[81686] in North American Network Operators' Group
Re: ISP phishing
daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu Jun 23 10:41:55 2005
Date: Thu, 23 Jun 2005 16:41:17 +0200
From: Gadi Evron <ge@linuxbox.org>
To: Robert Boyle <robert@tellurian.com>
Cc: Gadi Evron <gadi@tehila.gov.il>, nanog@merit.edu
In-Reply-To: <6.2.1.2.2.20050623095147.0525cca0@mail.tellurian.com>
Errors-To: owner-nanog@merit.edu
Robert Boyle wrote:
>
> At 05:37 AM 6/23/2005, you wrote:
>
>> Hi guys. I notice a large increase in recent weeks of ISP-directed
>> phishing - largely because of worms moving backward to using the user's
>> own domain for the spam, but not just in the from: address.
>>
>> I believe this started out as a "let's feel this out" or "wow, that
>> worked, let's phish ISPs directly too". I now have several reports
>> that point to this becoming a serious problem.
>>
>> Old with a spark of new, but definitely a problem.
>>
>> Anyone else dealing with this?
>
>
> Due to the huge number of variants in the wild, our AV software can't
> keep up (probably nobody's can). Instead, we enabled a global rule which
> blocks any email from accounts such as billing, root, postmaster,
> antivirus, abuse, security, etc. which don't originate from our
> management IP space where our people work. As a result, we have stopped
> these phishing scams for our users dead in their tracks.
>
> -Robert

We did as well, but we did not yet find a solution for legit bounces...
it naturally breaks that.

It's a temporary solution to what I see is going to become very big.
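
The role-account rule described in the quoted message, and the bounce breakage noted in the reply, as an added example that is not part of either message or of either ISP's configuration. The networks, domains, sample messages, and the choice to match on the local part of both the envelope sender and the From: header are assumptions.

```python
import ipaddress
from email.utils import parseaddr

# Assumed values: documentation address ranges and example domains.
MANAGEMENT_NETS = [ipaddress.ip_network("192.0.2.0/28")]
ROLE_ACCOUNTS = {"billing", "root", "postmaster", "antivirus", "abuse", "security"}

def from_management(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MANAGEMENT_NETS)

def check(client_ip, envelope_sender, header_from):
    """Return 'reject' or 'accept' for one message under the role-account rule."""
    # Check both the envelope sender and the From: header (an assumption;
    # the thread does not say which one the rule inspects).
    candidates = [envelope_sender, parseaddr(header_from)[1]]
    local_parts = {a.split("@")[0].lower() for a in candidates if a}
    if local_parts & ROLE_ACCOUNTS and not from_management(client_ip):
        return "reject"
    return "accept"

def is_bounce(envelope_sender):
    # Delivery status notifications carry the null reverse-path, MAIL FROM:<>.
    return envelope_sender == ""

# Constructed sample messages: (label, client IP, envelope sender, From: header)
SAMPLES = [
    ("staff notice", "192.0.2.5", "billing@isp.example", "Billing <billing@isp.example>"),
    ("forged notice", "203.0.113.77", "x@host.example", "Security <security@isp.example>"),
    ("remote bounce", "198.51.100.25", "", "Mail Delivery System <postmaster@remote.example>"),
    ("ordinary mail", "198.51.100.9", "alice@remote.example", "Alice <alice@remote.example>"),
]

def rejected_bounces(samples):
    """Labels of bounces the rule rejects: the breakage noted in the reply."""
    return [label for label, ip, env, hdr in samples
            if is_bounce(env) and check(ip, env, hdr) == "reject"]

if __name__ == "__main__":
    for label, ip, env, hdr in SAMPLES:
        print(f"{label:14} {check(ip, env, hdr)}")
    print("bounces rejected:", rejected_bounces(SAMPLES))
```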