I use two things to combat phish.

1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656 in January. It's a beast on your CPU utilization as almost every mail will need to be virus scanned.

2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines to take effect. This helps cut down on the false positives in the filter. It uses other tests like a spamdomains test for Phish, Matt's IP-Linked filter and another filter that looks for bank domain names. It's all posted at http://it.farmprogress.com/declude/Multiline.htm

I still get occasional phish, but they are pretty rare.

----- Original Message -----
From: "David Sullivan" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Wednesday, February 16, 2005 1:23 PM
Subject: [Declude.JunkMail] Phishing

> We're running JM+Sniffer and still having some problems with phishes.
> Here's the headers of a message that passed through and didn't trip a
> single test. Our user got 140 of these in a period of a few hours. He
> always seems to be on the front end of these things.
>
> I'm running spf so it didn't fail that. Notice the envelope from and
> the from though. Any ideas on how to combat this? What about some type
> of combo test or something that could look at the "from" the user sees
> and compares against known good IPs for companies like ebay, paypal,
> citibank, etc?
>
> If anybody has a good way of catching these your input would be
> greatly appreciated.
>
> Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])
>   by email_server.ourcustomerdomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>   id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
> Received: from mail2.example.net (unknown [10.1.16.2])
>   by outbound3.example.net (Postfix) with ESMTP id BB00767835
>   for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
> Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
>   (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
> Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
>   by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
>   for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
>   (envelope-from [EMAIL PROTECTED])
> Received: from nobody by vps.parlori.net with local (Exim 4.44)
>   id 1D1FAQ-0001Yt-6Z
>   for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
> To: [EMAIL PROTECTED]
> Subject: Security Validations
> From: eBay <[EMAIL PROTECTED]>
> Reply-To:
> MIME-Version: 1.0
> Content-Type: text/html
> Message-Id: <[EMAIL PROTECTED]>
> Date: Tue, 15 Feb 2005 20:43:54 -0600
> X-Note: Spam Score: 0
>
> example.net is us
>
> --
> Best regards,
> David mailto:[EMAIL PROTECTED]
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
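The "combo test" David asks for, combined with the reply's MINWEIGHTTOFAIL idea, as an added example in Python that is not part of the thread or of Declude: it finds the first Received hop outside the site's own hosts, checks whether the brand named in the visible From matches an allowlist of that brand's sending networks, and only fails the mail once several weighted indicators add up. BRAND_NETWORKS (documentation ranges), OUR_DOMAIN, the weights and the placeholder addresses in the sample are assumptions made for this example.

```python
import email
import ipaddress
import re
# Constructed allowlist: networks a brand legitimately sends from. Documentation
# ranges stand in for the real netblocks, which the thread does not give.
BRAND_NETWORKS = {"ebay": [ipaddress.ip_network("203.0.113.0/24")],
                  "paypal": [ipaddress.ip_network("198.51.100.0/24")]}
OUR_DOMAIN = "example.net"  # the receiving site's own hosts ("example.net is us")
MINWEIGHTTOFAIL = 4         # indicator weights must add up to this before a mail fails

def originating_ip(received):
    """Walk Received: values top-down; the first hop from outside our hosts is the origin."""
    for value in received:
        m = re.search(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)", value)
        if m and not (m.group(1).endswith(OUR_DOMAIN) or ipaddress.ip_address(m.group(2)).is_private):
            return ipaddress.ip_address(m.group(2))
    return None

def phish_score(raw):
    """Return (score, fails, reasons): does the brand the user sees match where the mail came from?"""
    msg = email.message_from_string(raw)          # stdlib parser unfolds continuation lines
    received = msg.get_all("Received", [])
    from_hdr = msg.get("From", "")
    display = from_hdr.split("<")[0].strip(' "').lower()   # the name the user sees
    brand = next((b for b in BRAND_NETWORKS if b in display), None)
    origin = originating_ip(received)
    reasons = []
    if brand and origin and not any(origin in net for net in BRAND_NETWORKS[brand]):
        reasons.append((f"display name claims {brand} but origin {origin} is not a {brand} network", 2))
    from_dom = re.search(r"@([\w.-]+)", from_hdr)
    env = re.search(r"envelope-from\s+<?([^>\s)]+)", "\n".join(received))
    if from_dom and env and env.group(1).rsplit("@", 1)[-1].lower() != from_dom.group(1).lower():
        reasons.append(("envelope sender domain differs from the From: domain", 1))
    if msg.get("Reply-To") == "":                 # header present but empty, as in the sample
        reasons.append(("empty Reply-To header", 1))
    score = sum(w for _, w in reasons)
    return score, score >= MINWEIGHTTOFAIL, reasons

# Constructed sample modelled on the headers quoted in the thread; addresses are placeholders.
SAMPLE_PHISH = """\
Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])
    by email_server.ourcustomerdomain.com with SMTP id 10628P6B
Received: from mail2.example.net (unknown [10.1.16.2]) by outbound3.example.net
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204]) by mx1.example.net
    (envelope-from bounce@vps.parlori.net)
Subject: Security Validations
From: eBay <service@ebay.example>
Reply-To:
"""
```

Running `phish_score(SAMPLE_PHISH)` returns a score of 4 with three reasons, so the sample fails at MINWEIGHTTOFAIL, while a mail whose origin sits inside the brand's allowlisted network scores 0.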