spamassassin-users mailing list archives

From Dave Funk <dbf...@engineering.uiowa.edu>
Subject Re: Better phish detection
Date Sat, 10 Mar 2012 21:05:23 GMT
On Sat, 10 Mar 2012, hamann.w@t-online.de wrote:

>>> Hello,
>>>
>>> We are getting a fair amount of very targeted phish attempts to our
>>> userbase.  Since we are relatively small, I don't think any of the URIBLs
>>> really help (or phishtank or other lists) since we're not a large bank or
>>> paypal or anything like that.
>>>
>>> I did see some gentleman make a rather valiant attempt at listing all the
>>> common phrases here:
>
> Hi,
>
> I would not feel inclined to update a filter every day .... so the question is: what do
> these things have in common?
> It seems somebody wants your users to complete a form .... where would the form be sent to?
> A valid domain, or just some ip address
>
> Regards
> Wolfgang

As an admin on a site that regularly gets hit with phish attacks, I can 
answer that. The forms are most often web pages, which are:

1) forms hosted on Google-Docs or legit survey sites.[0]
2) sites hidden behind URL-shorteners
3) forms hidden in pages hosted on compromised legit sites.[1]
4) forms attached to mail messages, the attachments obfuscated by being
    MIME-typed as application/octet-stream but the file names ending in ".htm"
    so SA won't try looking inside but mail-clients -will- automagically
    "just do the right thing"(tm) [2]
5) URIs that are obfuscated by being buried inside javascript that
    dynamically generates them at message open time.[3]

I've got a number of invisible __rules that look for things such as URIs
that have the text "form" anywhere in it etc, look for various key words 
("quota","passord","account", etc) and then a bunch of metas that tie them
together; but it's a never ending battle. ;(

[0] Have to regularly scan my spamtraps, look for such crap and then go
     click the "report abuse" link.

[1] I wish I could dope-slap all the people who think they can set up a
     WordPress site and just let it run without ever updating/monitoring it.

[2] How do you fight attacks that SA isn't even willing to try to look at?
     Hey SA devs, can I make an enhancement request? I tried creating a
     rule that looked for that sort of crap but there's legit mail that
     does it too.

[3] Damn people who insist that HTML should be acceptable everywhere.
     I tried creating rules that blacklist email containing javascript
     but there's legit sites (purchase confirmations, reservation notices,
     etc) that insist on doing that crap.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
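The rule layout Dave describes (invisible `__` subrules for "form" URIs and bait keywords, tied together by metas) can be written in SpamAssassin's own rule syntax. The block below is an added example for this thread, not Dave's actual rules or anything shipped with SpamAssassin; the `LX_` rule names, regexes and scores are constructed for illustration. It also covers his item 4 with `mimeheader` rules from the MIMEHeader plugin, which matches on the headers of individual MIME parts (so an `application/octet-stream` part with a `.htm` file name can be flagged even though the body rules never see inside it).

```conf
# Added example: SpamAssassin local rules in the style described in the
# message above. Rule names (LX_*), patterns and scores are made up here.

# The mimeheader rule type needs this plugin (bundled with SpamAssassin 3.2+)
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Hidden subrules: a leading "__" means no score and no line in the report.
uri      __LX_URI_FORM        /\bform\b/i
body     __LX_KW_QUOTA        /\b(?:mail(?:box)?\s+)?quota\b/i
body     __LX_KW_PASSWORD     /\bpass(?:word|code)\b/i
body     __LX_KW_ACCOUNT      /\b(?:verify|confirm|validate|update)\s+your\s+account\b/i
body     __LX_KW_SUSPEND      /\baccount\s+(?:will\s+be\s+)?(?:suspended|deactivated|closed)\b/i

# Attachment declared as a generic octet-stream but named like an HTML file.
# mimeheader rules are evaluated against every MIME part's headers.
mimeheader __LX_MIME_OCTET    Content-Type =~ /^application\/octet-stream/i
mimeheader __LX_MIME_HTMNAME  Content-Type =~ /name=.*\.html?(?:\W|$)/i
mimeheader __LX_MIME_HTMDISP  Content-Disposition =~ /filename=.*\.html?(?:\W|$)/i

# Metas tie the pieces together; each fires only on a combination, which keeps
# a lone "form" URI in a legitimate mail from scoring on its own.
meta     LX_PHISH_FORM_KW     __LX_URI_FORM && (__LX_KW_QUOTA || __LX_KW_PASSWORD || __LX_KW_ACCOUNT || __LX_KW_SUSPEND)
describe LX_PHISH_FORM_KW     URI mentioning a form plus credential/quota bait wording
score    LX_PHISH_FORM_KW     2.5

meta     LX_PHISH_HTM_OCTET   __LX_MIME_OCTET && (__LX_MIME_HTMNAME || __LX_MIME_HTMDISP)
describe LX_PHISH_HTM_OCTET   HTML attachment disguised as application/octet-stream
score    LX_PHISH_HTM_OCTET   3.0

meta     LX_PHISH_COMBO       LX_PHISH_FORM_KW && LX_PHISH_HTM_OCTET
describe LX_PHISH_COMBO       Both the form bait and the disguised HTML attachment
score    LX_PHISH_COMBO       2.0
```

Drop this into a file under the local rules directory (for example `local.cf`), run `spamassassin --lint` to catch syntax mistakes, and test it against a saved message with `spamassassin -t < sample.eml` to see which subrules and metas fire. The low-ish individual scores are deliberate: as the message above notes, legitimate purchase confirmations and reservation notices use some of the same constructs, so the combinations carry the weight rather than any single pattern.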
