Michael sent me a link to Sanesecurity's Phishing and Scam Signatures for the excellent Clam anti virus toolkit which I have tentatively applied to our installation. The results are phenomenal, and we are dropping useless PDF files and other scam attachments at quite a good rate. The first day shows:
190 Email.Stk.Gen592.Sanesecurity.07071801.pdf 172 Email.Stk.Gen628.Sanesecurity.07080703 149 Email.Stk.Gen606.Sanesecurity.07080101.pdf 131 Email.Stk.Gen592.Sanesecurity.07071801.pdf 26 MSRBL-Images/0-0-wfTb 13 MSRBL-Images/0-0-wfTb 3 Html.Phishing.Auction.Gen209.Sanesecurity.06072501 1 MSRBL-SPAM.SpamBlowBack.URL.753 1 MSRBL-Images/3-0-_Hw 1 MSRBL-Images/0-0-wfma 1 MSRBL-Images/0-0-wfWq 1 Email.Stk.Gen621.Sanesecurity.07080603 1 Email.Img.Gen140.Sanesecurity.07080501
The site has a few scripts which can be used to download the required files periodically (don't overdo it: every four or five hours should be more than enough). The script I use sets file permissions and does syslog logging, which is practical. Even though this has been in use for only a day, I can highly recommend these signatures; not a false positive detected yet.