On Mon, 12 Mar 2012, Paul Russell wrote:
> On 3/10/2012 16:43, Ned Slider wrote:
>> This one is easy enough - if the latter is the only valid URL that should
>> ever appear in an email, create a meta rule that looks for a URL containing
>> bway.net (or even just bway or webmail or login etc), but isn't
>> https://webmail.bway.net/.
>> Create meta rules for the common words you have identified. Link these with
>> a rule such as __HAS_ANY_URI or some of your webmail based URI rules above.
>> What other rules commonly hit - are they sent from freemail accounts? Do
>> they hit any DNSBLs?
> It's not that simple. If it were, the problem would not have been ongoing for
> at least 4 years.

Technically what Ned said is correct: "This one is easy enough".
Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
kinds of spear-phishing attacks are an ever mutating problem and some
are damned clever.
Even the not too clever ones are problematic if they're good enough
to fool the victims (which sadly doesn't take too much).
We have to control it in the mail stream as we cannot control how
our clients read their mail.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
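
The rule idea discussed in this thread, written out as a SpamAssassin local.cf fragment. This is an added example, not rules posted by anyone in the thread: every LOCAL_ rule name, the word list and the scores are constructed for illustration, and only the bway.net URL comes from the message above.

```conf
# --- Added example: constructed rules, names and scores are hypothetical ---

# The one URL the thread says is legitimate.
uri      __LOCAL_URI_BWAY_OK   m{^https://webmail\.bway\.net/}i

# Any http(s) URI that mentions "bway" at all.
uri      __LOCAL_URI_BWAY_ANY  m{^https?://[^\s]*bway}i

# Meta form, as suggested in the thread. Caveat: uri sub-rules are true if
# ANY URI in the message matches, so a mail carrying both the real URL and
# a look-alike makes __LOCAL_URI_BWAY_OK true and this meta stays silent.
meta     LOCAL_BWAY_LOOKALIKE_META  (__LOCAL_URI_BWAY_ANY && !__LOCAL_URI_BWAY_OK)
describe LOCAL_BWAY_LOOKALIKE_META  URI mentions bway, real webmail URL absent
score    LOCAL_BWAY_LOOKALIKE_META  1.5

# Per-URI form: the negative lookahead is evaluated against each URI on its
# own, so a look-alike still hits when the real URL is also present.
uri      LOCAL_BWAY_LOOKALIKE  m{^(?!https://webmail\.bway\.net/)https?://[^\s]*bway}i
describe LOCAL_BWAY_LOOKALIKE  URI mentions bway but is not the real webmail URL
score    LOCAL_BWAY_LOOKALIKE  3.0

# "Common words" linked with a has-a-URI test. The phrases below are
# constructed placeholders; substitute the wording seen in your own samples.
body     __LOCAL_ACCT_WORDS    /\b(?:verify your account|mailbox quota|webmail upgrade)\b/i

# Local stand-in for the __HAS_ANY_URI sub-rule named in the thread:
# true when the message contains at least one URI.
uri      __LOCAL_HAS_URI       /./

meta     LOCAL_ACCT_WORDS_URI  (__LOCAL_ACCT_WORDS && __LOCAL_HAS_URI)
describe LOCAL_ACCT_WORDS_URI  Account-maintenance wording together with a URI
score    LOCAL_ACCT_WORDS_URI  1.0
```

Run `spamassassin --lint` after adding rules like these. As the reply above points out, a fixed pattern of this kind covers one campaign and needs revisiting as the messages change.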