Re: Phishing attempts getting through.
> Can someone expand on the ClamAV detecting phishing attempts. Or direct
> me somewhere?

Pick up some of the SARE rulesets. I think spoof or fraud is the one that contains an assortment of phishhooks. Won't get 'em all, but will sure cut down on the more common ones.

Loren
Re: Phishing attempts getting through.
Joe Young wrote:
> Can someone expand on the ClamAV detecting phishing attempts. Or
> direct me somewhere?
>
> Thank you,

It just detects the message itself as a virus. Here's a sample report generated when MailScanner fed a phishing email to our virus scanners:

The following e-mails were found to have: Virus Detected

    Sender: [EMAIL PROTECTED]
    IP Address: 66.199.161.40
    Recipient: [EMAIL PROTECTED]
    Subject: Your Account Will Be Suspended ; Checking
    MessageID: j2ELE82X031642
    Report: ClamAV: msg-18232-49.html contains HTML.Phishing.Pay-6
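Added example, not part of the original post or of MailScanner or ClamAV: a small parser for reports shaped like the one quoted above, separating phishing detections from other ClamAV hits so they can be counted separately. It assumes one blank-line-separated block per message and that a dot-separated `Phishing` component in the signature name marks a phishing signature; the second sample entry and all function names are constructed for illustration.

```python
import re

# Constructed sample: first entry is the report quoted in the post; the second
# is made up for contrast (Worm.Example-1 is a placeholder signature name).
SAMPLE_REPORT = """\
Sender: [EMAIL PROTECTED]
IP Address: 66.199.161.40
Recipient: [EMAIL PROTECTED]
Subject: Your Account Will Be Suspended ; Checking
MessageID: j2ELE82X031642
Report: ClamAV: msg-18232-49.html contains HTML.Phishing.Pay-6

Sender: [EMAIL PROTECTED]
IP Address: 192.0.2.10
Subject: (constructed)
MessageID: CONSTRUCTED0001
Report: ClamAV: msg-1-1.exe contains Worm.Example-1
"""

FIELD = re.compile(r"^(Sender|IP Address|Recipient|Subject|MessageID|Report):\s*(.*)$")
CLAM = re.compile(r"^ClamAV:\s*(?P<part>\S+) contains (?P<sig>\S+)$")

def is_phishing(signature):
    """Assumption: a dot-separated 'Phishing' component marks a phishing signature."""
    return "phishing" in (p.lower() for p in signature.split("."))

def parse_report(text):
    """Return one dict per reported message that carries a ClamAV verdict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                entry[m.group(1)] = m.group(2)
        hit = CLAM.match(entry.get("Report", ""))
        if hit:  # skip blocks without a ClamAV "contains" line
            entry.update(part=hit["part"], signature=hit["sig"], phishing=is_phishing(hit["sig"]))
            entries.append(entry)
    return entries

def tally(entries):
    """Count phishing detections versus all other detections."""
    n = sum(e["phishing"] for e in entries)
    return {"phishing": n, "other": len(entries) - n}

if __name__ == "__main__":
    print(tally(parse_report(SAMPLE_REPORT)))
```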
Re: Phishing attempts getting through.
Can someone expand on the ClamAV detecting phishing attempts. Or direct me somewhere?

Thank you,
--Joe

Matt Kettler wrote:
> Sunny Forro wrote:
>> Hello,
>> I've got a problem. I've got a lot of phishing attacks making it
>> through my mailscanner setup. I do have phishing fraud detection turned
>> on, and I have not modified the phishing safe sites list. Most (if not
>> all) of the phishing emails are ebay account notices with forged IP
>> addresses. I don't understand how these are getting through. Is anyone
>> else out there having the same problem? Does anyone have any
>> suggestions? The only reason I know they're getting through is because
>> I've set up MailWatch for MailScanner (works great, makes it easy to see
>> what's going on)
>
> Have you considered adding clamav to your MailScanner setup? clamav
> detects a wide variety of stock phishing scams as if they were viruses.
> Works great for me with my setup. (I use it with MailScanner, but I have
> the MailScanner phishing net disabled). It's not 100%, but it catches
> 80-90% of them without any work on my part.
>
> http://www.clamav.net/
>
> From there you might want to consider the SARE spoofing ruleset for
> SpamAssassin (I've not tried it myself, but it seems well written)
>
> http://www.rulesemporium.com/rules/70_sare_spoof.cf
Re: Phishing attempts getting through.
Sunny

depends where the problem is and what you mean by the phishing emails getting through?

1. Ask on the MailScanner list, I'll be there too.
2. use the free ClamAV anti-virus system, this is quite good at catching this stuff.
3. Do you mean the MS phishing net or actual phishing emails?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Sunny Forro wrote:
> Hello,
> I've got a problem. I've got a lot of phishing attacks making it
> through my mailscanner setup. I do have phishing fraud detection turned
> on, and I have not modified the phishing safe sites list. Most (if not
> all) of the phishing emails are ebay account notices with forged IP
> addresses. I don't understand how these are getting through. Is anyone
> else out there having the same problem? Does anyone have any
> suggestions? The only reason I know they're getting through is because
> I've set up MailWatch for MailScanner (works great, makes it easy to see
> what's going on).
>
> Any ideas?
>
> Sunny
>
> Elmer Steve Forro III (Sunny)
> Assistant Manager of Information Systems
> Compco Industries
> 400 West Railroad Street Suite 1
> Columbiana, OH 44408
> Phone: (330) 482-0200
> Cell: (330) 881-8401
> Fax: (330) 482-6492
> Email: [EMAIL PROTECTED]
> Web: http://www.compcoind.com/

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**
Re: Phishing attempts getting through.
On Tuesday, March 22, 2005, 10:58:30 AM, Sunny Forro wrote:
> Hello,
> I've got a problem. I've got a lot of phishing attacks making it
> through my mailscanner setup. I do have phishing fraud detection turned
> on, and I have not modified the phishing safe sites list. Most (if not
> all) of the phishing emails are ebay account notices with forged IP
> addresses. I don't understand how these are getting through. Is anyone
> else out there having the same problem? Does anyone have any
> suggestions? The only reason I know they're getting through is because
> I've set up MailWatch for MailScanner (works great, makes it easy to see
> what's going on).

Try using SURBLs:

http://www.surbl.org/

specifically:

http://www.surbl.org/lists.html#ph

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: Phishing attempts getting through.
> From: "David B Funk" <[EMAIL PROTECTED]>
>
> I augmented 70_sare_spoof.cf to improve its coverage, added more
> bank sites we've seen (EG: wamu.com, huntington.com, keybank.com,
> hiberniainfo.com, etc).

If you'd be willing to share your rule enhancements with the rest of the community, we'd be more than happy to mass-check them and add them to the file! We'll credit you with the rules, and about all you have to do is agree with the licence terms on the file.

Loren
Re: Phishing attempts getting through.
Are you using the SARE anti-spoof rules? We catch the ebay stuff pretty well.

Loren
Re: Phishing attempts getting through.
On Tue, 22 Mar 2005, Matt Kettler wrote:
> Sunny Forro wrote:
>
> >Hello,
> > I've got a problem. I've got a lot of phishing attacks making it
> >through my mailscanner setup. I do have phishing fraud detection turned
> >on, and I have not modified the phishing safe sites list. Most (if not
> >all) of the phishing emails are ebay account notices with forged IP
[snip..]
> Have you considered adding clamav to your MailScanner setup? clamav
> detects a wide variety of stock phishing scams as if they were viruses.
> Works great for me with my setup. (I use it with MailScanner, but I have
> the MailScanner phishing net disabled). It's not 100%, but it catches
> 80-90% of them without any work on my part.
>
> http://www.clamav.net/
>
> From there you might want to consider the SARE spoofing ruleset for
> SpamAssassin (I've not tried it myself, but it seems well written)
>
> http://www.rulesemporium.com/rules/70_sare_spoof.cf

I'll second that advice, am doing both and well worth the effort. (not to mention the side effect of blocking viri ;).

I've integrated clamav into the SMTP system to do a SMTP-REJECT on all detected baddies, so viri and many phishes never make it in our front door.

I augmented 70_sare_spoof.cf to improve its coverage, added more bank sites we've seen (EG: wamu.com, huntington.com, keybank.com, hiberniainfo.com, etc).

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Phishing attempts getting through.
And this has what to do with Spamassassin?

Sunny Forro wrote:
> Hello,
> I've got a problem. I've got a lot of phishing attacks making it
> through my mailscanner setup. I do have phishing fraud detection turned
> on, and I have not modified the phishing safe sites list. Most (if not
> all) of the phishing emails are ebay account notices with forged IP
> addresses. I don't understand how these are getting through. Is anyone
> else out there having the same problem? Does anyone have any
> suggestions? The only reason I know they're getting through is because
> I've set up MailWatch for MailScanner (works great, makes it easy to see
> what's going on).
>
> Any ideas?
>
> Sunny
>
> Elmer Steve Forro III (Sunny)
> Assistant Manager of Information Systems
> Compco Industries
> 400 West Railroad Street Suite 1
> Columbiana, OH 44408
> Phone: (330) 482-0200
> Cell: (330) 881-8401
> Fax: (330) 482-6492
> Email: [EMAIL PROTECTED]
> Web: http://www.compcoind.com/

--
Michael H. Collins
Admiral, Penguinista Navy
http://linuxlink.com

/"\  ASCII Ribbon Campaign
\ /  No HTML/RTF in email
 x   No Word docs in email
/ \  Respect for open standards

In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss.
Re: Phishing attempts getting through.
Sunny Forro wrote:
>Hello,
> I've got a problem. I've got a lot of phishing attacks making it
>through my mailscanner setup. I do have phishing fraud detection turned
>on, and I have not modified the phishing safe sites list. Most (if not
>all) of the phishing emails are ebay account notices with forged IP
>addresses. I don't understand how these are getting through. Is anyone
>else out there having the same problem? Does anyone have any
>suggestions? The only reason I know they're getting through is because
>I've set up MailWatch for MailScanner (works great, makes it easy to see
>what's going on)
>

Have you considered adding clamav to your MailScanner setup? clamav detects a wide variety of stock phishing scams as if they were viruses. Works great for me with my setup. (I use it with MailScanner, but I have the MailScanner phishing net disabled). It's not 100%, but it catches 80-90% of them without any work on my part.

http://www.clamav.net/

From there you might want to consider the SARE spoofing ruleset for SpamAssassin (I've not tried it myself, but it seems well written)

http://www.rulesemporium.com/rules/70_sare_spoof.cf
Phishing attempts getting through.
Hello,

I've got a problem. I've got a lot of phishing attacks making it through my mailscanner setup. I do have phishing fraud detection turned on, and I have not modified the phishing safe sites list. Most (if not all) of the phishing emails are ebay account notices with forged IP addresses. I don't understand how these are getting through. Is anyone else out there having the same problem? Does anyone have any suggestions? The only reason I know they're getting through is because I've set up MailWatch for MailScanner (works great, makes it easy to see what's going on).

Any ideas?

Sunny

Elmer Steve Forro III (Sunny)
Assistant Manager of Information Systems
Compco Industries
400 West Railroad Street Suite 1
Columbiana, OH 44408
Phone: (330) 482-0200
Cell: (330) 881-8401
Fax: (330) 482-6492
Email: [EMAIL PROTECTED]
Web: http://www.compcoind.com/