Educause Security Discussion mailing list archives

Re: .edu email phishing


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 2 Apr 2008 17:48:53 -0400

Remember, the signatures themselves don't block messages; it sounds like
your MTA is somehow configured to do so based upon scan results.
Typically, these are used to increase the spam weight score of a given
message.  Combined with other rules like AWL, Bayesian and whitelists,
they should pose no problem.  I've never once missed a message here as a
result nor been removed from any lists.  A couple of my SpamAssassin
rules are:

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 5.0

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 3.0

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0


Mike Iglesias wrote:
Dave Koontz wrote:
Tim, if you are running Barracuda (SpamAssassin) with ClamAV, check
out Sane Security's Phishing and Scam signatures.  They do a great
job of catching these phishing messages and most of the others out
there (like eBay, banks, etc.)  Just schedule an update to run
periodically.

http://www.sanesecurity.co.uk/clamav/downloads.htm

We've started using these signatures recently, and they are working.
They work a little *too* well, and have caused some of us to be
dropped from some mailing lists (like this one) because people are
posting the phishing email messages that have been sent to their
campuses to the list (which I'm not complaining about), the Sane
Security rules catch them, and the email is rejected during delivery.
After some number of delivery failures, Listserv drops you from the
list.  So either subscribe using an email address that doesn't get run
thru the rules or exempt this list (and any others that might have
sample phishing email posted to them) from rule checking.
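
The two behaviours discussed in this exchange, rejecting at delivery on any signature match versus letting the match only add weight, compared in an added example that is not part of either message. It parses the meta and score lines quoted above; the 5.0 threshold, the USER_IN_WHITELIST score of -100 and the sample hit sets are assumptions, and the base CLAMAV rule carries no score here because the message does not show one.

```python
# Rule lines copied from the message above (meta and score lines only).
RULES_CF = """
meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
score CLAMAV_SANE 5.0
meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
score CLAMAV_MBL 3.0
meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
score CLAMAV_MSRBL 2.0
"""
# Assumptions, not from the message: threshold and whitelist score.
REQUIRED_SCORE = 5.0
OTHER_SCORES = {"USER_IN_WHITELIST": -100.0}

def parse_rules(cf):
    """Return ({meta name: expression}, {rule name: score})."""
    metas, scores = {}, {}
    for line in cf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "meta":
            metas[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return metas, scores

def meta_fires(expr, hits):
    """Evaluate a pure '&&' conjunction, the only form used above."""
    names = expr.strip().strip("()").split("&&")
    return all(n.strip() in hits for n in names)

def total_score(hits, cf=RULES_CF):
    metas, scores = parse_rules(cf)
    fired = set(hits) | {m for m, e in metas.items() if meta_fires(e, hits)}
    table = {**scores, **OTHER_SCORES}
    return sum(table.get(rule, 0.0) for rule in fired)

def verdict(hits, policy):
    """policy 'reject_on_hit': MTA refuses any ClamAV match.
    policy 'score': the match only adds weight to the spam score."""
    if policy == "reject_on_hit":
        return "reject" if "CLAMAV" in hits else "deliver"
    return "tag_spam" if total_score(hits) >= REQUIRED_SCORE else "deliver"

# Constructed hit sets: a list post quoting a phishing sample, with and
# without the list being whitelisted.
LIST_POST = {"CLAMAV", "__CLAMAV_SANE", "USER_IN_WHITELIST"}
UNLISTED = {"CLAMAV", "__CLAMAV_SANE"}

if __name__ == "__main__":
    for name, hits in (("list post", LIST_POST), ("unlisted", UNLISTED)):
        for policy in ("reject_on_hit", "score"):
            print(name, policy, verdict(hits, policy), total_score(hits))
```

Under the reject policy the whitelisted list post is still refused, which is the failure that leads to Listserv dropping a subscriber; under scoring the same hit is outweighed by the whitelist entry.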


