Karsten Bräckelmann <[EMAIL PROTECTED]> writes:

> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>>
>> postfix is doing:
>> reject_rbl_client b.barracudacentral.org,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rbl_client list.dsbl.org,
>>
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I'd increase this, at least for the SaneSecurity phish sigs. They are
> being updated much more frequently.

Thanks for the pointer. For some reason I thought I had read on the SaneSecurity site that you shouldn't pull more than once a day, but now after you mentioned it I went and read again and they ask you don't pull more frequently than once an hour... so I've changed that cronjob, that should help.

>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>
> Yes, unless you disable network tests in general. Should be easy to
> answer yourself if they are working, just by grepping for the rule names
> defined in 25_uribl.cf.

Network tests aren't disabled, and yeah I am seeing those rules occur in some of my headers of mail that I can search through, so I think that they are working. I've increased my overall URIBL scoring to 2.5 from the default.

>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>
> So you've pretty much thrown everything at it you could find... ;) And
> they are still slipping through? How many are we talking here? Compared
> to the total number of spam / phish?
>
> Also, how many are being caught? Strikes me as odd that you don't have a
> sample but yet sound like every single one is slipping by.

These are hard for me to answer as I am not doing any analysis of how many are caught. In the last week, I've gotten four of them through, and I've received reports from a number of users that they too have received them. I've just sent a sample to the list however.

> I guess, I would start verifying that all the above actually is working.
> Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's
> share, by far, assuming it comes before SA in your chain.

Yeah, I'm using the clamav-milter, so those get rejected really early on.

Thanks for the ideas,
Micah
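Karsten's suggestion of grepping for the 25_uribl.cf rule names, as an added example that is not part of the thread: a small shell function that unfolds the X-Spam-Status header of a message on stdin and prints the URIBL_* rules that fired, so a mailbox can be checked for whether the URIBL lookups are actually contributing. The header layout follows what SpamAssassin 3.2.x writes; the sample message is constructed, not a real phish.

```shell
#!/bin/sh
# Print the URIBL_* rule names listed in the X-Spam-Status header of the
# message read from stdin. Nothing is printed if the header is absent.
uribl_hits() {
    awk '
        /^X-Spam-Status:/ { found = 1; hdr = $0; next }
        found && /^[ \t]/ { hdr = hdr $0; next }   # folded continuation line
        found { exit }                             # header ended; go to END
        END {
            if (!found) exit
            gsub(/,[ \t]+/, ",", hdr)   # rejoin a tests= list folded after a comma
            sub(/.*tests=/, "", hdr)    # keep only the rule list...
            sub(/[ \t].*/, "", hdr)     # ...up to the next key (autolearn=, version=)
            n = split(hdr, rule, ",")
            for (i = 1; i <= n; i++)
                if (rule[i] ~ /^URIBL_/) print rule[i]
        }'
}

# Number of URIBL_* rules that fired for the message on stdin.
uribl_hit_count() {
    uribl_hits | awk 'END { print NR }'
}

# Constructed sample headers (not a real message); the tests= list is
# folded across two lines the way SA 3.2.x emits long headers.
SAMPLE_MSG='Received: from mail.example.invalid (unknown [192.0.2.10])
X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_99,HTML_MESSAGE,
    URIBL_BLACK,URIBL_JP_SURBL autolearn=no version=3.2.5
Subject: Your account will be suspended

Please confirm your password at the link below.'

# Run against the sample: prints URIBL_BLACK and URIBL_JP_SURBL.
printf '%s\n' "$SAMPLE_MSG" | uribl_hits
```

Feeding a whole maildir through it (`for f in cur/*; do uribl_hit_count < "$f"; done`) gives the caught-versus-missed numbers Karsten asked about.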