[Dshield] Phishing solution (was: Re: Microsoft Security Advisory Notification (902333))

Chris Brenton cbrenton at chrisbrenton.org
Wed Jun 22 10:37:20 GMT 2005


On Wed, 2005-06-22 at 00:15, Al Reust wrote:
>
> Browser Windows Without Indications of Their Origins may be Used in 
> Phishing Attempts
> Published: June 21, 2005

Found a pretty cool phishing solution that installs right on the mail
gateway in case folks are interested. It's called MailScanner and you can
read up on it/download it here:
http://www.sng.ecs.soton.ac.uk/mailscanner/

The tool does everything from strip HTML to integration with your virus
scanner of choice. It also detects phishing attempts. You can read up on
how they do it here:
http://www.sng.ecs.soton.ac.uk/mailscanner/phishing.html

but in short they compare the URL to the printed text to see if they
jibe. If they do not, it's labeled as phishing and sent to /dev/null if
you choose. There is even a whitelist feature so you can add in the
domains that do this but are not necessarily evil (like
americanexpress.com). 

Here's a snippet of what I had in my logs last night:

Found ip-based phishing fraud from 202.95.233.89 in j5JJb2n8010869 : 1 Time(s)
Found phishing fraud from ctyd.com.mx claiming to be www.paypal.com in j5KE5sPQ022706 : 1 Time(s)
Viruses marked as silent: ClamAV: msg-21092-14.html contains HTML.Phishing.Pay-43  : 1 Time(s)

Needless to say I have zero phishing problems since installing this
tool. The spam stuff via SpamAssassin integration is also cool as they
define a two-tier scoring process, something I've done via manual tweaks
for years. For example I have my system set up as follows:

< 3 points = not spam
3-12.9 points = might be spam. Add "{SPAM}" to the subject line and let
it through
>=13 points = It's spam, send it to /dev/null

Since setting up this system, only five or fewer spam messages a day
make it to my mail client (out of 100+). I've only had one message get
through without the {spam} label that should have had it.

HTH,
Chris




