On Fri, May 1, 2009 at 7:52 AM, Jesse Thompson <jesse.thomp...@doit.wisc.edu> wrote:
> Yet Another Ninja wrote:
>>
>> I'm trying hard to convince myself this data is really useful.

I work for a Canadian provincial government, on a system with about 50,000 mailboxes. I scanned our outbound mail logs over the past 6 months with this data. There were 31 replies to "Your webmail is expired!! !" type messages in that period. If we had been blocking outbound mail based on this list, the two compromised accounts we had to deal with (one of which made the list in its turn) wouldn't have happened. I definitely see value here.

>> compared to the big_boyz my trap feed is quite small and I collected 1598
>> entries during the last 4 hrs
>
> Hello Yet Another Ninja,
>
> "big_boyz": as in a small collection of university postmasters? I guess we
> should be honored, but I have a feeling that you were being condescending.

I got the impression he was talking about the major RBL providers (spamhaus, spamcop), and the commercial filtering vendors.

[snip]

> Even the largest password-reply phishing campaign we've seen was only sent
> to 2500 of our users (and that was using the same reply-to). On average, we
> see around 200 messages (30 unique reply-to's; not all new) of this type of
> phishing attempt every day. I assume that the other universities see
> something similar.

After I spend some more time evaluating things, and looking for this specific type of campaign, I'm planning to start blocking outbound mail based on your list. If I develop some tools for finding the campaigns I'd be happy to contribute the messages.

Austin.
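
The kind of outbound-log scan described in the message above, as an added example that is not part of the original post or of the list project's tooling: it correlates sender and recipient lines by queue ID and reports local users who wrote to a listed reply-to address. The Postfix-style log format, the one-address-per-line list format, and all addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed list entries (assumed format: one address per line, # for comments).
REPLY_TO_LIST = """\
# constructed entries, not real indicators
webmail-upgrade@phish.example
Helpdesk.Team@mailbox.example
"""

# Constructed Postfix-style outbound log lines (the MTA is an assumption).
SAMPLE_LOG = """\
May  1 07:40:11 mx1 postfix/qmgr[2101]: 3A9F1C2: from=<alice@gov.example>, size=2210, nrcpt=1 (queue active)
May  1 07:40:12 mx1 postfix/smtp[2188]: 3A9F1C2: to=<helpdesk.team@mailbox.example>, relay=mx.mailbox.example[192.0.2.10]:25, delay=0.9, status=sent (250 ok)
May  1 07:41:30 mx1 postfix/qmgr[2101]: 7C04D11: from=<bob@gov.example>, size=1804, nrcpt=2 (queue active)
May  1 07:41:31 mx1 postfix/smtp[2190]: 7C04D11: to=<partner@vendor.example>, relay=mx.vendor.example[192.0.2.20]:25, delay=0.4, status=sent (250 ok)
May  1 07:41:31 mx1 postfix/smtp[2191]: 7C04D11: to=<WEBMAIL-UPGRADE@phish.example>, relay=none, delay=0.2, status=deferred (connect timed out)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): to=<([^>]*)>.*?status=(\w+)")

def load_list(text):
    """Return lower-cased addresses, skipping blank lines and # comments."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def find_replies(log_text, listed):
    """Map each sender to the (listed recipient, delivery status) pairs seen."""
    sender_by_qid = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:  # remember who submitted this queue ID
            sender_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        # Compare case-insensitively; deferred or bounced attempts still count,
        # because the user tried to answer the phish even if delivery failed.
        if m and m.group(2).lower() in listed:
            sender = sender_by_qid.get(m.group(1), "<unknown sender>")
            hits[sender].append((m.group(2).lower(), m.group(3)))
    return dict(hits)

if __name__ == "__main__":
    for sender, found in find_replies(SAMPLE_LOG, load_list(REPLY_TO_LIST)).items():
        print(sender, found)
```

Each sender reported is an account worth a password reset and a review of its recent logins, whether or not the reply was actually delivered.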