Well by "hacked" I mean people that have fallen for the phishing and have sent 
their username and password. When I notice it on our network, we immediately 
reset the password and inform the user. But the emails we get are coming from 
other colleges where users have given away their passwords.

-----Original Message-----
From: SM [mailto:s...@resistor.net] 
Sent: Saturday, April 25, 2009 1:03 AM
To: users@spamassassin.apache.org
Subject: Re: Phishing

At 17:05 24-04-2009, Casartello, Thomas wrote:
>One major issue we've been having lately is with phishing emails 
>being targeted at us. They're being sent to us from hacked accounts 
>at other educational institutes. The message usually is about "Your 
>EDU webmail account is expiring. Please send us your username and 
>password to fix it." We've had some users fall for it, then their 
>Exchange account gets turned into a spam machine (sending out usual 
>junk spam as well as the original phishing message.) Because they 
>are coming from legitimate sites, it's been very difficult to block 
>these messages. I've been trying to write phrase rules with common 
>words used in the message, but whoever's responsible for this is 
>continually changing the message to prevent you from being able to 
>catch them with phrase rules. Any thoughts?

There was a project from an educational institution to target 
phishing emails.  I don't recall the name of the project or whether 
the source code was released.

It is going to be a lot of work to keep the rules updated to catch 
these emails.  Analyze the emails instead of trying to apply the 
usual techniques to catch them.  Instead of considering the emails as 
coming from legitimate sites, you should treat that as a data point 
as part of the patterns to identify.  The words in the emails might 
change but the sender relies on some information for the phish to 
work.  You should be able to parse the mail traffic for that 
information.  BTW, there is a larger problem if there are "hacked" 
accounts available on the sending network and on your network.

Regards,
-sm 
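An added example, not from this thread, of the approach SM describes: score a message on the co-occurrence of the signals the phish depends on (external .edu sender, redirected Reply-To, expiry lure, credential request) rather than on phrase lists alone. It uses only Python's standard email module; the local domain and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"  # assumption: the receiving site's own domain

CREDENTIAL_ASK = re.compile(r"\b(user ?name|login|password)\b", re.I)
ACCOUNT_LURE = re.compile(
    r"\b(webmail|mailbox|account)\b.*\b(expir|suspend|verif|upgrad)", re.I | re.S)

def _addr_domain(value):
    """Domain part of an address header, lowercased ('' if header absent)."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()

def phish_signals(raw):
    """Return the set of signals that fired for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    from_dom = _addr_domain(msg["From"])
    reply_dom = _addr_domain(msg["Reply-To"])
    signals = set()
    if from_dom.endswith(".edu") and from_dom != LOCAL_DOMAIN:
        signals.add("external_edu_sender")      # legitimate site, used as a data point
    if reply_dom and reply_dom != from_dom:
        signals.add("reply_to_mismatch")        # replies steered away from the sender
    if ACCOUNT_LURE.search(text):
        signals.add("account_expiry_lure")      # the pretext
    if CREDENTIAL_ASK.search(text):
        signals.add("asks_for_credentials")     # the ask the phish cannot do without
    return signals

def is_phish(raw, threshold=3):
    """Flag only when several independent signals co-occur."""
    return len(phish_signals(raw)) >= threshold

# Constructed samples: one matching the thread's description, one benign.
SAMPLE = """From: helpdesk@other-college.edu
Reply-To: admin-recovery@webmail-support.example.net
To: student@example.edu
Subject: Your EDU webmail account

Your EDU webmail account is expiring. Please send us your username and
password to fix it.
"""
BENIGN = """From: registrar@other-college.edu
To: student@example.edu
Subject: Transcript request received

Your transcript request was received and will be processed in 3 days.
"""
```

Each signal alone is weak (other colleges mail you legitimately), which is why the score is on their combination.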
