Security Basics mailing list archives

RE: Incident Handling for phishing attemts


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 10 Oct 2007 10:19:47 +1000

Does your course of action depend on what kind of legal action etc that you
may wish to take in the future? Image the drive that you had the phishing
emails on? Something like that, along forensic lines. Keep copies of logs
that might be pertinent?

Was it a very specific phish? I.e., targeting someone or some entity in your
organization? Try and work out how they got that info too, from an opsec
POV.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of sfmailsbm () gmail com
Sent: Friday, October 05, 2007 2:55 PM
To: security-basics () securityfocus com
Subject: Incident Handling for phishing attemts

Hi List,

Just wanted to get a few suggestions on how we might handle a phishing
attempt?


Some actions I think about:

(a) Identify website, and contact owner/isp to take actions

(b) Determine source of mail, and try to identify sender / report to domain
owner/isp


Any other "technical" actions that can be taken?


What about legal actions? 


Many many thanks

Ron

