On Tue, 22 Mar 2005, Matt Kettler wrote: > Sunny Forro wrote: > > >Hello, > > I've got a problem. I've got a lot of phishing attacks making it > >through my mailscanner setup. I do have phishing fraud detection turned > >on, and I have not modifed the phishing safe sites list. Most(if not > >all) of the phishing emails are ebay account notices with forged IP [snip..] > Have you considered adding clamav to your MailScanner setup? clamav > detects a wide variety of stock phishing scams as if they were viruses. > Works great for me with my setup. (I use it with MailScanner, but I have > the MailScanner phishing net disabled). It's not 100%, but it catches > 80-90% of them without any work on my part. > > http://www.clamav.net/ > > From there you might want to consider the SARE spoofing ruleset for > SpamAssassin (I've not tried it myself, but it seems well written) > > http://www.rulesemporium.com/rules/70_sare_spoof.cf
I'll second that advice, am doing both and well worth the effort. (not to mention the side effect of blocking viri ;). I've integrated clamav into the SMTP system to do a SMTP-REJECT on all detected baddies, so viri and many phishes never make it in our front door. I augmented 70_sare_spoof.cf to improve its coverage, added more bank sites we've seen (EG: wamu.com, huntington.com, keybank.com hiberniainfo.com, etc). -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{