Re: [exim] Phishing Targets

Inizio della pagina
Delete this message
Reply to this message
Autore: Marc Perkel
Data:  
To: exim-users
Oggetto: Re: [exim] Phishing Targets
Thanks - I'm running ClamAV but what I'm trying to block isn't viruses.
I'm trying to block phishing attempts where the users are tricked into
giving up their account info. I did find a list and typed in the biggest
names.

This is my initial list:


2checkout.com
2co.com
amazon.com
banknorth.com
bankofamerica.com
bankofoklahoma.com
bankofthewest.com
barclays.co.uk
capitalone.com
charteronebank.com
charterone.com
citibank.com
citizensbank.com
commercebank.com
ebay.com
e-gold.com
fleetbank.com
hsbc.co.uk
huntington.com
keybank.com
lasallebank.com
lloydstsb.co.uk
mbna.com
paypal.com
regionsbank.com
smithbarney.com
southtrust.com
suntrust.com
tcfbank.com
unionplanters.com
usbank.com
visa.com
wamu.com
wellsfargo.com

This is the ACL I'm testing it with - but I hope to change the warn into
a drop.

warn    message    = X-Verify-failure: Sender domain does not match 
received hosts! $sender_address_domain
    log_message = Fraud - Sender domain does not match received hosts! 
$sender_address_domain
    senders = *@dbm;/etc/exim/run/verifylist.db
    !condition = ${if 
match{$h_Received:}{$sender_address_domain}{true}{false}}


The idea is that if the sender is in this list then I compare the
senders domain to the received lines and if it doesn't match - it's
phishing. It should catch a lot of it.


Odhiambo G. Washington wrote:

>* Marc Perkel <marc@???> [20050630 00:42]: wrote:
>
>
>Hi Marc,
>
>I looked at my rejectlog and found these mentions: southtrust.com
>gte.net lasallebank.com - rejectlog because clamav detected and rejected
>them.
>So you'd be better of running ClamAv as your malware scanner.
>No need to reinvent a wheel, but yeah, if you believe yours will be
>better, then why not? ;)
>
>