On Fri, 27 Apr 2018, Sebastian Arcus wrote:


On 27/04/18 10:49, Sebastian Arcus wrote:
I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in the body of emails:

Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ======> got hit: "http://get.adobe.com";

Would it be possible to add some exception to this rule, as many legitimate emails containing invoice attachments in PDF include the above URL in the body?

It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ======> got hit: "https://mybill.dhl.com";

my{mumble}.mumble.com is targeted. I'll think about that one; the rule isn't scored highly and I could see that helping out to detect DHL phishing.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  the Internal Revenue Service has an "impressive history ... of
  storing [data] carelessly, leaking data through every possible
  conduit, and hiring employees who appear to only marginally prefer
  a career in tax collection over knocking over liquor stores."
                                            -- Reason's J.D. Tuccille
-----------------------------------------------------------------------
 4 days until May Day - Remember 110 million people murdered by Communism
