On Tue, 8 Dec 2009, Michael Holstein wrote:
>
> > 3. Spammers abusing your webmail and/or remote message submission service
> > using phished credentials.
>
> I'll admit .. this has happened a few times too. Usually we see the
> incoming phish attempt and configure an outbound block for RE: (same
> subject) and it never fails .. we catch at least one person that
> responds. We've seriously considered sending our own phishing emails
> with a link that automatically disables anyone's account if they click it.

In addition to rate-limiting, you can get some assistance from the
anti-phishing email reply blacklist (see
http://code.google.com/p/anti-phishing-email-reply/) which is included in
the Sanesecurity ClamAV add-on databases (see
http://sanesecurity.co.uk/databases.htm). Even if it's too late to block
the incoming phish it can be useful to block your users' replies.

There's also "Kochi" which analyses email for phishing-related patterns,
including detecting messages that contain users' passwords (see
http://oss.lboro.ac.uk/kochi1.html).

There's a fair amount of discussion of this kind of thing on the
hied-emailadmin list (see
https://listserv.nd.edu/cgi-bin/wa?A0=HIED-EMAILADMIN).

> Our volume is 1.5-2m msg/day, and I'd say we catch ~95% of it .. but
> when a batch gets through and a third of our students have mail
> forwarded to Yahoo, from Yahoo's point-of-view, they just got 10,000
> spam from our IPs.

Ah, you have rather more forwarding than we do.

> Anyone know how to do this in Domino off-hand? (without sending IBM a
> fat check) .. if so, I'd love to hear about it so I can tell our Lotus
> admins.

Put a Unix mailer between it and the real world :-) I think Exim's rate
limiting facility is excellent, but then I wrote it :-)

Tony.
-- 
<[email protected]> <[email protected]> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
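
Added example, not part of the original message or of any project it mentions: a sketch of the outbound checks discussed in this thread, holding a user's message when a recipient appears on a phishing reply-address list or when its subject is a reply to a known phish subject. The "address,type,date" list layout, the function names and all sample data are assumptions constructed for illustration.

```python
import email
import re
from email.utils import getaddresses

# Constructed entries, not real list data; "address,type,date" layout is assumed.
SAMPLE_LIST = """\
# comment lines and blank lines are skipped
helpdesk-upgrade@example.net,A,20091201
webmail.team@example.org,AB,20091205
"""

def load_reply_addresses(text):
    """Return the set of lower-cased addresses found in the list text."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addrs.add(line.split(",", 1)[0].strip().lower())
    return addrs

_PREFIX = re.compile(r"^\s*((re|fwd?)\s*:\s*)+", re.I)

def norm_subject(subject):
    """Drop Re:/Fw:/Fwd: prefixes, then normalise case and whitespace."""
    return " ".join(_PREFIX.sub("", subject or "").split()).casefold()

def check_outbound(envelope_rcpts, raw_message, blocklist, phish_subjects):
    """Return ('hold', reason) or ('accept', None) for one outbound message."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # Envelope recipients are authoritative; header addresses are a fallback.
    rcpts = {a.lower() for a in envelope_rcpts}
    rcpts |= {a.lower() for _, a in getaddresses(headers) if a}
    hits = sorted(rcpts & blocklist)
    if hits:
        return ("hold", "recipient on reply list: " + ", ".join(hits))
    if norm_subject(msg["Subject"]) in {norm_subject(s) for s in phish_subjects}:
        return ("hold", "reply to known phish subject")
    return ("accept", None)

# Constructed outbound reply from a user to a listed address.
REPLY = """\
From: student@university.example
To: Helpdesk <Helpdesk-Upgrade@example.net>
Subject: RE: Webmail Account Upgrade

Here are the details you asked for.
"""
```

Held messages are better queued for review than silently dropped, since a hit also identifies an account whose credentials may need resetting.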

