Re: Phishing rules?
* Kelson <firstname.lastname@example.org> [2008-10-30 17:29-0400]:[color=blue]
> Micah Anderson wrote:[color=green]
>> reject_rbl_client list.dsbl.org,[/color]
> DSBL has shut down, and you should remove the query from your list. It
> won't help with the phishing, but it'll free up some network resources.
> Info: [url]http://dsbl.org/node/3[/url][/color]
Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
is a shame. I had to remove barracuda because I've received already 3
complaints about false-positives, thats a real shame, because it was
blocking about 3x as much as zen was.
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).[/color]
> Odd, ClamAV + SaneSecurty does a really good job here at blocking phish
> before they even get to SpamAssassin. We call clamd through MIMEDefang,
> then call SpamAssassin (also through MimeDefang) if a message passes.
> Have you verified that Clam is using the SaneSecurity signatures? How
> are you calling ClamAV?[/color]
Oh I'm certainly blocking phishing attempts via the SaneSecurity
signatures, probably 200+ in the last hour alone. However, the phishing
emails that are getting through are not known to their signature
database, and in some case have been directly targetted at the domain I
am managing. Thats why I am interested in rules that look for typical
phishing emails. These emails are usually quite similar in their
construction, so it seems like a good case for rules.