That's a tough one. I have never had this certain problem, but when we start having phishing problems, or malware problems for that matter, I really tighten up the content filter. If I haven't unblocked the website and the content filter doesn't have it in its definitions as ok, it gets blocked. You have to do a lot of unblocking, but imo it is better than having to fix a lot of these kinds of problems. I also tighten up the firewall to block a lot of foreign IPs. Another thing that I implemented was Snort, and it notifies me if someone visits anyone on the Spamhaus DROP list or any of the RBN IPs. I would bet money you can easily create a Snort signature that would alert you if a website your user is visiting has similar content to your webmail login website and is not your webmail server.
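A sketch of the signature idea from the post above, added here as an example and not written by the original poster. It uses Snort 2.9 rule syntax; the server address, the page title, the form field name and the sids are constructed placeholders to replace with your own values.

```snort
# snort.conf: address of the real webmail server (constructed value, TEST-NET-1)
ipvar WEBMAIL_SERVERS [192.0.2.10]

# local.rules: alert when an HTTP response body carrying the webmail login
# page title reaches an internal client from any host other than the real
# webmail server. "Example Corp Webmail - Sign In" is a placeholder; use a
# string unique to your own login page.
alert tcp !$WEBMAIL_SERVERS $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL webmail login page served by non-webmail host"; \
    flow:to_client,established; \
    file_data; \
    content:"<title>Example Corp Webmail - Sign In</title>"; nocase; \
    classtype:bad-unknown; \
    sid:1000001; rev:1;)

# Second rule for look-alike pages that change the title but copy the form.
# "webmail_user" is a placeholder for the username field name in your form.
alert tcp !$WEBMAIL_SERVERS $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL webmail login form markup served by non-webmail host"; \
    flow:to_client,established; \
    file_data; \
    content:"<form"; nocase; \
    content:"name=|22|webmail_user|22|"; nocase; distance:0; \
    content:"type=|22|password|22|"; nocase; distance:0; \
    classtype:bad-unknown; \
    sid:1000002; rev:1;)
```

These rules only see cleartext HTTP response bodies, so a copy served over HTTPS is invisible to them unless Snort sits behind a TLS-inspecting proxy. Pick match strings that do not appear on unrelated sites, or the rules will be noisy.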