationwide|newegg|new\.egg|northernbank|northernrock|nwolb|rbs|santander|santandercards|smile|woolwich|ybonline|zenithbank)\.(com|co\.uk)/i
score LOCAL_FROM_BANK 6
describe LOCAL_FROM_BANK From a bank domain
I have more rules along this line scoring senders from .org/net domains
etc that banks are unlikely to ever use - I'm sure you get the idea.
This approach stemmed from the fact that for my small set of banking
phish, I noticed nearly all claim to be FROM the primary domain (e.g.
@bank.com), wherein in reality (again from the very small set of
legitimate banking mails I have) banks typically send from a subdomain,
something like @email.bank.com or @e.bank.com etc, so this approach
seems to produce very few FPs.
Not the most sophisticated approach but it works really well for me - it
just needs a different mindset, moving from the default view that one
should accept all email and then try to filter out the spam to one where
we deny all bank-related email by default and then whitelist the known
good senders. Ultimately 99% of email I see claiming to be from a bank
was phish.
If one were to adopt such an approach, it would be useful to share
information of which domains have working spf records and/or dkim
signatures as this information isn't always easy to collate, and such
domains could either be incorporated into SA's USER_IN_DEF_*_WHITELIST's
or shipped as separate whitelist_from_dkim/spf rule sets that users
could enable/disable at will.
If banks were to clearly publish the (sub)domains they intend to send
mail from, and publish accurate spf records/dkim signatures for those
domains then this would be an almost trivial issue to solve.
I'm really not sure of the best approach to tackling the wider phish
problem, nor the specific problem of mailbox phish of this thread.