Re: [exim] Anti Phishing ACL

Author: neil
Date:
To: W B Hacker
CC: exim users
Subject: Re: [exim] Anti Phishing ACL

W B Hacker wrote:
> neil wrote:
>
>> Hi;
>> I've been trying to stop these bank phishing mails. Rather than trying
>> to get the banks to implement DK, DKIM or SPF so I can check against
>> that, I have the snippet below.
>>
>> I was wondering if this is of any use to anyone else or if it could be
>> made better. I've checked the list and cant see anything similar.
>>
>>
>
> There may be sound reason for that.
>
> - For the most part, phishing will come from criminally-run zombot farms.
>
> - As these are generally compromised Winboxen, not compromised 'proper'
> MTA, vanishingly few will have a valid PTR RR - e.g. will not survive
> forward/reverse DNS, rDNS, FQDN HELO, or RBL checks.
>

We do DNS, RBL checks, HELO checks, rate limiting, sender/recipient
verify etc., etc., before they reach clam and SA,
but some slip through.

At the time of writing this, the IP 201.134.16.230 is not listed in any
RBL (according to robtex); it also has valid HELO and DNS entries. It
will fail sender verify checks, but my ACL entry is before that check, as
it is quicker to do a cached DNS lookup than a callout via SMTP.

2008-10-30 11:53:39 H=dns01.labmoreira.com.mx (mail.labmoreira.com)
[201.134.16.230] F=<onlineservices@???>

> - For those that might do so, perhaps by commandeering MUA UID:PWD and
> AUTH'ing and relaying thru the victim's ISP, ClamAV, to name just one,
> will catch many of the survivors.
> We don't let those pass any further, so SpamAssassin sees even fewer.
>
> Those few, when pulled up from logs and such, were found to not even be
> *attempting* to forge a bank as a source at the level Exim 'sees'.
>
> Only in the message body did they do that. And badly so.
>
> Now - given our extensive blocking before they get into the front
> hallway, I have only a minuscule sample (17 in the past 12 months) on
> which to base that last part.
>
> But that was, after all, the purpose of the stringent qualifying of
> correspondent 'servers' in the first instance.
>
> Bottom Line:
>
> Your submitted code would have the most value where, and only where,
> more general - and 'resource cheaper' - anti-bot filtering was absent,
> or had to be bypassed for one or more clients who insist they must never
> risk losing an incoming message, no matter how 'dirty' the source.
>

I've not proposed a magic bullet to stop all phishing, merely added
another check to the rcpt acl, that may be of use to some people in
certain cases. Just another tool in the tool kit. If it can be improved
on or there are any fatal flaws, then point them out.

Rgds
n

> Those folks cannot be protected effectively by ordinary means.
>
> JM2CW,
>
> Bill Hacker
>
>
>> ## set up a list of banks: an lsearch file, one domain per line, lines
>> ## starting with '#' are comments. partial-lsearch looks up the exact
>> ## domain first and then '*.parent' keys, so a bank's subdomains are only
>> ## matched if the file also carries a '*.bank.example' entry
>> domainlist banks            = partial-lsearch;/usr/exim/banks
>>
>> acl_check_rcpt:
>>
>> ## if they send from a bank domain but not from a bank IP then drop them.
>> ## Conditions are tested in order, so the two DNS list lookups only run
>> ## for senders that already matched +banks.
>> ## Override with our local white list for companies that do mail shots
>> ## for banks.
>> ## Caveat: Exim treats a DNS list lookup that fails or times out as
>> ## "not listed", so a transient failure reaching the whitelist would make
>> ## this statement drop genuine bank mail.
>>
>>   drop log_message     = DENIED BANK PHISHING from: $sender_address @ $sender_host_address
>>        message         = DENIED $sender_address @ $sender_host_address \
>>                          You appear to be Phishing.\n\
>>                          $tod_full on host $interface_address
>>        sender_domains  = +banks
>>        !dnslists       = list.dnswl.org=127.0.2.0,127.0.2.1,127.0.2.2,127.0.2.3
>>        !dnslists       = my-local-whitelist.example.com
>>
>>
>>
>> Note: Not all UK banks are in DNSWL. When I can be certain of the
>> sending IPs of the commented-out banks then I will add them to our white
>> list.
>>
>> cat /usr/exim/banks
>>
>> #abbey.co.uk
>> #abbeynational.co.uk
>> #abbey.com
>> alliance-leicester.co.uk
>> americanexpress.com
>> #barclays.com
>> barclays.co.uk
>> egg.com
>> halifax.co.uk
>> #hsbc.co.uk
>> hsbc.com
>> #lloydstsb.co.uk
>> lloydstsb.com
>> #natwest.com
>> #natwest.co.uk
>> #nwolb.com
>> paypal.com
>> rbs.com
>> #rbs.co.uk
>> #rbsdigital.com
>> #rbsdigital.co.uk
>> #sainsburysonline.com
>> #ybonline.co.uk
>>
>> I have log entries like:
>>
>> 2008-10-30 11:53:39 H=dns01.labmoreira.com.mx (mail.labmoreira.com)
>> [201.134.16.230] F=<onlineservices@???> rejected
>> RCPT <USER1@???>: DENIED BANK PHISHING from:
>> onlineservices@??? @ 201.134.16.230
>>
>> 2008-10-30 11:53:40 H=(221-128-205-92.static.exatt.net)
>> [221.128.206.156] F=<customer_support-num-095pc@???> rejected
>> RCPT <USER2@???>: DENIED BANK PHISHING from:
>> customer_support-num-095pc@??? @ 221.128.206.156
>>
>> 2008-10-30 11:53:40 H=bb121-6-53-48.singnet.com.sg (lloydstsb.com)
>> [121.6.53.48] F=<onlinesupport_ref_832ppn@???> rejected RCPT
>> <USER3@???>: DENIED BANK PHISHING from:
>> onlinesupport_ref_832ppn@??? @ 121.6.53.48
>>
>> (I have replaced recipients USER name and DOMAIN for privacy.)
>>
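The decision the quoted ACL statement makes, modelled offline as an added example. This is not Exim code and not neil's configuration: it emulates just the Exim behaviour the statement relies on (partial-lsearch key matching with the default partial2 and '*.' prefix, the value match of a dnslists condition, and the rule that a failed or timed-out DNS list lookup counts as "not listed") and runs it over constructed connections with RFC 5737 addresses and made-up DNS answers. The bank file is a shortened copy of the one in the thread plus a '*.barclays.co.uk' key; the function names, the DNS_TIMEOUT marker and the sample data are all assumptions of this example. It shows which connections are dropped, that a non-bank sender costs no DNS lookups, that a bank subdomain is only caught via the '*.' key, and that a DNSWL timeout switches the exemption off.

```python
"""Offline model of the "claims a bank domain but is not a whitelisted host"
RCPT ACL statement.  Hypothetical example, not Exim source: it emulates only
the behaviour the statement leans on so the decision can be run without a
mail server or network.  All DNS answers and addresses are constructed."""
from typing import Dict, List, Optional, Tuple, Union

# Constructed stand-in for /usr/exim/banks ('#' lines are lsearch comments).
# '*.barclays.co.uk' is added: partial-lsearch reaches subdomains only via '*.' keys.
BANKS_FILE = """\
#abbey.co.uk
barclays.co.uk
*.barclays.co.uk
hsbc.com
lloydstsb.com
paypal.com
"""
# list.dnswl.org answers are 127.0.<category>.<trust>; the statement only
# exempts category 2 (financial services), at any trust level.
DNSWL_FINANCIAL = {"127.0.2.0", "127.0.2.1", "127.0.2.2", "127.0.2.3"}
DNS_TIMEOUT = "TIMEOUT"          # marker (ours) for a failed or timed-out lookup
Answers = Union[List[str], str]  # list of A records, or DNS_TIMEOUT


def load_domainlist(text: str) -> set:
    """Parse an lsearch file: one key per line, '#' lines are comments."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def partial_lsearch(keys: set, domain: str, min_labels: int = 2) -> Optional[str]:
    """Emulate partial-lsearch (default partial2, prefix '*.'): try the full
    key, then '*.' + each parent domain while at least min_labels labels remain."""
    domain = domain.lower()
    if domain in keys:
        return domain
    labels = domain.split(".")
    for i in range(len(labels) - min_labels + 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in keys:
            return candidate
    return None


def dnslist_matches(answers: Answers, wanted: Optional[set]) -> bool:
    """Emulate one dnslists condition; 'wanted' is the value set after '='
    (None: any answer counts).  Exim treats a lookup that fails or times out
    as NOT listed, so on a whitelist a DNS hiccup removes the exemption."""
    if answers == DNS_TIMEOUT:
        return False
    if wanted is None:
        return bool(answers)
    return any(a in wanted for a in answers)


def check_rcpt(sender: str, host_ip: str, banks: set,
               dns: Dict[str, Dict[str, Answers]]) -> Tuple[str, str, int]:
    """Apply the drop statement in ACL order.  Returns (verdict, reason,
    dns_lookups); 'continue' means the rest of the RCPT ACL would run.  The
    lookup count makes the short-circuit visible: non-bank senders cost no DNS."""
    lookups = 0
    matched = partial_lsearch(banks, sender.rpartition("@")[2])
    if matched is None:
        return "continue", "sender domain not in +banks", lookups
    lookups += 1
    if dnslist_matches(dns["list.dnswl.org"].get(host_ip, []), DNSWL_FINANCIAL):
        return "continue", "host listed by list.dnswl.org as financial", lookups
    lookups += 1
    if dnslist_matches(dns["my-local-whitelist.example.com"].get(host_ip, []), None):
        return "continue", "host on our local whitelist", lookups
    return ("drop", f"DENIED BANK PHISHING from: {sender} @ {host_ip} "
            f"(sender domain matched key {matched})", lookups)


# Constructed DNS answers, keyed by list then connecting IP; an IP missing
# from a list is simply not listed.
SAMPLE_DNS: Dict[str, Dict[str, Answers]] = {
    "list.dnswl.org": {"198.51.100.10": ["127.0.2.2"],   # financial, medium trust
                       "198.51.100.11": ["127.0.3.2"],   # listed, but as an ESP
                       "198.51.100.12": DNS_TIMEOUT},    # whitelist unreachable
    "my-local-whitelist.example.com": {"198.51.100.11": ["127.0.0.2"]},  # vetted mailshot ESP
}
SAMPLE_CONNECTIONS = [               # constructed (envelope sender, connecting IP)
    ("onlineservices@barclays.co.uk", "192.0.2.7"),  # zombie claiming a bank
    ("alerts@barclays.co.uk", "198.51.100.10"),      # genuine bank MTA
    ("alerts@barclays.co.uk", "198.51.100.11"),      # bank mailshot via an ESP
    ("alerts@barclays.co.uk", "198.51.100.12"),      # DNSWL lookup timed out
    ("notice@mail.barclays.co.uk", "192.0.2.8"),     # subdomain, caught via '*.' key
    ("newsletter@example.org", "192.0.2.9"),         # not a bank: statement skipped
]


def run_samples() -> List[Tuple[str, str, int]]:
    banks = load_domainlist(BANKS_FILE)
    return [check_rcpt(s, ip, banks, SAMPLE_DNS) for s, ip in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for (sender, ip), (verdict, reason, n) in zip(SAMPLE_CONNECTIONS, run_samples()):
        print(f"{verdict:8} {sender:30} {ip:14} dns={n}  {reason}")
```

Running it shows the fourth connection being dropped purely because the DNSWL answer never arrived, and that removing the '*.barclays.co.uk' key lets the fifth one through untouched; both are worth knowing before putting a `drop` in front of sender verification.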