* Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:
> Micah Anderson wrote:
>>      reject_rbl_client       list.dsbl.org,
>
> DSBL has shut down, and you should remove the query from your list.  It  
> won't help with the phishing, but it'll free up some network resources.  
> Info: http://dsbl.org/node/3

Thanks, I wasn't aware of that. I'm only using zen.spamhaus now, which
is a shame. I had to remove barracuda because I've already received 3
complaints about false positives. That's a real shame, because it was
blocking about 3x as much as zen was.

>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> Odd, ClamAV + SaneSecurity does a really good job here at blocking phish
> before they even get to SpamAssassin.  We call clamd through MIMEDefang,
> then call SpamAssassin (also through MIMEDefang) if a message passes.
>
> Have you verified that Clam is using the SaneSecurity signatures?  How  
> are you calling ClamAV?

Oh, I'm certainly blocking phishing attempts via the SaneSecurity
signatures, probably 200+ in the last hour alone. However, the phishing
emails that are getting through are not known to their signature
database, and in some cases have been directly targeted at the domain I
am managing. That's why I am interested in rules that look for typical
phishing emails. These emails are usually quite similar in their
construction, so it seems like a good case for rules.

micah
