On Tue, 22 Mar 2005, Matt Kettler wrote:
> Sunny Forro wrote:
>
> >Hello,
> > I've got a problem. I've got a lot of phishing attacks making it
> >through my mailscanner setup. I do have phishing fraud detection turned
> >on, and I have not modifed the phishing safe sites list. Most(if not
> >all) of the phishing emails are ebay account notices with forged IP
[snip..]
> Have you considered adding clamav to your MailScanner setup? clamav
> detects a wide variety of stock phishing scams as if they were viruses.
> Works great for me with my setup. (I use it with MailScanner, but I have
> the MailScanner phishing net disabled). It's not 100%, but it catches
> 80-90% of them without any work on my part.
>
> http://www.clamav.net/
>
> From there you might want to consider the SARE spoofing ruleset for
> SpamAssassin (I've not tried it myself, but it seems well written)
>
> http://www.rulesemporium.com/rules/70_sare_spoof.cf
I'll second that advice, am doing both and well worth the effort.
(not to mention the side effect of blocking viri ;).
I've integrated clamav into the SMTP system to do a SMTP-REJECT on all
detected baddies, so viri and many phishes never make it in our front
door.
I augmented 70_sare_spoof.cf to improve its coverage, added more
bank sites we've seen (EG: wamu.com, huntington.com, keybank.com
hiberniainfo.com, etc).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
