Re: phishing rules

2015-08-26 Thread RW
On Tue, 25 Aug 2015 08:25:30 -0400 Joe Quinn wrote: On 8/25/2015 7:51 AM, RW wrote: On Tue, 25 Aug 2015 09:55:57 +0200 Tom Hendrikx wrote: Basically every MUA I know will label the message as a possible scam when you use the BAD version, which is why you actually never see it in

Re: phishing rules

2015-08-25 Thread Tom Hendrikx
On 24-08-15 18:34, Joseph Brennan wrote: Nick Edwards nick.z.edwa...@gmail.com wrote: example the displayed version in mail might be www.example.com, but the actual URI when you highlight or click on it, is foobar.example.net The most common case is that the text shows the real web

Re: phishing rules

2015-08-25 Thread RW
On Tue, 25 Aug 2015 09:55:57 +0200 Tom Hendrikx wrote: Basically every MUA I know will label the message as a possible scam when you use the BAD version, which is why you actually never see it in non-spam mail, unless the editor was a real noob. That applies to spam too. Would this really

Re: phishing rules

2015-08-25 Thread Joe Quinn
On 8/25/2015 7:51 AM, RW wrote: On Tue, 25 Aug 2015 09:55:57 +0200 Tom Hendrikx wrote: Basically every MUA I know will label the message as a possible scam when you use the BAD version, which is why you actually never see it in non-spam mail, unless the editor was a real noob. That applies to

Re: phishing rules

2015-08-24 Thread Joseph Brennan
Nick Edwards nick.z.edwa...@gmail.com wrote: example the displayed version in mail might be www.example.com, but the actual URI when you highlight or click on it, is foobar.example.net The most common case is that the text shows the real web page, but the link goes to a click counter page

Re: phishing rules

2015-08-24 Thread RW
On Mon, 24 Aug 2015 13:14:41 +1000 Nick Edwards wrote: Hey, Kind of had enough of regular URIBLs not getting this stuff, so wondering has anyone written any rules they want to share on/off list to match on mismatched URI links, Are you getting a lot of phishes that still do this? It used

phishing rules

2015-08-23 Thread Nick Edwards
Hey, Kind of had enough of regular URIBLs not getting this stuff, so wondering has anyone written any rules they want to share on/off list to match on mismatched URI links, example the displayed version in mail might be www.example.com, but the actual URI when you highlight or click on it, is

Re: phishing rules

2015-08-23 Thread Benny Pedersen
On August 24, 2015 5:14:53 AM Nick Edwards nick.z.edwa...@gmail.com wrote: ciao Agere, create share deploy, thank you

Phishing Rules

2012-03-14 Thread Axb
Quite a bit has been said under Better phish detection Just put up an autocreated little rule file based on the few dozen phishes in my corpus. http://sourceforge.net/projects/sare/ If enough ppl contribute with samples, it could be created regularly. Anybody interested in sharing not

Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Sahil Tandon [EMAIL PROTECTED] writes: Joseph Brennan [EMAIL PROTECTED] wrote: We get some legitimate email from @live.com users. But they don't set a Reply-to header. That's the test. But that wasn't his question; he asked whether any legitimate mail flows from live.com. That was my

Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Joseph Brennan [EMAIL PROTECTED] writes: /Dear .{0,12}(web ?mail|columbia\.edu)/i /Password.{0,10}\([\s\.\*\_]+\)/ /you must reply to this email/i Reply-to =~ /[EMAIL PROTECTED]/ I created a meta-rule out of these (with a score of 8), and then ran spamassassin -D phish to see how it

Re: Phishing rules?

2008-11-09 Thread Ned Slider
Micah Anderson wrote: Joseph Brennan [EMAIL PROTECTED] writes: /Dear .{0,12}(web ?mail|columbia\.edu)/i /Password.{0,10}\([\s\.\*\_]+\)/ /you must reply to this email/i Reply-to =~ /[EMAIL PROTECTED]/ I'm new at writing custom rules, so I am trying to figure out the best way to do this.

Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Joseph Brennan [EMAIL PROTECTED] writes: /Dear .{0,12}(web ?mail|columbia\.edu)/i /Password.{0,10}\([\s\.\*\_]+\)/ /you must reply to this email/i Reply-to =~ /[EMAIL PROTECTED]/ I'm new at writing custom rules, so I am trying to figure out the best way to do this. Would it be better to

Re: Phishing rules?

2008-11-03 Thread Martin Gregorie
On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote: Joseph Brennan [EMAIL PROTECTED] writes: Reply-to: [EMAIL PROTECTED] First pass: header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/ score LOCAL_REPLYTO_LIVE 8.0 Maybe scoring 8.0 for one thing scares you,

Re: Phishing rules?

2008-11-03 Thread mouss
Jeff Chan wrote: On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: [...] I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand pulls in the

Re: Phishing rules?

2008-11-03 Thread mouss
Micah Anderson wrote: * Kelson [EMAIL PROTECTED] [2008-10-30 17:29-0400]: Micah Anderson wrote: reject_rbl_client list.dsbl.org, DSBL has shut down, and you should remove the query from your list. It won't help with the phishing, but it'll free up some network resources.

Re: Phishing rules?

2008-11-03 Thread Benny Pedersen
On Mon, November 3, 2008 12:02, Martin Gregorie wrote: ^http:.*\.spaces\.live\.com\/$ in its body but the From: header identifies a completely unrelated address. Would a rule that tags messages with this From and URI combo be useful or would it generate too many FPs?

Re: Phishing rules?

2008-11-03 Thread Sahil Tandon
Joseph Brennan [EMAIL PROTECTED] wrote: We get some legitimate email from @live.com users. But they don't set a Reply-to header. That's the test. But that wasn't his question; he asked whether any legitimate mail flows from live.com. That was my answer. :) -- Sahil Tandon [EMAIL

Re: Phishing rules?

2008-11-02 Thread Micah Anderson
Joseph Brennan [EMAIL PROTECTED] writes: Reply-to: [EMAIL PROTECTED] First pass: header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/ score LOCAL_REPLYTO_LIVE 8.0 Maybe scoring 8.0 for one thing scares you, but I haven't seen this fp in a couple of months. Is live.com a

Re: Phishing rules?

2008-11-02 Thread Micah Anderson
SM [EMAIL PROTECTED] writes: At 07:56 01-11-2008, Micah Anderson wrote: Here is an example one I received recently, note the hideously low bayes score on this one, caused it to autolearn as ham even, grr. [snip] X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW

Re: Phishing rules?

2008-11-02 Thread Micah Anderson
Karsten Bräckelmann [EMAIL PROTECTED] writes: On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote: Joseph Brennan [EMAIL PROTECTED] writes: Do you mean attempts to get your users to send their passwords, or fake mail pretending to be from banks? I mean attempts to get my users to

Re: Phishing rules?

2008-11-02 Thread Sahil Tandon
Micah Anderson [EMAIL PROTECTED] wrote: Joseph Brennan [EMAIL PROTECTED] writes: Reply-to: [EMAIL PROTECTED] First pass: header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/ score LOCAL_REPLYTO_LIVE 8.0 Maybe scoring 8.0 for one thing scares you, but I haven't

Re: Phishing rules?

2008-11-02 Thread Joseph Brennan
Sahil Tandon [EMAIL PROTECTED] wrote: We get some legitimate email from @live.com users. But they don't set a Reply-to header. That's the test. Joseph Brennan Lead Email Systems Engineer Columbia University Information Technology

Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Randy [EMAIL PROTECTED] writes: Micah Anderson wrote: Sadly, I do not have an example I can share at the moment, as I typically delete them in a rage after training my bayes filter on them. However, I am looking for any suggestions of other things I can turn on... in particular, are there

Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Karsten Bräckelmann [EMAIL PROTECTED] writes: On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: postfix is doing: reject_rbl_client b.barracudacentral.org,

Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Joseph Brennan [EMAIL PROTECTED] writes: Micah Anderson [EMAIL PROTECTED] wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: Do you mean attempts to get your users to send their passwords, or fake mail pretending to be

Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Brent Clark [EMAIL PROTECTED] writes: Hiya See SA examples http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists Also add hostkarma.junkemailfilter.com to your DNSBL. Thanks, I'll add this to my local.cf and see how it goes. Another thing I do find useful is adding additional

Re: Phishing rules?

2008-11-01 Thread SM
At 07:56 01-11-2008, Micah Anderson wrote: Here is an example one I received recently, note the hideously low bayes score on this one, caused it to autolearn as ham even, grr. [snip] X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham

Re: Phishing rules?

2008-11-01 Thread Joseph Brennan
Reply-to: [EMAIL PROTECTED] First pass: header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/ score LOCAL_REPLYTO_LIVE 8.0 Maybe scoring 8.0 for one thing scares you, but I haven't seen this fp in a couple of months. Joseph Brennan Columbia University Information

Re: Phishing rules?

2008-11-01 Thread Joseph Brennan
Micah Anderson [EMAIL PROTECTED] wrote: I mean attempts to get my users to send their passwords, are these not called phishing? micah Yes, it's phishing, but for those you might want to make local rules to catch things specific to your own web mail system and domain. I find myself

Re: Phishing rules?

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote: Joseph Brennan [EMAIL PROTECTED] writes: Do you mean attempts to get your users to send their passwords, or fake mail pretending to be from banks? I mean attempts to get my users to send their passwords, are these not called

Re: Phishing rules?

2008-11-01 Thread Joseph Brennan
Karsten Bräckelmann [EMAIL PROTECTED] wrote: Anyway, can't you educate your users Experience tells me the answer is no, or at least a qualified no. And we're supposed to have smart people here. I suppose the number of responses might be even higher if we did not try to educate people.

Re: Phishing rules?

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 18:01 -0400, Joseph Brennan wrote: Karsten Bräckelmann [EMAIL PROTECTED] wrote: Anyway, can't you educate your users [...] Experience tells me the answer is no, or at least a qualified no. And we're supposed to have smart people here. I suppose the number of

Re: Phishing rules?

2008-11-01 Thread Byung-Hee HWANG
Micah Anderson wrote: [...] Report them where exactly? Here is an example one I received recently, note the hideously low bayes score on this one, caused it to autolearn as ham even, grr. From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008

Re: Phishing rules?

2008-10-31 Thread Jeff Chan
On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: [...] I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand pulls in the 25_uribl.cf

Re: Phishing rules?

2008-10-31 Thread Brent Clark
Hiya See SA examples http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists Also add hostkarma.junkemailfilter.com to your DNSBL. Works really well. Another thing I do find useful is adding additional higher valued MX records. http://www.junkemailfilter.com/spam/support.html HTH

Re: Phishing rules?

2008-10-31 Thread Micah Anderson
* Jeff Chan [EMAIL PROTECTED] [2008-10-31 02:36-0400]: On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: [...] I've got spamassassin 3.2.5 with URIBL

Phishing rules?

2008-10-30 Thread Micah Anderson
I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: postfix is doing: reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client list.dsbl.org, I've got

Re: Phishing rules?

2008-10-30 Thread Randy
Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: postfix is doing: reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client

Re: Phishing rules?

2008-10-30 Thread Bill Landry
Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: postfix is doing: reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client

Re: Phishing rules?

2008-10-30 Thread Karsten Bräckelmann
On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: postfix is doing: reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org,

Re: Phishing rules?

2008-10-30 Thread Kelson
Micah Anderson wrote: reject_rbl_client list.dsbl.org, DSBL has shut down, and you should remove the query from your list. It won't help with the phishing, but it'll free up some network resources. Info: http://dsbl.org/node/3 I've got clamav pulling signatures updated

Re: Phishing rules?

2008-10-30 Thread Joseph Brennan
Micah Anderson [EMAIL PROTECTED] wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: Do you mean attempts to get your users to send their passwords, or fake mail pretending to be from banks? Joseph Brennan Lead Email

Anti-phishing rules?

2006-01-19 Thread Sarang Gupta
I've noticed that many phishing emails contain URLs with one of these two formats: http://trusteddomain.com.fakedomain.xx/... http://fakedomain.xx/.../trusteddomain.com/ where .xx is any TLD and ... is any series of characters. More specifically, the trusted domain usually ends in .com

Paypal phishing rules

2005-06-26 Thread Craig McLean
Hi all, I've been tinkering with this rule for a while, and have got to the point where it seems to do what I want, but I can't see the wood for the trees so I'd appreciate comments for improvement from fresh eyes, and people with a different spam/ham corpus to me. It has 3 checks: 1) Mail is