Re: [SAtalk] rule to catch phishermen?

2004-01-28 Thread Matt Kettler
At 02:39 PM 1/26/04 -0500, Kurt Yoder wrote:
<snip>
body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
score PHISHERMEN 5.0
<snip>

Don't use the body rule type. SA removes all HTML tags before running body.

Use uri instead of body.

It also seems you're just going to catch any URL which has a username 
involved, but it's tough for me to follow that regex without caffeine...

Why not just look for the malware codes directly? (i.e. the %01)



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
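To illustrate Matt's point about body versus uri rules, here is an added Python sketch (not part of the thread and not SpamAssassin's own rendering code). It strips the tags the way a body rule's input has them removed, pulls out the hrefs the way a uri rule sees them, and runs Kurt's first-attempt regex over both. The HTML, the 203.0.113.5 host and the user names are constructed; the tag stripping is a deliberately crude stand-in for SpamAssassin's renderer.

```python
import re

# Kurt's first-attempt regex from the post, transcribed into Python syntax unchanged.
PHISHERMEN = re.compile(r'http://(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@')

# Constructed phishing HTML modelled on the post. 203.0.113.5 is a documentation
# address standing in for the real phishing host; %01 is the control byte Matt mentions.
PHISH_HTML = (
    '<p>Please verify your account at '
    '<a href="http://www.fdic.gov%01@203.0.113.5:3180/index.htm">'
    'http://www.fdic.gov/idverify/cgi-bin/index.htm</a> today.</p>'
)

TAG = re.compile(r'<[^>]+>')
HREF = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def rendered_text(html):
    """Crude stand-in for what a `body` rule sees: the message with HTML tags removed.
    SpamAssassin's real HTML renderer is more elaborate, but it also discards hrefs."""
    return TAG.sub('', html)


def hrefs(html):
    """Crude stand-in for what a `uri` rule sees: every href target in the message."""
    return HREF.findall(html)


def body_rule_hits(html):
    """Would a body rule carrying Kurt's regex fire on this message?"""
    return PHISHERMEN.search(rendered_text(html)) is not None


def uri_rule_hits(html):
    """Which hrefs would a uri rule carrying Kurt's regex fire on?"""
    return [u for u in hrefs(html) if PHISHERMEN.search(u)]


def rule_matches(uri):
    """Apply Kurt's regex to a single URI."""
    return PHISHERMEN.search(uri) is not None


if __name__ == '__main__':
    print('text seen by a body rule:', rendered_text(PHISH_HTML))
    print('body rule fires:', body_rule_hits(PHISH_HTML))
    print('uri rule fires on:', uri_rule_hits(PHISH_HTML))
    # Constructed non-phishing URIs with a user name in the authority part.
    for u in ('http://john.doe@ftp.example.com/pub/', 'http://ftpuser@ftp.example.com/'):
        print(u, '->', rule_matches(u))
```

Running it shows the body rule never fires, because the deceptive href is gone by the time the body text is built; the uri rule hits the href. The last two calls show the side effect Matt mentions: a dotted user name before the @ matches even with no deception involved, while a plain user name does not, since the regex requires at least one dot before the @.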


Re: [SAtalk] rule to catch phishermen?

2004-01-27 Thread Kurt Yoder
OK, here's what I finally came up with and tested against the phish
email. The rule worked in identifying the misleading url but didn't
trigger when I put in various legitimate looking test user names
in front of the @. I tested against

[EMAIL PROTECTED]
[EMAIL PROTECTED]

using

#try to detect phishing schemes and penalize as spam
uri      PHISHERMEN  /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
describe PHISHERMEN  probable web url disguised as another url for phishing
score    PHISHERMEN  3.0

This rule could use improvement; any regex gurus want to give some
hints? Specifically, I'd like to look for any = and/or ? between
the fake domain (in this example www.fdic.gov) and the @. So the
regex would trigger on jumbles of characters simulating http GET
url's.

-- 
Kurt Yoder
Sport & Health network administrator



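Kurt asks how to tighten the rule so it keys on what sits between the fake domain and the @. As an added example (not the thread's code and not a SpamAssassin rule), the following Python splits each URI with urllib.parse and inspects the userinfo component directly, which generalises the regex: it flags a userinfo that looks like a hostname under Kurt's own definition (dotted labels ending in 2 to 10 letters), or one that carries a control byte such as %01 or an = sign. The sample URIs and the 203.0.113.5 host are constructed.

```python
import re
from urllib.parse import urlsplit

# Kurt's notion of a faked domain: one or more dotted labels ending in 2-10 letters,
# followed by the end of the userinfo or a non-word character such as ':' or '%'.
LOOKS_LIKE_HOST = re.compile(r'^(\w+\.)+[a-zA-Z]{2,10}(?=\W|$)')
# A percent-encoded C0 control (%00-%1F), a raw control byte, or a literal '='
# has no business in a login name; the %01 trick from the post relies on the first.
CONTROL_OR_EQUALS = re.compile(r'%[01][0-9A-Fa-f]|[\x00-\x1f]|=')


def classify_uri(uri):
    """Return (reason, real_host) when the URI's userinfo is deceptive, else None.
    real_host is where the link actually goes, which is what an analyst wants logged."""
    parts = urlsplit(uri)
    if parts.scheme not in ('http', 'https') or parts.username is None:
        return None  # no userinfo at all, so nothing to disguise
    userinfo = parts.username
    if CONTROL_OR_EQUALS.search(userinfo):
        return ('control character or "=" in userinfo', parts.hostname)
    if LOOKS_LIKE_HOST.match(userinfo):
        return ('userinfo looks like a hostname', parts.hostname)
    return None


def scan_uris(uris):
    """Run classify_uri over a list of URIs and return (uri, reason, real_host) for hits."""
    hits = []
    for uri in uris:
        verdict = classify_uri(uri)
        if verdict is not None:
            hits.append((uri, *verdict))
    return hits


# Constructed samples; 203.0.113.5 is a documentation address standing in for the phishing host.
SAMPLE_URIS = [
    'http://www.fdic.gov%01@203.0.113.5:3180/index.htm',  # the trick from the post
    'http://www.fdic.gov@203.0.113.5/index.htm',          # same without the control byte
    'http://www.fdic.gov=idverify@203.0.113.5/',           # the '=' variant Kurt asks about
    'http://ftpuser:secret@ftp.example.com/',              # ordinary credentials: allowed
    'http://www.example.com/path?reply=joe@example.com',   # '@' in the query, not the authority
    'mailto:joe@example.com',                              # not a web URI
    'http://john.doe@ftp.example.com/',                    # dotted login name: still flagged
]

if __name__ == '__main__':
    for uri, reason, host in scan_uris(SAMPLE_URIS):
        print(f'{uri}\n    -> {reason}; actually goes to {host}')
```

Two caveats worth knowing. Under RFC 3986 a `?` terminates the authority, so a URI like `http://www.fdic.gov?x=1@...` resolves to www.fdic.gov and urlsplit never places the `?` in the userinfo; the `=` and control-character cases do reach it, which is why only those are checked. And the hostname heuristic still flags `john.doe@`, the same trade-off Matt points out for the regex; parsing the authority rather than regex-matching the raw text at least stops an `@` in a path or query from counting. To deploy this inside SpamAssassin you would still have to express the test as a uri regex or a plugin; here it is a stand-alone check of the logic.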


[SAtalk] rule to catch phishermen?

2004-01-26 Thread Kurt Yoder

Hi fellow assassins...

I recently received an FDIC phish scam mail (tagged as spam by SA
which is good) with this embedded url:

<a href=3Dhttp://www.fdic.gov=01
(inserting this into the middle of the url so the list malware
scanner doesn't reject it)
@211.191.98.216:3180/index.htm>htt=
p://www.fdic.gov/idverify/cgi-bin/index.htm</a>

This seems like it could be a pattern worth tagging for many points.
Almost no legitimate mail will include a url with a misleading
destination like this, right? So what kind of rule will catch this?
Here's my first attempt:

body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
score PHISHERMEN 5.0

I don't know if I wrote it right; I'm not a regex genius. Here's
what I'm trying to do:

http://

non-greedily followed by any number of alphanumeric characters

followed by .

the previous two expressions should repeat at least once

non-greedily followed by between two and ten alpha characters (the
faked top level domain)

followed by any characters other than spaces or /

followed by @



So, can you regex and Spamassassin geniuses provide feedback on my
rule? Will it work to catch these phishermen? Will it avoid tagging
legitimate url's?

Thanks


-- 
Kurt Yoder
Sport & Health network administrator


