Kami,

Thank you for the files; this is great! We can use this and customize for us.

Thank you,
Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Monday, February 20, 2006 10:40 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Banks (and Ebay) Phising Filters

Erik:

We have a set of filters as follows:

- Phish_Body_bankName.txt
- Phish_Body_words.txt
- Phish_Header_Bankname.txt
- Phish_TestsFailed.txt

Hope it is not a problem to send zip files (3k) to the list.

[PHISH.EXCEPTION.PAYPAL] filter C:\IMail\Declude\Filters\Phish_Exception_PayPal.txt x 0 0
[PHISH.HEADER.BANKNAME] filter C:\IMail\Declude\Filters\Phish_HEADER_BankName.txt x 0 0
[PHISH.BODY.BANKNAME] filter C:\IMail\Declude\Filters\Phish_Body_BankName.txt x 0 0
[PHISH.BODY.WORDS] filter C:\IMail\Declude\Filters\Phish_Body_Words.txt x 0 0
[PHISH.ATTEMPT] filter C:\IMail\Declude\Filters\Phish_TestsFailed.txt x 1000 0

I reroute any weight of 1000 and more to the admin account for review with PHISH in the subject.

WEIGHT-REDIRECT-FRAUD-S SUBJECT [PHISH: %WEIGHT%]
WEIGHT-REDIRECT-FRAUD-R ROUTETO [EMAIL PROTECTED]

So far we have not had any false positives.. A few happened when people were using ebay response to ask seller options. So we wrote an exception filter. It works like a charm.

We are seeing now clean IP's and new tactics .. Like using:

@secure-chase.com

Our filters were looking for @chase.com - so this is a new set of changes I am making as I am seeing them.

Hope this helps.

Regards,
- Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik
Sent: Friday, February 17, 2006 6:32 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Banks (and Ebay) Phising Filters

Help from you all:

We've set up the following individual filters for major banks that are phishing scams (and ebay.com).

Do you see any problems with using the following (we mark as SPAM at weight 70):

HEADERS END NOTCONTAINS wellsfargo.com
BODY 0 CONTAINS .wellsfargo.com
SUBJECT 30 CONTAINS account
REVDNS 50 NOTENDSWITH .wellsfargo.com
#Give weight back for users that forward or use reply for REAL email from wellsfargo.com
SUBJECT -40 STARTSWITH re:
SUBJECT -40 STARTSWITH fwd:
SUBJECT -40 STARTSWITH fw:

Citibank uses different REVDNS from what we've noticed. The envelope from is "generally" @citibank.com and the REVDNS is .ssmb.com OR .citibank.com or .citicorp.com

How do you all deal with this? Same with SearsCard.com... they are also Citibank and coming from ssmb.com

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
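
Added example, not part of the original thread and not Declude filter syntax: a Python rendering of the weighting discussed above, generalized to several allowed REVDNS suffixes per brand (the Citibank case) and to lookalike sender domains such as secure-chase.com. The brand table, function names and the lookalike weight of 40 are assumptions; 70, 50, 30 and -40 are the weights quoted in the thread.

```python
import re

# Constructed brand table; the Citibank suffixes are the ones named in the thread.
BRANDS = {
    "chase": ("chase.com",),
    "wellsfargo": ("wellsfargo.com",),
    "citibank": ("citibank.com", "citicorp.com", "ssmb.com"),
}
SPAM_WEIGHT = 70       # spam threshold quoted in the thread
LOOKALIKE_WEIGHT = 40  # assumption: not a value from the thread

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain (label-aligned)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def mentions(text, domain):
    """True if text names the domain, but not e.g. purchase.com for chase.com."""
    return re.search(r"(?<![\w-])" + re.escape(domain), text) is not None

def score(mail_from, revdns, subject, body=""):
    """Return (weight, reasons); one pass per brand, like one filter per bank."""
    sender = mail_from.rsplit("@", 1)[-1].lower()
    tokens = set(re.split(r"[.\-]", sender))  # secure-chase.com -> secure, chase, com
    subj, text = subject.lower().strip(), body.lower()
    weight, reasons = 0, []
    for brand, domains in BRANDS.items():
        owned = any(in_domain(sender, d) for d in domains)
        lookalike = brand in tokens and not owned
        if not (owned or lookalike or any(mentions(text, d) for d in domains)):
            continue  # message does not reference this brand
        if lookalike:
            weight += LOOKALIKE_WEIGHT
            reasons.append(f"{sender} imitates {brand}")
        if not any(in_domain(revdns, d) for d in domains):
            weight += 50
            reasons.append(f"REVDNS {revdns} not under {brand} domains")
        if "account" in subj:
            weight += 30
            reasons.append("subject contains 'account'")
        if subj.startswith(("re:", "fwd:", "fw:")):
            weight -= 40
            reasons.append("reply/forward credit")
    return weight, reasons

def is_spam(*args, **kwargs):
    return score(*args, **kwargs)[0] >= SPAM_WEIGHT
```

Matching the brand on whole labels split at dots and hyphens catches secure-chase.com without flagging purchase.com, at the cost of missing run-together names such as securechase.com.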