On Mon, 12 Mar 2012 13:05:24 -0400 Paul Russell <pruss...@nd.edu> wrote:
> Most of the phishing spam we see seems to come from
> apparently-compromised accounts, so we seldom see the same sender
> address for more than a few hours, or a few days, at most.

Right... the list is reactive. I find it usually takes anywhere from an hour to a few hours for a compromised address to get on the list, so there is some value if the address is used for more than a few hours.

Also, there's a lot of value in finding out that one of *your* users has been compromised. :) I see a couple of nd.edu addresses in the list, though the last-seen dates are old (Aug and October 2011.)

> Phishing reply-to addresses and phishing URL's change less frequently.
> There are several variants of phishing message text, and new variants
> are introduced from time to time, but the message body seems to be
> the most reliable source of filter fodder.

I agree. The APER project is just one more tool in the toolbox.

Regards,

David.