Dealing with phishing spam

Thomas Anderson tanderson at orderamidchaos.com
Fri Oct 8 14:51:04 CEST 2010


The process works much faster and more accurately if you also use 
stripsearch with bogofilter...

http://orderamidchaos.com/bogofilter/stripsearch

Stripsearch investigates the body of your emails for evidence of 
spamvertized URLs by looking them up in a Realtime BlockList (RBL) such 
as surbl.org or spamhaus.org.  Any matching URLs are then replaced by 
the token SPAM-ADDRESS as a hook for statistical filters.  This serves 
the double purpose of making it less likely to click on a phishing scam 
or illegitimate unsubscribe link, and also making it more likely that 
the email will be flagged as spam.  This should especially help to 
classify those spams which consist of just a linked image and no text, 
or a phishing scam posing as a company with which you have regular 
correspondence such as, perhaps, eBay, PayPal, or your bank.

If a domain is not listed in a URIBL, a further test is performed on 
HTML emails.  The HREF link is compared to the content enclosed by the 
tag, and if there is a domain in the content and it does not match the 
domain of the link, then the token SCAM-ADDRESS is added to indicate 
that the address shown is not the address to which the link connects. 
There may be occasions where this is proper, but in most cases, this 
technique is used for phishing or fraud.

I've been using stripsearch for a few years now and phishing has not 
been a problem at all.  The tags give bogofilter the additional level of 
confidence that a phishing email is spam.  And even if bogofilter misses 
one and it comes in as ham, the tags alert me to the true nature of the 
email, preventing me from inadvertently clicking the phishing link.  And 
while it has helped me immensely, it has been even more helpful for my 
less savvy clients who would otherwise be rather unaware of when an 
email is a phishing scam.

Tom


On 10/8/2010 7:37 AM, David Relson wrote:
> Hello Lars,
>
> A great question!
>
> Short answer:  Bogofilter works well with phishing messages.
>
> Long answer follows ...
>
> Most words in bogofilter's wordlist have "neutral" scores, i.e.
> bogofilter's training has taught it that the words aren't significant
> when making the ham/spam determination.
>
> There will be some word differences between the real and the phishing
> messages.  With training bogofilter will learn which ones are
> significant, i.e. indicate ham/spam.
>
> When phishing messages first start appearing, bogofilter typically will
> classify them as "ham" (because they seem real).  After training some
> of these as spam, bogofilter will start classifying them as "unsure".
> Further training shifts the classification to "spam".
>
> The process works (given some time and some training).
>
> HTH,
>
> David
>
> On Fri, 8 Oct 2010 08:22:22 +0200
> Lars Clausen wrote:
>
>> Hi Bogofilterers,
>>
>> Starting a few months ago, I've been getting a lot of phishing spam
>> that targets common sites like amazon, facebook, ebay and linkedin,
>> all of which I use. The mails are basically copies of what real
>> mails from those sites look like, and generally have a lot of text.
>> I'm worried that if I train them all as spam, real mail from those
>> sites will be marked as spam as well. What are people's experiences
>> with handling phishing with bogofilter? Should something else be
>> used instead, and if so, what?
>>
>> Thanks,
>> -Lars
>>
>> _______________________________________________
>> Bogofilter mailing list
>> Bogofilter at bogofilter.org
>> http://www.bogofilter.org/mailman/listinfo/bogofilter
>
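
Added example, not part of the original message and not stripsearch's own code: a Python illustration of the two checks the message describes, the blocklist hit (SPAM-ADDRESS) and the HREF-versus-link-text domain mismatch (SCAM-ADDRESS). The function names, the `is_listed` callable standing in for the URIBL DNS query, the subdomain-matching rule and the sample body are assumptions; it reports the token for each flagged link instead of rewriting the message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname-looking strings in visible link text (simplified pattern).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def host_of(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def related(a, b):  # equal, or one is a subdomain of the other
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkTagger(HTMLParser):
    def __init__(self, is_listed):
        super().__init__()
        self.is_listed = is_listed  # assumed stand-in for the URIBL lookup
        self.href, self.text, self.tokens = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        link = host_of(self.href)
        shown = [host_of("//" + d) for d in DOMAIN_RE.findall("".join(self.text))]
        if link and self.is_listed(link):
            self.tokens.append(("SPAM-ADDRESS", self.href))
        elif link and shown and not any(related(link, s) for s in shown):
            self.tokens.append(("SCAM-ADDRESS", self.href))
        self.href = None

def tag_links(html, is_listed):
    parser = LinkTagger(is_listed)
    parser.feed(html)
    return parser.tokens

# Constructed sample body and blocklist, using reserved example domains.
LISTED = {"listed.example.org"}
SAMPLE = ('<a href="http://account.example.net/verify">https://www.shop.example.com/account</a>'
          '<a href="http://listed.example.org/pills"><img src="x.gif"></a>'
          '<a href="https://www.example.com/help">help.example.com</a>'
          '<a href="https://example.com/">Click here</a>')
```

Calling `tag_links(SAMPLE, LISTED.__contains__)` flags the first link as SCAM-ADDRESS and the image-only link as SPAM-ADDRESS; the last two links pass because the shown domain is related to the target or no domain is shown at all.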



