Spam Filtering: March 2005 Archives

sendmail milters

I finally took the plunge today and got milter-ahead working. I had been meaning to do something about it for ages, but didn't have a spare Red Hat machine to test it on.

What does it do? The concept behind the milter is very simple. At the start of the SMTP transaction, when the recipient is given, the milter connects to the destination mail server to see if that recipient is valid. If the recipient is valid, or the mail server accepts mail for it (which is not always the same thing, e.g. a catch-all domain will accept any address), then the SMTP transaction continues. If, on the other hand, the destination mail server rejects the recipient, then the transaction stops there. It also caches the results, so you don't have to make a connection for each and every mail.

Why is this useful? If you are using a gateway in front of multiple mail servers, the milter reduces load and bandwidth on both the gateway and the receiving mail server, because mail for non-existent recipients is rejected at the gateway instead of being accepted and then bounced. Some "older" domains can get hit with dictionary attacks several times a day, so the milter can reduce the load on your MailScanner processes significantly.
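To make the call-ahead and caching behaviour described above concrete, here is an added Python sketch (not milter-ahead's own code) of the recipient check a gateway performs at the RCPT stage. It assumes a hypothetical backend host name and uses a constructed fake SMTP backend in place of smtplib.SMTP so it runs offline; only definitive 2xx/5xx answers are cached, and a 4xx or a connection failure is treated as a temporary failure and retried next time.

```python
import time
import smtplib


class FakeBackend:
    """Constructed stand-in for the destination mail server (same methods
    as smtplib.SMTP that the check uses). It answers RCPT TO the way a real
    backend would: 2xx accept, 5xx reject, 4xx temporary failure."""
    ANSWERS = {"alice@example.com": (250, b"OK"),
               "tmp@example.com": (451, b"Try again later")}

    def __init__(self, host, port=25, timeout=10): pass
    def ehlo(self): return 250, b"hello"
    def mail(self, sender): return 250, b"OK"
    def rcpt(self, rcpt): return self.ANSWERS.get(rcpt, (550, b"User unknown"))
    def rset(self): return 250, b"OK"
    def quit(self): return 221, b"bye"


class CallAhead:
    """Recipient call-ahead with a result cache, in the spirit of milter-ahead."""

    def __init__(self, backend_host, smtp_class=smtplib.SMTP, ttl=3600):
        self.backend_host = backend_host   # hypothetical backend, e.g. "mail.internal.example"
        self.smtp_class = smtp_class       # smtplib.SMTP in real use, FakeBackend here
        self.ttl = ttl
        self.cache = {}                    # rcpt -> (verdict, expiry)

    def check(self, rcpt, probe_sender="<>"):
        """Return 'accept', 'reject' or 'tempfail' for one envelope recipient."""
        now = time.monotonic()
        hit = self.cache.get(rcpt)
        if hit and hit[1] > now:
            return hit[0]                  # cached answer, no connection made
        verdict = self._probe(rcpt, probe_sender)
        if verdict != "tempfail":          # never cache a transient answer
            self.cache[rcpt] = (verdict, now + self.ttl)
        return verdict

    def _probe(self, rcpt, sender):
        # Minimal SMTP dialogue: EHLO, MAIL FROM:<>, RCPT TO, then RSET/QUIT
        # so the backend never receives a message body.
        try:
            s = self.smtp_class(self.backend_host, 25, timeout=10)
            s.ehlo()
            s.mail(sender)
            code, _ = s.rcpt(rcpt)
            s.rset()
            s.quit()
        except (OSError, smtplib.SMTPException):
            return "tempfail"              # backend down: defer, don't reject
        if 200 <= code < 300:
            return "accept"                # valid, or a catch-all that takes anything
        if 500 <= code < 600:
            return "reject"
        return "tempfail"
```

A 'reject' verdict is what the milter turns into a 5xx at RCPT TO on the gateway; a 'tempfail' should become a 4xx so legitimate mail is retried rather than lost while the backend is unreachable.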
Bank of Ireland's online banking service, 365 online, has been targeted in one of the latest rounds of phishing attacks. Compared to other attacks, such as the PayPal one I mentioned recently, this one is quite rudimentary, but could be effective against some people. The initial email uses the BOI logo and phone number and calls upon users to log in immediately because there has been "a security breach":

[Image: Bank of Ireland phishing email]

The email links to what looks vaguely like the real BOI site, where users are asked to provide their PIN etc.:

[Image: Bank of Ireland phishing sign-in page]

Of course the address bar gives it away:

[Image: phishing URL]

Another page they put up is full of grammatical errors and cultural faux pas:

[Image: Bank of Ireland phishing spoof sign-up page]

Note the incorrect plural of the nouns and the request for a Zip code, which is meaningless for an Irish bank. The site being used by the scammers is hosted by an Italian ISP.

Update: BOI have made an announcement about this phishing attack and the Italian site has been taken offline. I got a rather amusing email from their IT department telling me what I already knew. I might post it later.
Martin pointed me at a rather handy set of scripts for generating the regex for SpamAssassin custom rules: CMOScript. I haven't had any success with the custom rule I was trying to generate, but that's more likely due to me than the scripts :)
We seem to get one or two of these emails a week, possibly more. They are usually very well crafted, and unless you actually read (and understand) mail headers it is easy to see how someone could be duped by them. The one we got this morning is below:

[Image: PayPal phishing email]

It looks and feels like a genuine PayPal email, until you look at the headers or the HTML source. The scammers have, of course, gone to great lengths to make sure that a cursory glance will not reveal anything "strange", so the link in the email displays what looks like a genuine PayPal URL on mouseover while actually pointing somewhere else.

So what happens if you are duped into visiting this site? In this instance the site was called paypol.biz. After you get past the front page you are asked to agree to a number of legal statements and then passed on to this page:

[Image: PayPal spoof site]

Here they ask you not only for your credit card details, but also your bank details, social security number and more. With this kind of detail the scammer would have little difficulty in gaining access to your credit card and other sources of funds.
Michele Neylon - cartoon picture

About this Archive

This page is an archive of entries in the Spam Filtering category from March 2005.