Re: [SAtalk] rule to catch phishermen?
At 02:39 PM 1/26/04 -0500, Kurt Yoder wrote:
> <snip>
>   body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
>   score PHISHERMEN 5.0
> <snip>

Don't use the body rule type. SA removes all HTML tags before running body. Use uri instead of body.

It also seems you're just going to catch any URL which has a username involved, but it's tough for me to follow that regex without caffeine... Why not just look for the malware codes directly? (i.e. the %01)

---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] rule to catch phishermen?
OK, here's what I finally came up with and tested against the phish email. The rule worked in identifying the misleading URL but didn't trigger when I put in various legitimate-looking test user names in front of the @. I tested against

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]

using

  #try to detect phishing schemes and penalize as spam
  uri PHISHERMEN /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
  describe PHISHERMEN probable web url disguised as another url for phishing
  score PHISHERMEN 3.0

This rule could use improvement; any regex gurus want to give some hints? Specifically, I'd like to look for any = and/or ? between the fake domain (in this example www.fdic.gov) and the @. So the regex would trigger on jumbles of characters simulating HTTP GET URLs.

--
Kurt Yoder
Sport Health network administrator
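An added Python example (not code from the thread or from SpamAssassin) that exercises the sample link and Kurt's final uri rule: it decodes the quoted-printable href the way the mail is actually stored, runs Kurt's regex over the extracted URI, and adds two checks of my own, one requiring an =, ?, % or control byte between the look-alike domain and the @ as Kurt asked about, and one flagging any userinfo that itself looks like a hostname. The restored <a> tag around the href, the TIGHT_RULE regex, the userinfo heuristic and the 2.0 scores are my assumptions; only the 3.0 score and KURT_RULE come from the thread.

```python
import quopri
import re
from urllib.parse import urlsplit

# Constructed sample: the quoted-printable HTML from the thread with the <a> tag
# restored (the list archive stripped it). "=3D" is '=', "=01" is byte 0x01 and
# the trailing "=" is a QP soft line break, so the body decodes to one <a>...</a>.
RAW_QP = (b'<a href=3Dhttp://www.fdic.gov=01@211.191.98.216:3180/index.htm>htt=\n'
          b'p://www.fdic.gov/idverify/cgi-bin/index.htm</a>')

# Kurt's final "uri" rule from the thread, transcribed to Python re syntax.
KURT_RULE = re.compile(r'http://www\.(\w*?\.)*[a-zA-Z]{2,10}?[^/\s]*?@')

# Assumed tightening (mine, not from the thread): after a look-alike host the
# text before '@' must contain '=', '?', '%' or a control byte, i.e. a faked GET
# query or the %01 trick, so a plain username such as user@ does not fire it.
TIGHT_RULE = re.compile(
    r'https?://(?:[\w-]+\.)+[a-zA-Z]{2,10}[^/\s@]*[=?%\x00-\x1f][^/\s@]*@')


def extract_uris(html: bytes) -> list:
    """Decode QP and pull href targets, roughly what SA's 'uri' rules get to see."""
    text = quopri.decodestring(html).decode('latin-1')
    return re.findall(r'''href=["']?([^"'\s>]+)''', text)


def userinfo_looks_like_host(uri: str) -> bool:
    """True when the userinfo part (before '@') itself looks like a dotted hostname."""
    user = urlsplit(uri).username          # None when the authority has no '@'
    return user is not None and re.search(r'(?:[\w-]+\.)+[a-zA-Z]{2,10}', user) is not None


def score(uri: str) -> float:
    """Kurt's 3.0 for his rule plus an assumed 2.0 for each of the added checks."""
    total = 0.0
    if KURT_RULE.search(uri):
        total += 3.0
    if TIGHT_RULE.search(uri):
        total += 2.0
    if userinfo_looks_like_host(uri):
        total += 2.0
    return total


if __name__ == '__main__':
    for uri in extract_uris(RAW_QP) + ['http://www.fdic.gov/idverify/cgi-bin/index.htm',
                                       'http://user@www.example.com/']:
        print(f'{score(uri):>4}  {uri!r}')
```

Note that urlsplit treats a ? before the @ as the start of the query, so a URI like http://www.fdic.gov?id=1@host trips the two regexes but not the userinfo check; the regexes are what SA would apply to the raw link text.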
[SAtalk] rule to catch phishermen?
Hi fellow assassins... I recently received an FDIC phish scam mail (tagged as spam by SA, which is good) with this embedded URL:

  <a href=3Dhttp://[EMAIL PROTECTED]:3180/index.htm>htt=
  p://www.fdic.gov/idverify/cgi-bin/index.htm</a>

This seems like it could be a pattern worth tagging for many points. Almost no legitimate mail will include a URL with a misleading destination like this, right? So what kind of rule will catch this? Here's my first attempt:

  body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
  score PHISHERMEN 5.0

I don't know if I wrote it right; I'm not a regex genius. Here's what I'm trying to do:

  http://
  non-greedily followed by any number of alphanumeric characters followed by .
  the previous two expressions should repeat at least once
  non-greedily followed by between two and ten alpha characters (the faked top level domain)
  followed by any characters other than spaces or /
  followed by @

So, can you regex and Spamassassin geniuses provide feedback on my rule? Will it work to catch these phishermen? Will it avoid tagging legitimate URLs?

Thanks

--
Kurt Yoder
Sport Health network administrator
[SAtalk] rule to catch phishermen?
Hi fellow assassins... I recently received an FDIC phish scam mail (tagged as spam by SA, which is good) with this embedded URL:

  <a href=3Dhttp://www.fdic.gov=01 (inserting this into the middle of the url so the list malware scanner doesn't reject it) @211.191.98.216:3180/index.htm>htt=
  p://www.fdic.gov/idverify/cgi-bin/index.htm</a>

This seems like it could be a pattern worth tagging for many points. Almost no legitimate mail will include a URL with a misleading destination like this, right? So what kind of rule will catch this? Here's my first attempt:

  body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
  score PHISHERMEN 5.0

I don't know if I wrote it right; I'm not a regex genius. Here's what I'm trying to do:

  http://
  non-greedily followed by any number of alphanumeric characters followed by .
  the previous two expressions should repeat at least once
  non-greedily followed by between two and ten alpha characters (the faked top level domain)
  followed by any characters other than spaces or /
  followed by @

So, can you regex and Spamassassin geniuses provide feedback on my rule? Will it work to catch these phishermen? Will it avoid tagging legitimate URLs?

Thanks

--
Kurt Yoder
Sport Health network administrator