[120047] in North American Network Operators' Group
Re: SPF Configurations
daemon@ATHENA.MIT.EDU (Tony Finch)
Tue Dec 8 13:43:05 2009
Date: Tue, 8 Dec 2009 18:42:19 +0000
From: Tony Finch <dot@dotat.at>
To: Michael Holstein <michael.holstein@csuohio.edu>
In-Reply-To: <4B1E98A4.3080009@csuohio.edu>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, 8 Dec 2009, Michael Holstein wrote:
>
> > 3. Spammers abusing your webmail and/or remote message submission service
> > using phished credentials.
>
> I'll admit .. this has happened a few times too. Usually we see the
> incoming phish attempt and configure an outbound block for RE: (same
> subject) and it never fails .. we catch at least one person that
> responds. We've seriously considered sending our own phishing emails
> with a link that automatically disables anyone's account if they click it.
In addition to rate-limiting, you can get some assistance
from the anti-phishing email reply blacklist (see
http://code.google.com/p/anti-phishing-email-reply/) which
is included in the Sanesecurity ClamAV add-on databases (see
http://sanesecurity.co.uk/databases.htm). Even if it's too late
to block the incoming phish it can be useful to block your users'
replies. There's also "Kochi" which analyses email for phishing-
related patterns, including detecting messages that contain users'
passwords (see http://oss.lboro.ac.uk/kochi1.html). There's a fair
amount of discussion of this kind of thing on the hied-emailadmin list
(see https://listserv.nd.edu/cgi-bin/wa?A0=HIED-EMAILADMIN).
> Our volume is 1.5-2m msg/day, and I'd say we catch ~95% of it .. but
> when a batch gets through and a third of our students have mail
> forwarded to Yahoo, from Yahoo's point-of-view, they just got 10,000
> spam from our IPs.
Ah, you have rather more forwarding than we do.
> Anyone know how to do this in Domino off-hand? (without sending IBM a
> fat check) .. if so, I'd love to hear about it so I can tell our Lotus
> admins.
Put a Unix mailer between it and the real world :-) I think Exim's rate
limiting facility is excellent, but then I wrote it :-)
Tony.
--
<fanf@exim.org> <dot@dotat.at> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
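An added example, not code from Tony's post or from the Exim project itself: an Exim ACL fragment that applies the two ideas raised in this thread, a per-account rate limit on authenticated message submission and an outbound block on replies that carry a known phish subject. The ACL names, the limit of 200 recipients per hour, and the subject pattern are assumptions; the rest of the configuration (routers, transports, authenticators) is assumed to exist.

```exim
# Added example: Exim ACL fragment for a submission server where users
# authenticate. Thresholds and names are assumptions; tune to local traffic.

# main section: route the RCPT and DATA phases to the ACLs below
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Per-account outbound rate limit for authenticated senders. A phished
  # account that starts addressing thousands of recipients is throttled
  # before a large batch leaves. "strict" keeps counting recipients even
  # when they are refused, so a runaway sender stays limited for the hour.
  # The deferral also stands out in the log for follow-up with the user.
  defer
    condition   = ${if def:authenticated_id}
    ratelimit   = 200 / 1h / per_rcpt / strict / $authenticated_id
    message     = Sending rate $sender_rate per hour exceeds \
                  $sender_rate_limit for $authenticated_id
    log_message = RATELIMIT auth=$authenticated_id rate=$sender_rate

  accept

acl_check_data:
  # Outbound block on replies to a known phish (the "RE: same subject"
  # block described in the thread). The subject text is a placeholder to
  # be replaced with the subject of the campaign currently being seen.
  deny
    condition   = ${if def:authenticated_id}
    condition   = ${if match{$h_subject:}{\N(?i)^re:\s*PLACEHOLDER PHISH SUBJECT\N}}
    message     = Message refused: reply to a known phishing message
    log_message = PHISHREPLY auth=$authenticated_id subject=$h_subject:

  accept
```

Mail handed over from a webmail front end without SMTP authentication carries no $authenticated_id, so a deployment that receives such mail would need to key the rate limit on whatever identifies the user in that path instead.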