Ned Slider wrote:
>
> On 12/03/12 17:02, David B Funk wrote:
>> On Mon, 12 Mar 2012, Paul Russell wrote:
>>
>>> On 3/10/2012 16:43, Ned Slider wrote:
>>>>
>>>> This one is easy enough - if the latter is the only valid url that
>>>> should ever appear in an email, create a meta rule that looks for a
>>>> url containing bway.net (or even just bway or webmail or login etc),
>>>> but isn't https://webmail.bway.net/.
>>>>
>>>> Create meta rules for the common words you have identified. Link
>>>> these with a rule such as __HAS_ANY_URI or some of your webmail based
>>>> URI rules above.
>>>>
>>>> What other rules commonly hit - are they sent from freemail accounts?
>>>> Do they hit any DNSBL's?
>>>
>>> It's not that simple. If it were, the problem would not have been
>>> ongoing for at least 4 years.
>>
>> Technically what Ned said is correct "This one is easy enough".
>> Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
>> kind of spear-phishing attacks are an ever mutating problem and some
>> are damned clever.
>>
>
> Exactly, if you only provide one snippet of an example you don't give us
> much to work with so the best we can do is suggest a rule that will
> catch that one very narrow example :-/
>
> Give us a tarball of (preferably unredacted) examples to work with - you
> must have hundreds collected over the last 4 years.
>
>
Here's a collection from our support folks:
http://home.bway.net/spork/phish/
Some patterns of interest (including some of the excellent suggestions
upthread):
- envelope-from is not from our domain, but the From: line in the message is;
  being able to clobber that pattern would be quite helpful by itself.
- I'm not going to go into details, but the messages quite often have a from
  or envelope-from that we simply don't use when sending email to customers or
  replying to them. In fact, all of these samples have that wrong.
- Most of the messages contain a URL that includes our domain in it after the
  host part of the URL. The ones that don't still include "bway" somewhere in
  the URL.
If I could slap together a rule that detects those three anomalies together,
I'd be pretty happy.
--
View this message in context:
http://old.nabble.com/Better-phish-detection-tp33478328p33514647.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
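The three anomalies the poster lists map naturally onto SpamAssassin sub-rules joined by a meta rule. The local.cf fragment below is an added example written for this thread; it is not the poster's rule set and not part of the SpamAssassin distribution. It takes only two facts from the thread (the domain bway.net and https://webmail.bway.net/ as the sole legitimate URL); the customer-facing address list and the scores are placeholders to be replaced with the site's own values.

```spamassassin
# Added example: local.cf fragment for the three anomalies from the thread.
# Domain and legitimate webmail URL come from the thread; the sender list
# and scores are placeholders, not bway.net's actual values.

# Anomaly 1a: the From: header address claims our domain ...
header   __BWAY_FROM_CLAIMS      From:addr =~ /\@bway\.net$/i

# Anomaly 1b: ... but the envelope sender does not. EnvelopeFrom is
# SpamAssassin's pseudo-header for the envelope sender (taken from
# Return-Path or the header named by envelope_sender_header). The
# if-unset clause makes a missing envelope sender count as "not ours"
# rather than silently skipping the test.
header   __BWAY_ENVFROM_NOT_OURS EnvelopeFrom !~ /\@bway\.net$/i [if-unset: unknown]

# Anomaly 2: the From: address is not one we actually use for customer mail.
# PLACEHOLDER list: replace with the real outbound addresses.
header   __BWAY_FROM_KNOWN       From:addr =~ /^(?:support|billing|noreply)\@bway\.net$/i

# Anomaly 3: a URI mentioning "bway" anywhere (host, path or query) that is
# not on the one legitimate host. The negative lookahead rejects
# https://webmail.bway.net/... so the genuine login link never matches,
# while webmail.bway.net.example.com or example.com/bway.net/login do.
uri      __BWAY_URI_NOT_OURS     /^https?:\/\/(?!webmail\.bway\.net(?:\/|$))\S*bway/i

# All three together: the combination the poster asked for.
meta     BWAY_PHISH_COMBO        (__BWAY_FROM_CLAIMS && __BWAY_ENVFROM_NOT_OURS && __BWAY_URI_NOT_OURS)
describe BWAY_PHISH_COMBO        From: claims bway.net, foreign envelope sender, bway URL on another host
# placeholder score
score    BWAY_PHISH_COMBO        4.0

# Weaker signal on its own: claims our domain from an address we never send from.
meta     BWAY_PHISH_UNKNOWN_SENDER (__BWAY_FROM_CLAIMS && !__BWAY_FROM_KNOWN)
describe BWAY_PHISH_UNKNOWN_SENDER From: is bway.net but not a customer-facing address
# placeholder score: this also hits ordinary bway.net users' mail, so keep it low
score    BWAY_PHISH_UNKNOWN_SENDER 1.5
```

After adding the fragment, run `spamassassin --lint` to catch syntax errors, then feed a few messages from the sample collection through `spamassassin -t < sample.eml` and confirm BWAY_PHISH_COMBO shows up in the report. The EnvelopeFrom sub-rule only works if the MTA adds a Return-Path header before SpamAssassin sees the message (or envelope_sender_header points at whatever header it does add); without that, the envelope check falls through to the if-unset branch and every message looks like it has a foreign envelope sender.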