On Mon, 19 Jul 2004 21:23:28 -0500 (CDT), David B Funk <[EMAIL PROTECTED]> wrote: > What are the chances that legitmate eBay, CitiBank, PayPal messages > will contain a URI that uses an IP address rather than proper host names? > (or contain a link to a ".biz", ".info", etc site)
Good question - I would say incredibly low - it doesn't make for good scalability if you're emailing it out to lots of customers, nor is it good branding. > Just make up a meta rule that says 'if From == (eBay|CitiBank|PayPal)' && > ( NORMAL_HTTP_TO_IP || BIZ_TLD ) then PHISH!! Please share! - sharing is caring :) FWIW - I manage the phishing SURBL data source, if you or anyone else has a good feed of these emails I am always interested in the data. We're currently adding quite a lot of addresses each week, however I am certain we're not getting them all! -- Regards, David Hooton
