Dear list, as I didn't get an answer on the users list - maybe it is too advanced? - I want to ask here:

-------- Original Message --------
Subject:        Re: tons of forged bills in german
Date:   Tue, 21 Jan 2014 09:50:13 +0100
From:   Michael Monnerie <lists.michael.monne...@is.it-management.at>
To:     us...@spamassassin.apache.org



On 20.01.2014 09:54, Michael Monnerie wrote:

Dear list, since this week there are tons of very good forged bills that look real, from big companies like Telekom, Vodafone, etc. They look like the original, and just the link in the middle, where it says "download your bill here", goes to a site containing trojans.

I'd like to write rules for the ZMI_GERMAN ruleset; what would be the best way to capture such forgeries? I thought of something like
__VODAFONEgood1 /this is a text from the vodafone bill/
__VODAFONEgood2 /this is another real text from the vodafone bill/
__VODAFONE_URI m{(?:http://|)(?:www\.|)vodafone.de}

meta VODAFONEgood (__VODAFONEgood1 && __VODAFONEgood2) >=2 /* of course there should be more than 2 rules in our set*/

and here I'd need to check for URIs *other than* Vodafone:
meta VODAFONEforged VODAFONEgood && any_uri_except __VODAFONE_URI

I want to say "if there is a bill claiming to be from Vodafone, then there MUST NOT be any link to anything other than https?://vodafone.de". Any idea how I could check for this? Is this possible?

So I want to catch a real-looking vodafone bill that has any URI to
another domain. Also, as Vodafone uses SPF, I'd like to check if I hit
VODAFONEgood && !SPF signature in the mail.
This is complicated, since you believe phishes only have this domain as sender; URL and envelope can match, and this would be great if they do, but it's hard for SpamAssassin to figure out whether domains are forged or not based on this.
I mean: if there's a mail whose context says it's a bill from Vodafone, then it should be from Vodafone and have a correct SPF signature.

Can we check this?

--
Kind regards,
Michael Monnerie, Ing. BSc, Tel: +43 660 415 6531

Protéger.at Internet Services Austria
Web: http://protéger.at and http://proteger.at  Facebook: https://facebook.com/protegerat
Member of the it-management network http://it-management.at
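One way to write the two checks asked for above in SpamAssassin rule syntax, as an added example that is not part of the thread: the body phrases are constructed placeholders to be replaced with text from a real bill, the From:addr check is an assumption that genuine bills are sent from vodafone.de, SPF_PASS is the stock rule from the SPF plugin, and the uri rule uses a negative lookahead so it fires on any http(s) link whose host is not vodafone.de or a subdomain of it.

```conf
# Added example, not from the thread or the ZMI_GERMAN ruleset.
# Text fingerprints of a genuine bill (placeholders; take them from a real bill).
# Names starting with __ are subrules: they carry no score of their own.
body  __VODAFONE_TXT1  /Ihre Vodafone-Rechnung/i
body  __VODAFONE_TXT2  /Rechnung online abrufen/i

# Any http(s) URI whose host is NOT vodafone.de or a subdomain of it.
# 'uri' rules run against every URI SpamAssassin extracts, so one off-brand
# link is enough. The lookahead requires the host to end right after
# vodafone.de (optional port, then / ? # or end), so vodafone.de.example.com
# and http://vodafone.de@example.com/ are still caught.
uri   __URI_NOT_VODAFONE  m{^https?://(?!(?:[a-z0-9-]+\.)*vodafone\.de(?::\d+)?(?:[/?#]|$))}i

# Claimed sender address in vodafone.de (assumption: real bills come from there).
header __FROM_VODAFONE  From:addr =~ /\@(?:[a-z0-9-]+\.)*vodafone\.de$/i

# "Looks like a Vodafone bill": at least two fingerprints hit.
# Add more __VODAFONE_TXTn subrules and raise the threshold for a real set.
meta  __VODAFONE_LOOKALIKE  (__VODAFONE_TXT1 + __VODAFONE_TXT2) >= 2

# Indicator 1: reads like a Vodafone bill but links somewhere else.
meta      VODAFONE_BILL_OFFDOMAIN_URI  __VODAFONE_LOOKALIKE && __URI_NOT_VODAFONE
describe  VODAFONE_BILL_OFFDOMAIN_URI  Looks like a Vodafone bill but links outside vodafone.de
score     VODAFONE_BILL_OFFDOMAIN_URI  3.0

# Indicator 2: reads like a Vodafone bill but the sender domain and a
# passing SPF check do not both confirm it.
meta      VODAFONE_BILL_NO_SPF  __VODAFONE_LOOKALIKE && !(__FROM_VODAFONE && SPF_PASS)
describe  VODAFONE_BILL_NO_SPF  Looks like a Vodafone bill but sender/SPF do not confirm it
score     VODAFONE_BILL_NO_SPF  3.0
```

Test the fragment with `spamassassin --lint` after dropping it into a local .cf file, and check both indicators against a sample of genuine bills before giving them scores that affect delivery.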
