Karsten Bräckelmann writes:

> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>>
>> postfix is doing:
>> reject_rbl_client b.barracudacentral.org,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rbl_client list.dsbl.org,
>>
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I'd increase this, at least for the SaneSecurity phish sigs. They are
> being updated much more frequently.


Thanks for the pointer. For some reason I thought I had read on the
SaneSecurity site that you shouldn't pull more than once a day, but now
after you mentioned it I went and read again and they ask you don't pull
more frequently than once an hour... so I've changed that cronjob; that
should help.

>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>
> Yes, unless you disable network tests in general. Should be easy to
> answer yourself if they are working, just by grepping for the rule names
> defined in 25_uribl.cf.


Network tests aren't disabled, and yeah I am seeing those rules occur in
some of my headers of mail that I can search through, so I think that
they are working. I've increased my overall URIBL scoring to 2.5 from
the default.

>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>
> So you've pretty much thrown everything at it you could find... And
> they are still slipping through? How many are we talking here? Compared
> to the total number of spam / phish?
>
> Also, how many are being caught? Strikes me as odd that you don't have a
> sample but yet sound like every single one is slipping by.


These are hard for me to answer as I am not doing any analysis of how
many are caught. In the last week, I've gotten four of them through, and
I've received reports from a number of users that they too have received
them.

I've just sent a sample to the list however.

> I guess I would start verifying that all the above actually is working.
> Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's
> share, by far, assuming it comes before SA in your chain.


Yeah, I'm using the clamav-milter, so those get rejected really early
on.

Thanks for the ideas,
Micah
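Karsten's suggestion (grep the headers for the rule names defined in 25_uribl.cf) and the count Micah says he is not doing can be done together with a small script. This is an added example, not code from the thread; it assumes X-Spam-Status headers in the format SpamAssassin 3.2.x writes and runs over a constructed sample.

```python
import re
from collections import Counter

# Constructed sample: three X-Spam-Status headers as SpamAssassin 3.2.x writes
# them (the tests= list is folded onto tab-indented continuation lines).
SAMPLE_HEADERS = """\
X-Spam-Status: Yes, score=8.2 required=5.0 tests=BAYES_99,URIBL_BLACK,
\tURIBL_JP_SURBL,HTML_MESSAGE autolearn=no version=3.2.5
X-Spam-Status: No, score=1.1 required=5.0 tests=HTML_MESSAGE,
\tSPF_PASS autolearn=no version=3.2.5
X-Spam-Status: No, score=3.9 required=5.0 tests=BAYES_50,URIBL_BLACK,
\tHTML_MESSAGE autolearn=no version=3.2.5
"""

# Rules from 25_uribl.cf all carry the URIBL_ prefix in SpamAssassin 3.2.x.
URIBL_RULE = re.compile(r"^URIBL_")
STATUS_LINE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=([-\d.]+).*?tests=(.*?)\s+autolearn=")


def parse_spam_status(headers):
    """Unfold X-Spam-Status headers and yield (is_spam, score, [rule names])."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    for line in unfolded.splitlines():
        m = STATUS_LINE.match(line)
        if not m:
            continue
        tests = [t.strip() for t in m.group(3).split(",") if t.strip()]
        yield m.group(1) == "Yes", float(m.group(2)), tests


def uribl_stats(headers):
    """Count messages, per-rule URIBL hits, and URIBL hits that still passed."""
    total = flagged = uribl_hit = uribl_passed = 0
    per_rule = Counter()
    for is_spam, score, tests in parse_spam_status(headers):
        total += 1
        flagged += int(is_spam)
        hits = [t for t in tests if URIBL_RULE.match(t)]
        per_rule.update(hits)
        if hits:
            uribl_hit += 1
            if not is_spam:
                uribl_passed += 1  # a URIBL rule fired but the score stayed below required
    return {"total": total, "flagged": flagged, "uribl_hit": uribl_hit,
            "uribl_hit_but_passed": uribl_passed, "per_rule": dict(per_rule)}


if __name__ == "__main__":
    print(uribl_stats(SAMPLE_HEADERS))
```

The "uribl_hit_but_passed" count is the one to watch when deciding whether raising the URIBL scores, as Micah did, is actually what tips those messages over the threshold.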