This is a discussion on Re: Phishing rules? - SpamAssassin
Micah Anderson wrote:
> * Kelson [2008-10-30 17:29-0400]:
>> Micah Anderson wrote:
>>> reject_rbl_client list.dsbl.org,
>> DSBL has shut down, and you should remove the query from your list. It
>> won't help with the phishing, but it'll free up some network resources.
>> Info: http://dsbl.org/node/3
> Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
> is a shame.
why? that's what I use (I only use other DNSBLs in some cases).
> I had to remove barracuda because I've received already 3
> complaints about false-positives, that's a real shame, because it was
> blocking about 3x as much as zen was.
can you share these FPs? if you can't post them to a public list but can
post them to me, I am interested.
>>> I've got clamav pulling signatures updated once a day from sanesecurity
>>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
>> before they even get to SpamAssassin. We call clamd through MIMEDefang,
>> then call SpamAssassin (also through MimeDefang) if a message passes.
>> Have you verified that Clam is using the SaneSecurity signatures? How
>> are you calling ClamAV?
> Oh I'm certainly blocking phishing attempts via the SaneSecurity
> signatures, probably 200+ in the last hour alone. However, the phishing
> emails that are getting through are not known to their signature
> database, and in some cases have been directly targeted at the domain I
> am managing. That's why I am interested in rules that look for typical
> phishing emails. These emails are usually quite similar in their
> construction, so it seems like a good case for rules.
It's hard to block all phishes, since new forms appear every now and then.
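
The retired DSBL zone mentioned earlier in the thread is the kind of stale entry a periodic check can catch. The following is an added example, not part of the original thread: it pulls the `reject_rbl_client` zones out of a Postfix configuration and probes each with the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The sample configuration text and all function names are constructed for illustration.

```python
import re
import socket

# Constructed sample main.cf fragment (assumption, not taken from the thread).
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org
"""

def rbl_zones(main_cf):
    """Return the DNSBL zones named by reject_rbl_client, in order, no repeats."""
    zones = []
    for line in main_cf.splitlines():
        if line.lstrip().startswith("#"):      # Postfix comment line
            continue
        # The zone ends at ',' or at an optional '=127.0.0.x' reply filter.
        for zone in re.findall(r"reject_rbl_client\s+([A-Za-z0-9.-]+)", line):
            zone = zone.rstrip(".").lower()
            if zone not in zones:
                zones.append(zone)
    return zones

def dns_listed(name):
    """Default resolver: True if the name has an A record."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def check_zone(zone, listed=dns_listed):
    """Classify a zone using the RFC 5782 test entries."""
    hit = listed("2.0.0.127." + zone)    # 127.0.0.2 must be listed
    miss = listed("1.0.0.127." + zone)   # 127.0.0.1 must not be listed
    if not hit:
        return "dead"                    # test entry missing: zone gone or unreachable
    return "lists-everything" if miss else "ok"

def audit(main_cf, listed=dns_listed):
    """Map every configured DNSBL zone to its status."""
    return {zone: check_zone(zone, listed) for zone in rbl_zones(main_cf)}

if __name__ == "__main__":
    for zone, status in audit(SAMPLE_MAIN_CF).items():
        print(zone + ": " + status)
```

A zone reported as `lists-everything` answers for every address and would reject all mail if left in the restriction list, so it needs removing as urgently as a `dead` one.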