X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Sent from: [Revdns: mail.madriveraccess.com] [RemoteHostDomain:
declude.com] [IP: 12.152.254.4] [SenderHost: madriveraccess.com]
X-Note: Spam [v:2.0.6.16] tests: Whitelisted
X-Note: Total spam weight of this E-mail is 0.
X-Note: Scan time: 13:06:25 on 18 Feb 2006
Hi Eric,
I did not see any responses, so here at least is another way to do this.
To catch this style of phish I basically use a three-filter design that Kami
shared a while ago - your mileage will vary, but in my setup, for the few
false positives I have caught, I have another filter to cancel them out.
So for Wells Fargo I have:
#
filter_header_bankname.txt:
REVDNS END ENDSWITH .wellsfargo.com
HEADERS 0 CONTAINS @Wellsfargo.com
#
filter_body_bankname.txt:
TESTSFAILED END NOTCONTAINS filter_header_bankname.txt:
BODY 0 CONTAINS Wells Fargo
#
filter_body_words.txt:
TESTSFAILED END NOTCONTAINS filter_body_bankname.txt:
BODY 0 CONTAINS Password
BODY 0 CONTAINS Protecting the security of your account
BODY 0 CONTAINS recently reviewed your account
BODY 0 CONTAINS regret to inform
BODY 0 CONTAINS restore your account access
BODY 0 CONTAINS security
BODY 0 CONTAINS suspension
etc.
Score the last filter in global.cfg.
-Nick
Erik wrote:
Help from you all:
We've set up the following individual filters for the major banks that are
targets of phishing scams (and ebay.com).
Do you see any problems with using the following (we mark as SPAM at weight
70)?
HEADERS END NOTCONTAINS wellsfargo.com
BODY 0 CONTAINS .wellsfargo.com
SUBJECT 30 CONTAINS account
REVDNS 50 NOTENDSWITH .wellsfargo.com
#Give weight back for users that forward or use reply for REAL email from
wellsfargo.com
SUBJECT -40 STARTSWITH re:
SUBJECT -40 STARTSWITH fwd:
SUBJECT -40 STARTSWITH fw:
Citibank uses a different REVDNS from what we've noticed.
The envelope from is "generally" @citibank.com and the REVDNS is .ssmb.com
OR .citibank.com or .citicorp.com.
How do you all deal with this?
Same with SearsCard.com... they are also Citibank and coming from ssmb.com.
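The two filter designs above (Nick's three-filter chain and Erik's single weighted filter) are Declude configuration, not runnable on their own. Below is an added example, not from either poster and not Declude's own engine, that implements a deliberately simplified evaluator for that filter syntax so both chains can be run against constructed sample messages. Assumptions: string tests are case-insensitive; lines are evaluated top to bottom; a matching line whose weight field is END stops that filter; a filter "fails" (triggers) when any weighted line matches; TESTSFAILED holds the names of filters that have already triggered (names are used without the ".txt:" suffix shown in Nick's post); and a filter's score is the sum of its matching line weights plus a per-filter global weight standing in for global.cfg. The sample messages, host names and URLs are constructed for the example.

```python
"""Toy evaluator for the Declude-style filter chains posted in this thread.

Simplified semantics assumed here (not Declude's real engine): case-insensitive
matching, top-to-bottom evaluation, END stops the filter, a filter triggers when
any weighted line matches, and TESTSFAILED lists filters that already triggered.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Message:
    revdns: str   # reverse DNS of the sending host
    headers: str  # raw header block
    subject: str
    body: str


@dataclass
class Filter:
    name: str
    lines: list[str] = field(default_factory=list)
    global_weight: int = 0  # stands in for the weight given in global.cfg


def _field(test: str, msg: Message, failed: set[str]) -> str:
    """Return the text a test keyword operates on."""
    if test == "TESTSFAILED":
        return " ".join(sorted(failed))
    return getattr(msg, test.lower())


def _match(op: str, value: str, needle: str) -> bool:
    v, n = value.lower(), needle.lower()
    return {
        "CONTAINS": n in v, "NOTCONTAINS": n not in v,
        "ENDSWITH": v.endswith(n), "NOTENDSWITH": not v.endswith(n),
        "STARTSWITH": v.startswith(n),
    }[op]


def run_filter(flt: Filter, msg: Message, failed: set[str]) -> tuple[bool, int]:
    """Evaluate one filter file; return (triggered, score)."""
    score, triggered = 0, False
    for raw in flt.lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        test, weight, op, needle = line.split(None, 3)
        if not _match(op, _field(test, msg, failed), needle):
            continue
        if weight == "END":      # matching END line stops this filter
            break
        score += int(weight)
        triggered = True
    if triggered:
        score += flt.global_weight
    return triggered, score


def score_message(filters: list[Filter], msg: Message) -> tuple[int, set[str]]:
    """Run filters in order, feeding each one the set of filters that already fired."""
    failed: set[str] = set()
    total = 0
    for flt in filters:
        triggered, score = run_filter(flt, msg, failed)
        if triggered:
            failed.add(flt.name)
            total += score
    return total, failed


def is_spam(filters: list[Filter], msg: Message, threshold: int = 70) -> bool:
    return score_message(filters, msg)[0] >= threshold


# Nick's chain: header mismatch -> bank name in body -> phish phrases (scored last).
NICK_CHAIN = [
    Filter("filter_header_bankname", [
        "REVDNS END ENDSWITH .wellsfargo.com",
        "HEADERS 0 CONTAINS @Wellsfargo.com"]),
    Filter("filter_body_bankname", [
        "TESTSFAILED END NOTCONTAINS filter_header_bankname",
        "BODY 0 CONTAINS Wells Fargo"]),
    Filter("filter_body_words", [
        "TESTSFAILED END NOTCONTAINS filter_body_bankname",
        "BODY 0 CONTAINS Password",
        "BODY 0 CONTAINS Protecting the security of your account",
        "BODY 0 CONTAINS recently reviewed your account",
        "BODY 0 CONTAINS regret to inform",
        "BODY 0 CONTAINS restore your account access",
        "BODY 0 CONTAINS security",
        "BODY 0 CONTAINS suspension"], global_weight=70),
]

# Erik's single filter with the Re:/Fwd: credit.
ERIK_CHAIN = [Filter("wellsfargo", [
    "HEADERS END NOTCONTAINS wellsfargo.com",
    "BODY 0 CONTAINS .wellsfargo.com",
    "SUBJECT 30 CONTAINS account",
    "REVDNS 50 NOTENDSWITH .wellsfargo.com",
    "SUBJECT -40 STARTSWITH re:",
    "SUBJECT -40 STARTSWITH fwd:",
    "SUBJECT -40 STARTSWITH fw:"])]

# Constructed sample messages (hosts and URLs are made up for this example).
PHISH_BODY = ("Dear Wells Fargo Online customer, we recently reviewed your account and "
              "regret to inform you that access has been limited. Protecting the security "
              "of your account is our priority: to restore your account access and avoid "
              "suspension, confirm your password at "
              "http://www.wellsfargo.com.secure-login.example/")
PHISH = Message("host12.example-hosting.net",
                "From: Wells Fargo <security@wellsfargo.com>\nTo: customer@example.net",
                "Your account has been suspended", PHISH_BODY)
FORWARDED_PHISH = Message(PHISH.revdns, PHISH.headers,
                          "Re: Your account has been suspended", PHISH_BODY)
LEGIT = Message("mail.wellsfargo.com",
                "From: Wells Fargo <alerts@wellsfargo.com>\nTo: customer@example.net",
                "Your account statement is ready",
                "Your Wells Fargo Online statement is available at "
                "https://online.wellsfargo.com/ - please protect your password.")

if __name__ == "__main__":
    for label, msg in [("phish", PHISH), ("forwarded phish", FORWARDED_PHISH), ("legit", LEGIT)]:
        print(label, "nick:", score_message(NICK_CHAIN, msg), "erik:", score_message(ERIK_CHAIN, msg))
```

Running it shows the difference in the two designs on the constructed samples: the phish scores 70 under Nick's chain and 80 under Erik's filter, the legitimate mail scores 0 and 30, and the same phish with "Re:" prefixed to its subject still scores 70 under Nick's chain but drops to 40 under Erik's, below his 70 threshold, because the -40 credit is keyed on the subject prefix alone and nothing in that filter ties it to a real reply.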
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.