Search and Quarantine of Identified Phishing Emails
Problem reported by Sérgio Rocha - Today at 2:59 AM
Submitted
HI,

We are currently experiencing a period of exceptionally high phishing activity. Some of these campaigns are highly sophisticated, while others are relatively poor. Nevertheless, the lack of user attention is striking, and the number of victims is enormous.

We use the same email service as our customers, and every day we identify very dangerous phishing messages that have bypassed the security mechanisms. By reviewing the logs, we can also see that many of our customers have been targeted by the same campaigns.

Would it be very difficult to implement a mechanism to search for and automatically move identical phishing messages to the Junk folder? It might be possible to locate the messages using their Message IDs based on the sender and subject. In fact, searching by sender alone within a given time window should probably be sufficient to identify all copies of the same phishing email.

Thanks for your time.

SR
Douglas Foster Replied
This problem has been extensively discussed at this topic:

I developed a script to list all users with their account attributes, which is posted here
It includes some comments about the practical difficulties of converting it into a script to find and delete an unwanted message.   I will restate a few of them here:

  • Message ID will often be insufficient, because most spam is sent to one user at a time.  When that is the case, standards compliance requires each messages to have a unique message ID.   Spammers feel no obligation to be standards-compliant, but in this case I expect that they will be.   
  • Spam will often have randomizing elements in the subject text and may have randomizing elements in the email addresses, so your attribute matching will often need to use "contains <value>" rather than "equals <value>".   This adds to the performance problems inherent in searching a large number of messages in a large number of mailboxes.  
  • If you have a non-trivial number of mailboxes, searching every mailbox will impose an unacceptable burden on your mail server and will take unacceptably long to complete.   The concept only seems feasible when you have a list of targeted accounts, taken from data that has been captured by an inbound gateway system.
I confidently assume that the bad-message retrieval feature of Office365 requires exact accounts and probably exact message IDs, based on metadata captured by one of the very expensive inbound gateway services which implement this Office365 feature.   Of course, the fact that they support this feature proves that spending a lot of money does not get you reliable spam protection.

If  you are willing to quarantine doubtful messages, at the risk of delaying some wanted messages, then you can achieve approximately 100% spam protection without needing to perform bad message extraction.   That approach requires a good quarantine review interface, ongoing investment in quarantine review labor, and a sophisticated local structure for defining what messages you do and do not want.

Reply to Thread

Enter the verification text