List Format
ADDRESS,TYPE,DATE
ADDRESS,TYPE,DATE
ADDRESS,TYPE,DATE
e.g.
accounthelpdesk@live.com,AC,20080327
windowsupgrades@microsoft.com,C,20080216
where:
ADDRESS: the full uid@domain email address that the phishing message is asking the user to reply to. An ADDRESS can only be listed once. Only one ADDRESS can be listed per line.
TYPE: the way the ADDRESS was used. Multiple types can be listed (e.g. 'ABCD' or 'AC' or 'B', etc)
- A: The ADDRESS was used in the Reply-To header.
- B: The ADDRESS was used in the From header.
- C: The content of the phishing message contained the ADDRESS.
- D: The content of the phishing message contained the ADDRESS and it was obfuscated.
- E: The ADDRESS (usually in the From header) might receive replies but it was not intended to receive the replies.
Note: unless otherwise specified, in order for the ADDRESS to qualify for each TYPE, it must have been intended to receive the replies.
DATE: the date that the ADDRESS was last seen used as the reply address in a phishing campaign. Only one DATE can be listed per line.
If a person on our campus replies to a phishing email and then their account is taken over to send SPAM, and we find this is happening the first things we do is to disable the account and flush the mail queues of the account's outgoing email. At that point in time is is worth while to send to this list the email address of the account from our campus? Likewise by that time is the reply-to email account in the original phishing email still useful to be added to the list?
The Reply-To of the original phish message is worthwhile. These addresses sometimes remain valid for quite some time.
Send contributions to anti-phishing-email-reply-discuss (at) googlegroups.com
(just so all the necessary info is on one page)
So to update or add a new one, just forward the suspicious email to "anti-phishing-email-reply-discuss (at) googlegroups.com " ?