Thanks - I'm running ClamAV but what I'm trying to block isn't viruses.
I'm trying to block phishing attempts where the users are tricked into
giving up their account info. I did find a list and typed in the biggest
names.
This is my initial list:
2checkout.com
2co.com
amazon.com
banknorth.com
bankofamerica.com
bankofoklahoma.com
bankofthewest.com
barclays.co.uk
capitalone.com
charteronebank.com
charterone.com
citibank.com
citizensbank.com
commercebank.com
ebay.com
e-gold.com
fleetbank.com
hsbc.co.uk
huntington.com
keybank.com
lasallebank.com
lloydstsb.co.uk
mbna.com
paypal.com
regionsbank.com
smithbarney.com
southtrust.com
suntrust.com
tcfbank.com
unionplanters.com
usbank.com
visa.com
wamu.com
wellsfargo.com
This is the ACL I'm testing it with - but I hope to change the warn into
a drop.
warn message = X-Verify-failure: Sender domain does not match
received hosts! $sender_address_domain
log_message = Fraud - Sender domain does not match received hosts!
$sender_address_domain
senders = *@dbm;/etc/exim/run/verifylist.db
!condition = ${if
match{$h_Received:}{$sender_address_domain}{true}{false}}
The idea is that if the sender is in this list then I compare the
senders domain to the received lines and if it doesn't match - it's
phishing. It should catch a lot of it.
Odhiambo G. Washington wrote:
>* Marc Perkel <marc@???> [20050630 00:42]: wrote:
>
>
>Hi Marc,
>
>I looked at my rejectlog and found these mentions: southtrust.com
>gte.net lasallebank.com - rejectlog because clamav detected and rejected
>them.
>So you'd be better of running ClamAv as your malware scanner.
>No need to reinvent a wheel, but yeah, if you believe yours will be
>better, then why not? ;)
>
>
