On 27/04/18 16:22, John Hardin wrote:
> On Fri, 27 Apr 2018, Sebastian Arcus wrote:
>> On 27/04/18 10:49, Sebastian Arcus wrote:
>>> I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com
>>> in the body of emails:
>>>
>>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD
>>> ======> got hit: "http://get.adobe.com"
>>>
>>> Would it be possible to add some exception to this rule, as many
>>> legitimate emails containing invoice attachments in PDF include the
>>> above URL in the body.
>>
>> It also appears to not like some DHL URLs for some reason:
>>
>> Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD
>> ======> got hit: "https://mybill.dhl.com"
>
> my{mumble}.mumble.com is targeted. I'll think about that one; the rule
> isn't scored highly and I could see that helping out to detect DHL
> phishing.

If it is detecting DHL phishing, that is good, but if it is triggering on
both legitimate DHL emails and phishing emails, I'm not sure it is that
useful?
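One way a site can handle false positives like the two above locally, without waiting for an upstream change, is a scored meta rule that offsets URI_TRY_3LD when the hit is on a known-legitimate vendor host. The fragment below is an added example for a local configuration file such as local.cf; it is not from this thread or from the SpamAssassin project's ruleset. The rule names and the -0.5 offset are assumptions: set the score to the negative of whatever URI_TRY_3LD scores in your installed rules.

```conf
# Local SpamAssassin rules (e.g. in local.cf) that offset URI_TRY_3LD's score
# when it hit on a host known to be legitimate for this site.
# Added example, not part of the list thread or the SpamAssassin ruleset.
# Rule names and the -0.5 offset are assumptions; use the negative of
# URI_TRY_3LD's actual score from your installed ruleset.

# Sub-rule (leading "__" means it carries no score of its own). It matches
# only the exact hosts seen in the false positives. The trailing (?:[\/?#]|$)
# anchors the host so that look-alikes such as get.adobe.com.example.test
# (a constructed host) do not match.
uri      __URI_TRY_3LD_KNOWN_OK  /^https?:\/\/(?:get\.adobe|mybill\.dhl)\.com(?:[\/?#]|$)/i

# Fires only when URI_TRY_3LD itself fired and an allowlisted URI is present.
meta     URI_TRY_3LD_KNOWN_OK    (URI_TRY_3LD && __URI_TRY_3LD_KNOWN_OK)
describe URI_TRY_3LD_KNOWN_OK    URI_TRY_3LD hit on a known-legitimate vendor host
score    URI_TRY_3LD_KNOWN_OK    -0.5
```

Run `spamassassin --lint` after adding the rules to check the syntax. Note the limitation: meta rules evaluate per message, not per URI, so the offset also applies to a message that contains both an allowlisted link and some other URI that triggered URI_TRY_3LD. The allowlist is therefore best kept to a few exact hosts whose mail is routinely seen, rather than whole vendor domains.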