[Mimedefang] Blocking phishing

Todd Aiken todd.aiken at ubishops.ca
Mon Jan 30 09:55:51 EST 2012


Hi everybody.  Recently I've noticed the amount of phishing attempts at
our site has increased significantly.  Most of them are of the type
claiming to be our helpdesk and indicate to the user that they have
reached their email quota, and need to click a link to send their
credentials to increase the space.  No matter how many times we send
information to our users telling them that we will NEVER ask them for
their username or password, we still get people who click these links and
give out their information.  Their account is then used to send out spam
from our system.

I've set up a script on our Linux gateway to monitor the outgoing Sendmail
queue for any address that has triggered excessive bounces, and to insert
an entry into /etc/mail/access causing mail from that address to tempfail
when it tries to go out.  This causes the particular user's mail to be
backlogged at our Exchange server, where I can examine the messages to
verify they are spam and then clear them if so, and thus limits the amount
of outbound spam that is sent out from our site until I am able to change
the user's password.

I'm just wondering if there are other people on this list that are
experiencing the same type of phishing, and what they are doing to stop
it?  I'm running MIMEDefang with SpamAssassin, ClamAV, NAI (uvscan), and
scamp.sh, and using the following extra ClamAV definitions, but these
phishing messages still get through as ham.

INetMsg-SpamDomains-2m.ndb
crdfam.clamav.hdb
doppelstern.hdb
doppelstern.ndb
honeynet.hdb
junk.ndb
jurlbl.ndb
jurlbla.ndb
lott.ndb
mbl.ndb
phish.ndb
rogue.hdb
sanesecurity.ftm
scam.ndb
scamnailer.ndb
securiteinfo.hdb
securiteinfobat.hdb
securiteinfodos.hdb
securiteinfoelf.hdb
securiteinfohtml.hdb
securiteinfooffice.hdb
securiteinfopdf.hdb
securiteinfosh.hdb
sigwhitelist.ign2
spam.ldb
spamattach.hdb
spamimg.hdb
spear.ndb
spearl.ndb
winnow.attachments.hdb
winnow.complex.patterns.ldb
winnow_extended_malware.hdb
winnow_extended_malware_links.ndb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb


Thanks.


Todd A. Aiken
Systems Analyst & Administrator
ITS Department
BISHOP'S UNIVERSITY
2600 College Street
Sherbrooke, Quebec
CANADA   J1M 1Z7
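The post describes the gateway-side check but does not include the script itself. The following is an added example (not the poster's script and not part of MIMEDefang) of the same idea: count permanent delivery failures per envelope sender from Sendmail's maillog, and emit `From:` entries for /etc/mail/access that tempfail (451) further outbound mail from any sender over a threshold, so the mail backlogs upstream instead of being lost. The log lines, the threshold, and the 451 text are constructed for the example; it assumes the Sendmail `from=`/`to=` logging format and an access_db built with tags (`From:`).

```python
"""Added example: flag compromised senders by bounce count and generate
/etc/mail/access tempfail entries. Not the original poster's script."""
import re
import subprocess
from collections import defaultdict

ACCESS_FILE = "/etc/mail/access"   # path as named in the post
BOUNCE_THRESHOLD = 3               # constructed value; tune per site
# Tempfail (4xx) rather than REJECT so the user's mail queues upstream
# (the post's Exchange server) where it can be inspected and released.
TEMPFAIL_VALUE = "ERROR:4.7.1:451 Outbound mail temporarily held; contact the helpdesk"

# Sendmail logs the envelope sender once per queue id ("from=<...>") and one
# "to=<...>" line per delivery attempt carrying a DSN code and status.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<[^>]*>.*\bdsn=(?P<dsn>\d\.\d+\.\d+)")

# Constructed maillog sample: alice has one ordinary bounce, mallory (a phished
# account) sends to many dead addresses; one deferral (4.x.x) and one "to="
# line whose "from=" line fell outside this log slice must both be ignored.
SAMPLE_LOG = """\
Jan 30 09:40:01 gw sendmail[2001]: q0UEe1aa002001: from=<alice@example.com>, size=812, class=0, nrcpts=2, msgid=<a1@example.com>, relay=mail.example.com [192.0.2.10]
Jan 30 09:40:02 gw sendmail[2002]: q0UEe1aa002001: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120812, relay=mx.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent (OK)
Jan 30 09:40:02 gw sendmail[2002]: q0UEe1aa002001: to=<old@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120812, relay=mx.example.net. [198.51.100.5], dsn=5.1.1, stat=User unknown
Jan 30 09:41:10 gw sendmail[2005]: q0UEf9bb002005: from=<Mallory@example.com>, size=2210, class=0, nrcpts=3, msgid=<m1@example.com>, relay=mail.example.com [192.0.2.10]
Jan 30 09:41:11 gw sendmail[2006]: q0UEf9bb002005: to=<x1@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mx.example.org. [203.0.113.7], dsn=5.1.1, stat=User unknown
Jan 30 09:41:11 gw sendmail[2006]: q0UEf9bb002005: to=<x2@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mx.example.org. [203.0.113.7], dsn=5.1.1, stat=User unknown
Jan 30 09:41:40 gw sendmail[2006]: q0UEf9bb002005: to=<x3@example.org>, delay=00:00:30, xdelay=00:00:30, mailer=esmtp, pri=122210, relay=mx2.example.org. [203.0.113.8], dsn=4.4.1, stat=Deferred: Connection timed out
Jan 30 09:42:00 gw sendmail[2007]: q0UEg0cc002007: from=<mallory@example.com>, size=2210, class=0, nrcpts=2, msgid=<m2@example.com>, relay=mail.example.com [192.0.2.10]
Jan 30 09:42:01 gw sendmail[2008]: q0UEg0cc002007: to=<x4@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mx.example.net. [198.51.100.5], dsn=5.7.1, stat=Service unavailable
Jan 30 09:42:01 gw sendmail[2008]: q0UEg0cc002007: to=<x5@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mx.example.net. [198.51.100.5], dsn=5.1.1, stat=User unknown
Jan 30 09:42:30 gw sendmail[2009]: q0UEd9zz001999: to=<someone@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120000, relay=mx.example.org. [203.0.113.7], dsn=5.1.1, stat=User unknown
"""


def count_bounces(log_text):
    """Return {envelope sender: number of permanent (5.x.x) delivery failures}."""
    sender_of = {}               # queue id -> envelope sender
    bounces = defaultdict(int)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_of[m.group("qid")] = m.group("addr").lower()
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        sender = sender_of.get(m.group("qid"))
        if sender is None:       # from= line not in this slice of the log
            continue
        if m.group("dsn").startswith("5."):   # only permanent failures count
            bounces[sender] += 1
    return dict(bounces)


def access_entries(bounces, threshold=BOUNCE_THRESHOLD):
    """Access-db lines (key<TAB>value) for senders at or over the threshold."""
    return [f"From:{sender}\t{TEMPFAIL_VALUE}"
            for sender, n in sorted(bounces.items()) if n >= threshold]


def merge_entries(existing_text, entries):
    """Append entries whose key is not already present; return (text, added)."""
    present = {l.split(None, 1)[0] for l in existing_text.splitlines() if l.strip()}
    added = [e for e in entries if e.split(None, 1)[0] not in present]
    out = existing_text
    if out and not out.endswith("\n"):
        out += "\n"
    return out + "".join(e + "\n" for e in added), added


def rebuild_access_db(path=ACCESS_FILE):
    """Rebuild access.db after editing the text file (root; not run in the demo)."""
    with open(path) as src:
        subprocess.run(["makemap", "hash", path], stdin=src, check=True)


if __name__ == "__main__":
    import sys
    log_text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for entry in access_entries(count_bounces(log_text)):
        print(entry)
```

Run it with no input to see the entry generated from the constructed sample, or pipe a real maillog slice on stdin (for instance the last hour) from cron; in production the output is merged into the access file and `makemap` rerun, after which the flagged user's outbound mail tempfails until the entry is removed once the password has been changed. Counting only 5.x.x DSNs keeps transient deferrals from a slow remote MX from tripping the threshold.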
