On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client list.dsbl.org,
>
> I've got clamav pulling signatures updated once a day from sanesecurity
> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
> securesiteinfo) and Malware Black List, MSRBL (images, spam).


I'd increase this, at least for the SaneSecurity phish sigs. They are
being updated much more frequently.


> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf automatically, right? Or do I need to configure


Yes, unless you disable network tests in general. Should be easy to
answer yourself if they are working, just by grepping for the rule names
defined in 25_uribl.cf.


> that? if its automatic, that pulls in SURBL phishing). I've got Botnet
> setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
> hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
> can think of....but for some reason phishing attempts keep getting
> through.
>
> Sadly, I do not have an example I can share at the moment, as I
> typically delete them in a rage after training my bayes filter on
> them. However, I am looking for any suggestions of other things I can
> turn on... in particular, are there rules that people have created that
> look for certain keywords where the body is asking for your
> account/password information?


So you've pretty much thrown everything at it you could find... And
they are still slipping through? How many are we talking here? Compared
to the total number of spam / phish?

Also, how many are being caught? Strikes me as odd that you don't have a
sample but yet sound like every single one is slipping by.

I guess, I would start verifying that all the above actually is working.
Most notably the SaneSecurity phish sigs. ClamAV should catch the lions
share, by far, assuming it comes before SA in your chain.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}