Anti-Phishing and Spear-Phishing Version 2

Update 11 October 2009: This has now been moved to Please check there for all future information and updates to this package.

Update 20 September 2009:
The Google-hosted data file has been moved to SourceForge, so I have updated the URL it downloads it from. You need to update your script to the new version 2.05.

Update 16 June 2009:
I have changed the rule structures to make them considerably faster than the old ones. Download the updated script from the link below.

I have acquired a new reliable feed of email addresses used in phishing attacks. These addresses have all been checked by real people, and they come from a very reliable and well-known source.

The new data file is provided by means of DNS and an Anycast network, which makes it pretty resilient to attack. The previous spear-phishing data is gathered from the project hosted by Google in the traditional way, that hasn’t changed.

I have updated my script so that it fetches both sets of data. It makes use of a temporary directory under /var/cache, which is configurable at the start of the script, and which needs to be writable by the user the scripts runs as (normally just ‘root’ so this doesn’t present any problem at all to most people).

You can
download version 2.05 of the script.

If you are not using MailScanner with this script, you will need to comment out or delete the line that mentions “service MailScanner reload” about 1/3 of the way down the script (search and ye shall find!).

For more explanation of this whole problem and the way this script works, please refer back to
my earlier article.