On Sat, 10 Mar 2012, haman...@t-online.de wrote:
Hello,
We are getting a fair amount of very targeted phish attempts to our
userbase. Since we are relatively small, I don't think any of the URIBLs
really help (or phishtank or other lists) since we're not a large bank or
paypal or anything like that.
I did see some gentleman make a rather valiant attempt at listing all the
common phrases here:
Hi,
I would not feel inclined to update a filter every day .... so the question is:
what do
these things have in common?
It seems somebody wants your users to complete a form .... where would the form
be sent to?
A valid domain, or just some ip address
Regards
Wolfgang
As an admin on a site that regularly gets hit with phish attacks, I can
answer that. The forms are most often a web-page, which are:
1) forms hosted on Google-Docs or legit survey sites.[0]
2) sites hidden behind URL-shorteners
3) forms hidden in pages hosted on compromised legit sites.[1]
4) forms attached to mail messages, the attachments obfuscated by being
MIME-typed as application/octet-stream but the file names ending in ".htm"
so SA won't try looking inside but mail-clients -will- automagically
"just do the right thing"(tm) [2]
5) URIs that are obfuscated by being buried inside javascript that
dynamically generates them at message open time.[3]
I've got a number of invisible __rules that look for things such as URIs
that have the text "form" anywhere in it etc, look for various key words
("quota","password","account", etc) and then a bunch of metas that tie them
together; but it's a never ending battle. ;(
[0] Have to regularly scan my spamtraps, look for such crap and then go
click the "report abuse" link.
[1] I wish I could dope-slap all the people who think they can set up a
WordPress site and just let it run without ever updating/monitoring
it.
[2] How do you fight attacks that SA isn't even willing to try to look at?
Hey SA devs, can I make an enhancement request. I tried creating a
rule that looked for that sort of crap but there's legit mail that
does it too.
[3] Damn people who insist that HTML should be acceptable everywhere.
I tried creating rules that blacklist email containing javascript
but there's legit sites (purchase confirmations, reservation notices,
etc) that insist on doing that crap.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
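The "invisible __rules plus metas" approach Dave describes above, written out as an added SpamAssassin rule fragment. This is illustrative code, not from the original post or from the SpamAssassin project; the rule names (LOCAL_PHISH_*, __LP_*), the keyword patterns, the shortener list and the scores are all assumptions to be tuned against your own spamtraps.

```conf
# Added example (not from the original post): sub-rules prefixed with "__"
# score nothing on their own; only the metas at the bottom carry a score.
# Names, patterns and scores are assumptions for local tuning.

# 1) URI whose path looks like a hosted form (Google Forms, survey sites)
uri        __LP_URI_FORM       /\/(?:forms?|viewform|formResponse)\b/i
describe   __LP_URI_FORM       URI path looks like a hosted form

# 2) URL shorteners commonly used to hide the real landing page
uri        __LP_URI_SHORT      /^https?:\/\/(?:bit\.ly|tinyurl\.com|goo\.gl|t\.co|is\.gd)\//i
describe   __LP_URI_SHORT      URI points at a URL shortener

# Credential/account-themed wording in the rendered body text
body       __LP_KW_QUOTA       /\b(?:mailbox|storage) quota\b/i
body       __LP_KW_PASSWORD    /\bpass ?word\b/i
body       __LP_KW_ACCOUNT     /\b(?:verify|validate|re-?activate|upgrade) your (?:e-?mail )?account\b/i
body       __LP_KW_DEADLINE    /\bwithin (?:24|48) hours\b/i

# 4) Attachment declared as generic binary but named as an HTML file.
#    mimeheader rules see the MIME headers of every part, which is how
#    the octet-stream/.htm trick is visible even though SA does not
#    render the part's contents.
mimeheader __LP_OCTET_HTM      Content-Type =~ /^application\/octet-stream.*\bname=.*\.html?\b/is
mimeheader __LP_DISP_HTM       Content-Disposition =~ /\battachment\b.*\bfilename=.*\.html?\b/is
describe   __LP_OCTET_HTM      Octet-stream attachment with an .htm/.html name

# 5) Script in the raw HTML body that assembles something at open time
rawbody    __LP_JS_TAG         /<script\b/i
rawbody    __LP_JS_BUILDURL    /(?:document\.write|unescape|String\.fromCharCode)\s*\(/i

# Metas: require an account theme AND a delivery channel before scoring,
# so the legit octet-stream attachments and JavaScript-bearing
# confirmations mentioned in the thread do not fire on their own.
meta       LOCAL_PHISH_FORM    (__LP_URI_FORM || __LP_URI_SHORT) && (__LP_KW_QUOTA + __LP_KW_PASSWORD + __LP_KW_ACCOUNT + __LP_KW_DEADLINE >= 2)
describe   LOCAL_PHISH_FORM    Account-themed text pointing at a hosted form or shortener
score      LOCAL_PHISH_FORM    3.0

meta       LOCAL_PHISH_HTM_ATTACH (__LP_OCTET_HTM || __LP_DISP_HTM) && (__LP_KW_PASSWORD || __LP_KW_ACCOUNT)
describe   LOCAL_PHISH_HTM_ATTACH HTML attachment disguised as octet-stream plus account wording
score      LOCAL_PHISH_HTM_ATTACH 3.5

meta       LOCAL_PHISH_JS_URI  __LP_JS_TAG && __LP_JS_BUILDURL && (__LP_KW_PASSWORD || __LP_KW_ACCOUNT)
describe   LOCAL_PHISH_JS_URI  Script-built content plus account wording
score      LOCAL_PHISH_JS_URI  2.5
```

Drop the fragment into local.cf (or a separate .cf file in the site rules directory), run `spamassassin --lint` to catch syntax errors, then feed a captured phish and a few legitimate messages through `spamassassin -t < sample.eml` and check which of the LOCAL_PHISH_* metas fire. Keep the per-signal scores modest and let the metas do the work: a single keyword or a single shortener hit is common in legitimate mail, while the combinations are what characterise the credential-harvesting phish described in the thread.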