--On 30 June 2005 06:52:18 -0700 Marc Perkel <[EMAIL PROTECTED]> wrote:
Thanks - I'm running ClamAV but what I'm trying to block isn't viruses.
Yeah, but ClamAV blocks phish bait AND viruses.
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=phish&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=Submit&.cgifields=database&.cgifields=case-sensitivity&.cgifields=search-type&.cgifields=display>
I'm trying to block phishing attempts where the users are tricked into
giving up their account info. I did find a list and typed in the biggest
names.
This is my initial list:
2checkout.com
2co.com
amazon.com
banknorth.com
bankofamerica.com
bankofoklahoma.com
bankofthewest.com
barclays.co.uk
capitalone.com
charteronebank.com
charterone.com
citibank.com
citizensbank.com
commercebank.com
ebay.com
e-gold.com
fleetbank.com
hsbc.co.uk
huntington.com
keybank.com
lasallebank.com
lloydstsb.co.uk
mbna.com
paypal.com
regionsbank.com
smithbarney.com
southtrust.com
suntrust.com
tcfbank.com
unionplanters.com
usbank.com
visa.com
wamu.com
wellsfargo.com
This is the ACL I'm testing it with - but I hope to change the warn into
a drop.
warn message = X-Verify-failure: Sender domain does not match received hosts! $sender_address_domain
     log_message = Fraud - Sender domain does not match received hosts! $sender_address_domain
     senders = [EMAIL PROTECTED];/etc/exim/run/verifylist.db
     !condition = ${if match{$h_Received:}{$sender_address_domain}{true}{false}}
The idea is that if the sender is in this list then I compare the sender's
domain to the received lines and if it doesn't match - it's phishing. It
should catch a lot of it.
Odhiambo G. Washington wrote:
* Marc Perkel <[EMAIL PROTECTED]> [20050630 00:42]: wrote:
Hi Marc,
I looked at my rejectlog and found these mentions: southtrust.com
gte.net lasallebank.com - rejectlog because clamav detected and rejected
them.
So you'd be better off running ClamAV as your malware scanner.
No need to reinvent a wheel, but yeah, if you believe yours will be
better, then why not? ;)
--
Ian Eiloart
Servers Team
Sussex University ITS
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
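
Added example, not part of the original thread and not Exim code: the comparison the ACL above performs, sketched in Python over constructed messages. It compares hostnames label by label instead of using the sender domain as a regular expression (which is how Exim's `match` treats its second argument, so an unescaped dot matches any character); the PROTECTED subset, the function names and the sample messages are assumptions.

```python
import re
from email import message_from_string

# Assumption: a small subset of the protected domains listed in the post.
PROTECTED = {"paypal.com", "ebay.com", "barclays.co.uk"}

# Hostnames that follow the "from" and "by" keywords of a Received header.
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")

def received_hosts(msg):
    """Lowercased hostnames named in the from/by clauses of all Received headers."""
    hosts = set()
    for value in msg.get_all("Received", []):
        for host in HOST_RE.findall(value):
            hosts.add(host.lower().rstrip("."))
    return hosts

def host_in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it (no regex)."""
    return host == domain or host.endswith("." + domain)

def verdict(envelope_sender, raw_message):
    """'skip' if the sender domain is not protected, else 'match' or 'mismatch'."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    if domain not in PROTECTED:
        return "skip"
    hosts = received_hosts(message_from_string(raw_message))
    return "match" if any(host_in_domain(h, domain) for h in hosts) else "mismatch"

def sample(helo):
    """Constructed test message with a single (folded) Received header."""
    return (f"Received: from {helo} ({helo} [192.0.2.10])\n"
            "\tby mail.example.org with esmtp; Thu, 30 Jun 2005 06:00:00 -0700\n"
            "From: service@paypal.com\nSubject: test\n\nbody\n")

GENUINE = sample("mx1.paypal.com")            # relay inside the sender's domain
SPOOFED = sample("dsl-host.example.net")      # unrelated relay
LOOKALIKE = sample("paypal-com.example.net")  # would satisfy the regex paypal.com

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED),
                      ("lookalike", LOOKALIKE)):
        print(name, verdict("service@paypal.com", raw))
```
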