We've seen some of it with our webmail too. When one of your users gives out their password and you notice their account being abused, look in the message headers or apache logs to see where the perp is. We've seen them mostly to be from Africa, Nigeria probably. I've taken to blocking their /16 on our webmail server, and after a dozen or so IP ranges added, it's stopped. They have a lot of time on their hands and phish so they can spam. Who knows what else they do with data collected from the naive.
On Sat, Apr 25, 2009 at 09:13:52AM -0400, Casartello, Thomas wrote:
> Well by "hacked" I mean people that have fallen for the phishing and
> have sent their username and password. When I notice it on our
> network, we immediately reset the password and inform the user. But
> the emails we get are coming from other colleges where users have
> given away their passwords.
>
> -----Original Message-----
> From: SM [mailto:s...@resistor.net]
> Sent: Saturday, April 25, 2009 1:03 AM
> To: users@spamassassin.apache.org
> Subject: Re: Phishing
>
> At 17:05 24-04-2009, Casartello, Thomas wrote:
> >One major issue we've been having lately is with phishing emails
> >being targeted at us. They're being sent to us from hacked accounts
> >at other educational institutes. The message usually is about "Your
> >EDU webmail account is expiring. Please send us your username and
> >password to fix it." We've had some users fall for it, then their
> >Exchange account gets turned into a spam machine (sending out usual
> >junk spam as well as the original phishing message.) Because they
> >are coming from legitimate sites, it's been very difficult to block
> >these messages. I've been trying to write phrase rules with common
> >words used in the message, but whoever's responsible for this is
> >continually changing the message to prevent you from being able to
> >catch them with phrase rules. Any thoughts?
>
> There was a project from an educational institution to target
> phishing emails. I don't recall the name of the project or whether
> the source code was released.
>
> It is going to be a lot of work to keep the rules updated to catch
> these emails. Analyze the emails instead of trying to apply the
> usual techniques to catch them. Instead of considering the emails as
> coming from legitimate sites, you should treat that as a data point
> as part of the patterns to identify. The words in the emails might
> change but the sender relies on some information for the phish to
> work. You should be able to parse the mail traffic for that
> information. BTW, there is a larger problem if there are "hacked"
> accounts available on the sending network and on your network.
>
> Regards,
> -sm

--
/* Jason Philbrook   | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ            | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/    | for Midcoast Maine http://www.midcoast.com/ */
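The first paragraph's approach (find where a compromised webmail account is being used from in the apache logs, then group the sources by /16) as an added example; this is not the poster's script, and it assumes the webmail sits behind HTTP auth so the `%u` field of the combined log carries the username, and a constructed campus address range.

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache combined-log lines (not taken from the original post).
# Assumes the webmail is behind HTTP auth, so the %u field holds the login.
SAMPLE_LOG = """\
198.51.100.7 - jdoe [25/Apr/2009:08:01:12 -0400] "GET /webmail/inbox HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - jdoe [25/Apr/2009:08:05:40 -0400] "POST /webmail/compose HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.46 - jdoe [25/Apr/2009:08:06:02 -0400] "POST /webmail/compose HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.99 - asmith [25/Apr/2009:08:09:15 -0400] "GET /webmail/inbox HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - jdoe [25/Apr/2009:08:40:00 -0400] "POST /webmail/compose HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed campus address space; requests from anywhere else are "off campus".
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def hits_for_user(log_text, user):
    """Return (client_ip, path) for every logged request made as `user`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") == user:
            hits.append((ipaddress.ip_address(m.group("ip")), m.group("path")))
    return hits

def is_campus(ip):
    return any(ip in net for net in CAMPUS_NETS)

def offcampus_ranges(hits, prefix=16):
    """Count off-campus requests per /prefix block. The post blocks per /16;
    a coarser prefix means more collateral, so review before blocking."""
    counts = Counter()
    for ip, _path in hits:
        if not is_campus(ip):
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts

if __name__ == "__main__":
    # Report where the (compromised) account jdoe is being driven from.
    for net, n in offcampus_ranges(hits_for_user(SAMPLE_LOG, "jdoe")).most_common():
        print(f"{net}\t{n} request(s)")
```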