Re: [exim] Phishing Targets

Author: Ian Eiloart
To: Marc Perkel, exim-users
Subject: Re: [exim] Phishing Targets


--On 30 June 2005 06:52:18 -0700 Marc Perkel <marc@???> wrote:

> Thanks - I'm running ClamAV but what I'm trying to block isn't viruses.


Yeah, but ClamAV blocks phish bait AND viruses.

<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=phish&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=Submit&.cgifields=database&.cgifields=case-sensitivity&.cgifields=search-type&.cgifields=display>

> I'm trying to block phishing attempts where the users are tricked into
> giving up their account info. I did find a list and typed in the biggest
> names.
>
> This is my initial list:
>
>
> 2checkout.com
> 2co.com
> amazon.com
> banknorth.com
> bankofamerica.com
> bankofoklahoma.com
> bankofthewest.com
> barclays.co.uk
> capitalone.com
> charteronebank.com
> charterone.com
> citibank.com
> citizensbank.com
> commercebank.com
> ebay.com
> e-gold.com
> fleetbank.com
> hsbc.co.uk
> huntington.com
> keybank.com
> lasallebank.com
> lloydstsb.co.uk
> mbna.com
> paypal.com
> regionsbank.com
> smithbarney.com
> southtrust.com
> suntrust.com
> tcfbank.com
> unionplanters.com
> usbank.com
> visa.com
> wamu.com
> wellsfargo.com
>
> This is the ACL I'm testing it with - but I hope to change the warn into
> a drop.
>
> warn    message     = X-Verify-failure: Sender domain does not match received hosts! $sender_address_domain
>         log_message = Fraud - Sender domain does not match received hosts! $sender_address_domain
>         senders     = *@dbm;/etc/exim/run/verifylist.db
>         !condition  = ${if match{$h_Received:}{$sender_address_domain}{true}{false}}
>
> The idea is that if the sender is in this list then I compare the senders
> domain to the received lines and if it doesn't match - it's phishing. It
> should catch a lot of it.
>
>
> Odhiambo G. Washington wrote:
>
>> * Marc Perkel <marc@???> [20050630 00:42]: wrote:
>>
>>
>> Hi Marc,
>>
>> I looked at my rejectlog and found these mentions: southtrust.com
>> gte.net lasallebank.com - in the rejectlog because ClamAV detected and rejected
>> them.
>> So you'd be better off running ClamAV as your malware scanner.
>> No need to reinvent a wheel, but yeah, if you believe yours will be
>> better, then why not? ;)
>>

--
Ian Eiloart
Servers Team
Sussex University ITS
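The check Marc describes (sender domain on a watchlist, then look for that domain in the Received: trace) is easy to exercise offline. The following is an added example, not code from the thread or from Exim: it reproduces the quoted ACL's condition as `loose_match` and sets a stricter variant beside it, run over a few constructed messages. Assumptions: the watchlist is a small subset of Marc's list rather than the dbm file, the message samples are made up for the demonstration, the first token after `from` in the Received: header is the name the receiving MTA recorded for the connecting host, and only the topmost Received: line (the one our own MTA wrote) is trusted.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List

# Constructed watchlist: a handful of the domains from Marc's list. In the real ACL the
# list lives in /etc/exim/run/verifylist.db; loading that dbm is out of scope here.
WATCHLIST = {"paypal.com", "ebay.com", "bankofamerica.com", "citibank.com"}

# First token after "from" in a Received: header. Assumption: the receiving MTA writes the
# reverse-DNS name of the connecting host there (Exim does when the lookup succeeds). A
# bare HELO name would not be trustworthy, because the connecting client chooses it.
_FROM_HOST = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain of the envelope sender (Return-Path), the value Exim exposes as
    $sender_address_domain; falls back to From: for a message without one."""
    addr = (msg.get("Return-Path") or msg.get("From", "")).strip().strip("<>")
    return addr.rpartition("@")[2].lower()


def loose_match(domain: str, received: List[str]) -> bool:
    """Mirror of `${if match{$h_Received:}{$sender_address_domain}}`: all Received:
    headers are joined (as $h_Received: is) and the domain is used as an unanchored
    regex, so '.' matches any character (paypal.com also matches paypal-com) and the
    domain may appear anywhere, in any hop, including hops the sender forged."""
    return re.search(domain, "\n".join(received)) is not None


def strict_match(domain: str, received: List[str]) -> bool:
    """Only the topmost Received: header was written by our own MTA; everything below
    it arrived with the message and can be forged. Require that hop's host to be the
    domain itself or a host under it, compared as a DNS label suffix, not a substring."""
    if not received:
        return False
    m = _FROM_HOST.search(received[0])
    if m is None:
        return False
    host = m.group(1).lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(raw: str, check: Callable[[str, List[str]], bool]) -> str:
    """Outcome of the ACL for one message: 'not watched' (senders= did not match),
    'accept', or 'fraud' (the warn, or later drop, branch fires)."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    if domain not in WATCHLIST:
        return "not watched"
    return "accept" if check(domain, msg.get_all("Received", [])) else "fraud"


# Constructed sample messages (headers only matter; bodies are filler).
SAMPLES: Dict[str, str] = {
    # genuine: the connecting host really is under paypal.com
    "legit": """Return-Path: <service@paypal.com>
Received: from mx1.paypal.com (mx1.paypal.com [192.0.2.10]) by mx.example.org with esmtp; Thu, 30 Jun 2005 14:00:00 +0100
From: PayPal <service@paypal.com>
Subject: Your receipt

Thanks for your payment.
""",
    # classic phish: watched sender domain, delivered from an unrelated host
    "phish": """Return-Path: <service@paypal.com>
Received: from dsl-203-0-113-5.example.net ([203.0.113.5]) by mx.example.org with esmtp; Thu, 30 Jun 2005 14:05:00 +0100
From: PayPal <service@paypal.com>
Subject: Please confirm your account

Click here to confirm.
""",
    # lookalike host: contains the string paypal.com but is not under that domain
    "lookalike": """Return-Path: <service@paypal.com>
Received: from paypal.com.attacker.example ([203.0.113.7]) by mx.example.org with esmtp; Thu, 30 Jun 2005 14:10:00 +0100
From: PayPal <service@paypal.com>
Subject: Security notice

Verify now.
""",
    # forged inner hop: the sender added a fake earlier Received: line naming mx1.paypal.com
    "forged": """Return-Path: <service@paypal.com>
Received: from evil.attacker.example ([203.0.113.9]) by mx.example.org with esmtp; Thu, 30 Jun 2005 14:15:00 +0100
Received: from mx1.paypal.com by evil.attacker.example with smtp; Thu, 30 Jun 2005 14:14:00 +0100
From: PayPal <service@paypal.com>
Subject: Account limited

Restore access.
""",
    # sender domain not on the list: the ACL's senders= condition never matches
    "unwatched": """Return-Path: <bob@example.com>
Received: from mail.example.com ([192.0.2.20]) by mx.example.org with esmtp; Thu, 30 Jun 2005 14:20:00 +0100
From: Bob <bob@example.com>
Subject: Lunch

Noon?
""",
}


def audit(check: Callable[[str, List[str]], bool]) -> Dict[str, str]:
    """Classify every sample with the given matcher."""
    return {name: classify(raw, check) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:10s} loose={classify(SAMPLES[name], loose_match):12s} "
              f"strict={classify(SAMPLES[name], strict_match)}")
```

The two matchers agree on the plain cases and part company on the lookalike host and on the forged inner hop, which the unanchored regex over the whole `$h_Received:` text lets through. In Exim terms the stricter check corresponds to testing the verified name of the connecting host (`$sender_host_name`, with `$sender_host_address` alongside it) rather than grepping the concatenated Received: headers, and that is the form worth having before the `warn` becomes a `drop`.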