Date: 11 Mar 2012 08:51:47 -0000
Subject: Re: Better phish detection
To: users@spamassassin.apache.org
From: hamann.w@t-online.de
Dave Funk wrote:
>>
>> As an admin on a site that regularly gets hit with phish attacks, I can
>> answer that. The forms are most often a web-page, which are:
>>
>> 1) forms hosted on Google-Docs or legit survey sites.[0]
>> 2) sites hidden behind URL-shorteners

would you want to submit details to a site with a redirected url?
Probably SA is not the right tool here, because it would have to mark detected mail as "caution"

>> 3) forms hidden in pages hosted on compromised legit sites.[1]
>> 4) forms attached to mail messages, the attachments obfuscated by being
>> MIME-typed as application/octet-stream but the file names ending in ".htm"
>> so SA won't try looking inside but mail-clients -will- automagically
>> "just do the right thing"(tm) [2]

sounds like a potential improvement on any filter: try to identify attachments by their first 512 bytes rather than by filename or mime type

>> 5) URIs that are obfuscated by being buried inside javascript that
>> dynamically generates them at message open time.[3]

If there was a "caution" rather than just "potential spam" mark, it should certainly mark javascript

>> [3] Damn people who insist that HTML should be acceptable everywhere.
>> I tried creating rules that blacklist email containing javascript
>> but there's legit sites (purchase confirmations, reservation notices,
>> etc) that insist on doing that crap.
>>

My own way of life:
a) messages that do not list me in either To or Cc (that is most mailing lists) must come from whitelisted senders, otherwise they do not even make it to SA
b) I read mails on a text interface with a nice "read this one message in browser" pushbutton
c) the actual sending email address should not be completely obscured in the mail reader, in favor of a display name

I have implemented b) at the company where I work.
For more than 50 % of mails handled by average staff, the same pushbutton means "open in application". When this project started a decade ago, I could not find a way to associate that particular class of mails (identified by sender, subject line, and mime-type) with an application in either Netscape or Outlook. So the incentive is: have better workflow for the majority of messages, in exchange for a need to hit "view in browser" for some messages.
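As an added illustration of the "first 512 bytes" idea in the reply above (example code written for this archive page, not from the thread or from SpamAssassin): a Python check that decodes each MIME part and flags attachments whose declared type is not text/html but whose leading bytes sniff as HTML, noting when JavaScript is present. The sample message, addresses and filename are constructed.

```python
# Added example (not from the thread or SpamAssassin): sniff the leading
# bytes of each attachment instead of trusting filename or MIME type.
import email
from email import policy
from email.message import EmailMessage

SNIFF_LEN = 512  # bytes inspected, as suggested in the reply
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<form")


def looks_like_html(data: bytes) -> bool:
    """True if any HTML/script marker appears in the first SNIFF_LEN bytes."""
    head = data[:SNIFF_LEN].lower()
    return any(marker in head for marker in HTML_MARKERS)


def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, declared_type, reason) for parts whose decoded
    content looks like HTML even though they are not declared text/html."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype != "text/html" and looks_like_html(payload):
            reason = "html_disguised_as_" + ctype
            if b"<script" in payload[:SNIFF_LEN].lower():
                reason += "+javascript"
            findings.append((part.get_filename() or "", ctype, reason))
    return findings


def build_sample(disguised: bool) -> bytes:
    """Constructed sample: an HTML form attached either honestly (text/html)
    or mislabelled as application/octet-stream with a .htm filename."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached form.")
    html = b"<html><body><form action='#'><input name='pw'></form></body></html>"
    if disguised:
        msg.add_attachment(html, maintype="application", subtype="octet-stream", filename="form.htm")
    else:
        msg.add_attachment(html.decode(), subtype="html", filename="form.htm")
    return msg.as_bytes()
```

Only the first SNIFF_LEN decoded bytes are examined, so a large binary attachment costs no more than a small one.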