Re: [exim] Phishing Targets

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [exim] Phishing Targets
On 30 Jun 2005 at 6:52, Marc Perkel wrote about
    "Re: [exim] Phishing Targets":


| Thanks - I'm running ClamAV but what I'm trying to block isn't viruses.
| I'm trying to block phishing attempts where the users are tricked into
| giving up their account info.


Understood. ClamAV does detect phishing attempts, perhaps only if
you enable ScanHTML (which is enabled by default). Eg:

reject-20050620:2005-06-20 19:46:59 1DkYmx-0001T4-Dr H=globalrxstore.com [64.136.56.111] F=<paul@???> rejected after DATA: This message contains malware (HTML.Phishing.Auction-68)
reject-20050620:2005-06-20 19:51:09 1DkYqs-0001Tc-CY H=201-26-173-140.dial-up.telesp.net.br [201.26.173.140] F=<identdep_op46@???> rejected after DATA: This message contains malware (HTML.Phishing.Bank-1)
reject-20050624:2005-06-24 13:43:16 1Dlv1A-0000CC-9W H=host-66-59-229-17.lcinet.net (dns2.montgomerycreative.com) [66.59.229.17] F=<root@???> rejected after DATA: This message contains malware (HTML.Phishing.Pay-33)

But since it's signature based, it certainly can't catch them all.
My casual observation is that it isn't nearly as good at catching
phish as it is at other malware, which I don't find surprising.

Similarly, your heuristic won't help with new phish that use
different sender domains. But it should catch new phish using the
usual suspects, like the PayPal phish that Clam missed today.

| I did find a list and typed in the biggest names.

|...

FWIW, of the last 10 phish that Clam did catch here, your list would
have caught three (two southtrust & one lasallebank).

- Fred
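As an added illustration (not code from the thread or from the exim project), the following parses the exim reject-log format Fred quotes and measures how many ClamAV HTML.Phishing hits a sender-domain brand heuristic like Marc's would also have caught. The log lines, hostnames, sender addresses and the brand list are all constructed for the example.

```python
import re

# Constructed sample lines in the exim reject-log format quoted above.
# Hosts, IPs and senders are invented; only the layout follows the real log.
SAMPLE_LOG = """\
2005-06-20 19:46:59 1DkYmx-0001T4-Dr H=mail.example.net [192.0.2.10] F=<paul@example.net> rejected after DATA: This message contains malware (HTML.Phishing.Auction-68)
2005-06-20 19:51:09 1DkYqs-0001Tc-CY H=dialup.example.org [192.0.2.20] F=<alerts@southtrust-secure.example> rejected after DATA: This message contains malware (HTML.Phishing.Bank-1)
2005-06-24 13:43:16 1Dlv1A-0000CC-9W H=host.example.com (helo.example.com) [192.0.2.30] F=<root@example.com> rejected after DATA: This message contains malware (HTML.Phishing.Pay-33)
2005-06-24 14:02:01 1Dlv1B-0000CD-9X H=relay.example.com [192.0.2.40] F=<> rejected after DATA: This message contains malware (Worm.Example.A)
"""

# Brand keywords a sender-domain heuristic might look for (constructed list).
BRANDS = ["paypal", "southtrust", "lasallebank"]

# Layout: timestamp, message id, H=host [optional (helo)] [ip], F=<sender>,
# then the reject reason with the ClamAV signature name in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) "
    r"H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected after DATA: .*\((?P<sig>[^)]+)\)$"
)


def parse_reject_log(text):
    """Return one dict per parseable reject-log line; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def sender_matches_brand(sender, brands):
    """True if the sender's domain part contains any brand keyword.
    An empty (bounce) sender never matches."""
    if "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1].lower()
    return any(b in domain for b in brands)


def coverage(entries, brands):
    """(ClamAV phishing hits, how many the sender heuristic would also flag)."""
    phish = [e for e in entries if e["sig"].startswith("HTML.Phishing.")]
    overlap = [e for e in phish if sender_matches_brand(e["sender"], brands)]
    return len(phish), len(overlap)


if __name__ == "__main__":
    hits, overlap = coverage(parse_reject_log(SAMPLE_LOG), BRANDS)
    print(f"ClamAV phish: {hits}, also caught by sender heuristic: {overlap}")
```

The worm line is parsed but excluded from the phishing count, and the empty bounce sender shows why the heuristic needs a domain part before matching.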