Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Andrew Daviel <advax () TRIUMF CA>
Date: Thu, 13 Nov 2014 17:24:24 -0800

On Fri, 31 Oct 2014, Nick Semenkovich wrote:

> What we haven't done is implement DMARC and SPF hard fails.  DMARC has its
> own problems, especially with regards to mailing lists.  In my opinion it is
> a solution that causes more problems than it fixes.  SPF hardfail causes
> similar issues in my opinion.


A little while ago I went through the exercise of upgrading Mailman to be DMARC-aware. As I recall the patch can do a DNS lookup and munge the sender address away from the real one, e.g.
"John Doe via xyzzy list <xyzzy-list () example com>"
instead of the original
"John Doe <jdoe () yahoo com>"
which would be bounced and possibly get him unsubscribed for having a bad address.

I also created a DMARC "none" record, and so get the automated reports from Google, Yahoo, Hotmail etc. - which I really ought to write a handler for instead of just filing them all unread most of the time. I had previously signed up for Hotmail notifications which can be a good alarm for a compromised account (as well as noise from any time someone clicks "this is junk" on a legit email months later).


I just belatedly read all the thread, thanks everyone; I liked the Microsoft paper about the costs of complex passwords etc.


As this is related, I'll just tag it on the end: I just read an interesting paper by Google which was in Techworld yesterday:
http://services.google.com/fh/files/blogs/google_hijacking_study_2014.pdf

That states that over 99% of phishing emails come from .edu domains.

It's also an interesting in-depth study of manual phishing. Apparently the attackers quite rapidly access accounts using submitted credentials, then assess the mailbox for banking information, adult photos etc. as well as contact information for further "Help, I've lost all my money to a mugger" scams.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
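
A handler for the DMARC aggregate reports mentioned in the message above could start as follows. This is an added example, not part of the original post or of any project named in it; it assumes the report attachment has already been decompressed to XML text in the RFC 7489 aggregate format, and the `summarize` function name and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report; every value is invented for illustration.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>12</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(xml_text):
    """Return (domain, published policy, {source_ip: count of DMARC-failing mail})."""
    # Reports come from outside parties: refuse DTDs so no entities get expanded.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in DMARC report")
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain", default="")
    policy = root.findtext("policy_published/p", default="")
    failing = Counter()
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        ip = rec.findtext("row/source_ip", default="unknown")
        failing[ip] += int(rec.findtext("row/count", default="0"))
    return domain, policy, dict(failing)


if __name__ == "__main__":
    domain, policy, failing = summarize(SAMPLE_REPORT)
    print(f"{domain} (p={policy})")
    for ip, n in sorted(failing.items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} message(s) failed both SPF and DKIM alignment")
```

Sources that fail both checks are either mail streams that still need SPF/DKIM set up (forwarders and mailing lists included) or someone spoofing the domain, which is what a "none" policy is meant to surface before moving to a stricter one.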

