Without my so much as glancing at the potential false positives, this is
a treasure trove of actual phishing URLs:

http://www.phishtank.com/phish_archive.php

A glance at which tells me that another useful PCRE would be to (pseudocode
follows):

IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end
of line OR / character)

Andrew.
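The two rules discussed in this thread, as an added example that is not part of either post: David's PCRE copied verbatim, and Andrew's pseudocode rendered as a regex (my construction, as are the FILTER-PHISH-IP name and every sample URL), run over a constructed message body with Python's re module, which accepts this PCRE syntax.

```python
import re

# David Barker's BODY PCRE from the quoted post, verbatim.
DOTCOM_IN_MIDDLE = re.compile(r"http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/)")

# Andrew's pseudocode as a regex (my construction): IPADDRESS then "/",
# then stuff including a DOMAIN NAME, then end of line OR "/".
# Requiring at least two labels before the TLD keeps a bare file name
# such as "index.html" from being mistaken for a domain name.
IP_HOST_WITH_DOMAIN_PATH = re.compile(
    r"http://(?:\d{1,3}\.){3}\d{1,3}/"            # IPADDRESS then "/"
    r"[^\s]*?"                                    # stuff (lazy, no whitespace)
    r"[a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,4}"    # DOMAIN NAME (label.label.tld)
    r"(?:/|$)",                                   # end of line OR "/"
    re.IGNORECASE | re.MULTILINE,
)

# FILTER-PHISH is the name from the quoted log lines; FILTER-PHISH-IP is hypothetical.
RULES = {
    "FILTER-PHISH": DOTCOM_IN_MIDDLE,
    "FILTER-PHISH-IP": IP_HOST_WITH_DOMAIN_PATH,
}


def triggered_rules(body):
    """Return {rule name: [matched URLs]} for every rule that fires on the body."""
    hits = {}
    for name, rx in RULES.items():
        found = [m.group(0) for m in rx.finditer(body)]
        if found:
            hits[name] = found
    return hits


# Constructed message body: one URL from the quoted log, the rest invented.
# The last line is a legitimate-looking multi-label host that still trips
# the ".com." rule, which is the false-positive risk David flagged.
SAMPLE_BODY = """\
Please confirm your account: http://session-401758.nationalcity.com.bigj.at/
Update your details here: http://192.0.2.10/www.example-bank.com/signin
Our site: http://www.example.com/
Regional office: http://www.example.com.au/
Download: http://198.51.100.7/index.html
Mirror: http://files.example.com.mirror.example.net/
"""

if __name__ == "__main__":
    for rule, urls in triggered_rules(SAMPLE_BODY).items():
        for url in urls:
            print(f"Triggered BODY PCRE filter {rule} : {url}")
```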


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Barker
> Sent: Tuesday, May 15, 2007 2:31 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Phishing
> 
> BODY  15      PCRE    (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
> 
> This is a regular expression. This is a little more 
> complicated than a straight filter but essentially I am 
> looking for any URL that has a .com in the middle and then 
> ends with a different domain extension. It will match on
> this:
> 
> http://session-2825275860.nationalcity.com.juuje.io/
> 
> If you had to do a standard filter I would do something like:
> 
> BODY  5       CONTAINS        http://session-
> BODY  10      CONTAINS        .io/
> 
> Some examples of matches (not sure of the levels on FP's yet)
> 
> 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://session-401758.nationalcity.com.bigj.at/
> 
> 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://interactsession-64236.regions.com.usersetup.cn/
> 
> 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://interactsession-0330189132.regions.com.usersetup.tw/
> 
> 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://session-10067.nationalcity.com.portfast.cn/
> 
> 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://interactsession-644893.regions.com.usersetup.io/
> 
> 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://session-8434556.nationalcity.com.05server.cn/
> 
> David Barker
> VP Operations  |  Declude
> Your Email Security is our business
> O: 978.499.2933  x7007
> F: 978.988.1311       
> E: [EMAIL PROTECTED]
> 
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
> type "unsubscribe Declude.JunkMail".  The archives can be 
> found at http://www.mail-archive.com.