The phish are coming from real hacked accounts (basically people that have
gotten the phish email and fallen for it) at other educational institutes
(we already use SPF).

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: Jeff Chan [mailto:je...@surbl.org] 
Sent: Friday, April 24, 2009 9:43 PM
To: Casartello, Thomas
Cc: users@spamassassin.apache.org
Subject: Re: Phishing

On Friday, April 24, 2009, 5:05:38 PM, Thomas Casartello wrote:
> One major issue we've been having lately is with phishing emails being
> targeted at us. They're being sent to us from hacked accounts at other
> educational institutes. The message usually is about "Your EDU webmail
> account is expiring. Please send us your username and password to fix it."
> We've had some users fall for it, then their Exchange account gets turned
> into a spam machine (sending out usual junk spam as well as the original
> phishing message.) Because they are coming from legitimate sites, it's been
> very difficult to block these messages. I've been trying to write phrase
> rules with common words used in the message, but whoever's responsible for
> this is continually changing the message to prevent you from being able to
> catch them with phrase rules. Any thoughts?

If the phishes are claiming to come from your own domain, then
use SPF or DKIM on your real outbound mail.  Then any message
claiming to be from your domain that doesn't match the SPF record
or DKIM key can be considered a forgery and handled
appropriately.

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
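
The own-domain forgery check described in this thread, as an added example that is not part of the original messages. It assumes the border MTA strips inbound `Authentication-Results` headers and stamps its own; `college.example`, `peer-university.example` and the sample messages are constructed placeholders. The third sample shows why mail from a compromised account at another institution is not flagged by this check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "college.example"  # assumed placeholder for the local domain

def aligned_pass(msg, domain):
    """True if an spf/dkim 'pass' result was issued for `domain` itself."""
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";")[1:]:  # first part is the authserv-id
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause, re.I)
            if not m or m.group(2).lower() != "pass":
                continue
            # SPF authenticates the envelope sender, DKIM the signing domain.
            prop = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
            p = re.search(re.escape(prop) + r"=(\S+)", clause, re.I)
            if p and p.group(1).rpartition("@")[2].lower() == domain:
                return True
    return False

def classify(raw, own_domain=OWN_DOMAIN):
    """Label a message by whether its From: claims our domain and is authenticated."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != own_domain:
        return "external"  # this check has nothing to say about other domains
    if aligned_pass(msg, own_domain):
        return "own-domain-authenticated"
    return "own-domain-forgery"

def sample(from_hdr, auth):
    """Build a constructed test message with the given From and auth results."""
    return (f"From: {from_hdr}\n"
            f"Authentication-Results: mx.college.example; {auth}\n"
            "Subject: Your EDU webmail account is expiring\n\nbody\n")

SAMPLES = {  # constructed sample input, not real traffic
    "forged": sample('"IT Helpdesk" <helpdesk@college.example>',
                     "spf=fail smtp.mailfrom=helpdesk@college.example; dkim=none"),
    "genuine": sample("helpdesk@college.example",
                      "spf=pass smtp.mailfrom=helpdesk@college.example;\n"
                      " dkim=pass header.d=college.example"),
    "hacked_peer": sample("jdoe@peer-university.example",
                          "spf=pass smtp.mailfrom=jdoe@peer-university.example;\n"
                          " dkim=pass header.d=peer-university.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```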
