How can I use filtering to warn my users about phishing attempts against their accounts?

Issue

How can I use filtering to warn my users about phishing attempts against their accounts?

Solution

One method is to use filtering to add a disclaimer to any mail message with words or phrases such as "date of birth", "password", "Social Security number", etc. in it. You can do that with a Mirapoint filter, in combination with the Message Set command. However, you will need to create the filter at the command-line, not through the Administrative Suite.

First, create the message. You must use the filter.disclaimer group for this message so that it can be used in the disclaimer filter action, as shown:

mirapoint.example.edu> message set en_US.iso-8859-1 filter.disclaimer.passmessage

Enter message (including headers), finish with a '.' on a line by itself:

======================

NOTICE: University IT staff will never ask for your password,

Social Security Number, or other sensitive information in email.

If you receive a message claiming to be from a staff member asking

for such information, please forward it to abuse@example.edu for

our security team to deal with.

======================

.

OK Completed

mirapoint.example.edu>

Next, create the filter or filters. The various options for how to get disclaimers to display as intended in HTML email, how to customize messages for different character sets, etc. are beyond the scope of this article, but here are a pair of example filters that use the message set above:

mirapoint.example.edu> filter add "(domain=any)" "pass1" disclaimer "(message=filter.disclaimer.passmessage)(position=top)(name=password-warning.txt)" anyof continue

:body contains "date of birth"

:body contains "password"

:body contains "Social Security Number"

:body contains "PASSW0RD"

.

OK Completed

mirapoint.example.edu>

filter add "(domain=any)" "pass2" disclaimer "(message=filter.disclaimer.passmessage)(position=top)(name=password-warning.txt)" anyof continue

Subject regexmatches "password|account suspend|account disable"

.

OK Completed

mirapoint.example.edu>

A small, but probably increasing, fraction of the spam stream is encoded in non-text formats, which these filters will not match. To work around this problem, use :bodydecoded includes(compare=nocase) instead of :body contains in the filters above.