What Is ScamNailer?

Spear phishing is a technique used by spammers and scammers to try to get your email username and password. They send you an email, often claiming to be from your email provider or employer, in which they say that your account will be deleted unless you supply them with your username and password "for authentication" or some other similar ruse. They say you must reply to the message giving them this information, or send a message to a particular address giving them this information.

If they get your username and password, they then use your email account and email provider to send out millions of spam messages. Because the spam comes from a genuine email system (yours!) it will be accepted by most sites and will automatically pass many spam checks.

Implementation

ScamNailer takes 2 lists of addresses commonly used in these attacks. It also allows an additional list of addresses you can add to. From these, it generates a set of SpamAssassin rules that detect the presence of these addresses, which can be used in MailScanner or SpamAssassin to stop the spear-phishing attacks completely. If you use ClamAV but not SpamAssassin, you need to use ClamNailer instead.

Note: This uses far more than just the well-known list of phishing email addresses published on SourceForge (it used to be hosted on Googlecode). It also uses a very large list of addresses which have been discovered and manually checked by a large and very well-known corporation on the web, which you will definitely have heard of. Due to a fat Non-Disclosure Agreement I signed, I cannot tell you who they are. But they are very well trusted and you will have dealt with them at least once by now! This list is not used by any other open-source package.

It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. I thought I would make it a tiny bit harder for them...

It looks for any of these addresses appearing anywhere in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap.

ClamAV Signatures

The ScamNailer database is now distributed as a ClamAV Signature file from

http://www.mailscanner.eu/scamnailer.ndb

This file is updated very frequently, but please do not download it more than once per hour!

It's Free

ScamNailer is completely free of charge, requiring no licence, installation or subscription fees. Free assistance is provided through mailing lists and instant support is available through a dedicated IRC channel, which is monitored 24 hours per day. A range of companies also provide commercial tailor-made support contracts. It is currently used by a very large selection of organisations around the world, from small companies and ISPs to the US Government and Military.

Copyright 2009 © Julian Field/ScamNailer