On Tue, 2 Mar 2010, Chip M. wrote:
Since these started, they've had 19 of these phish:
1 "Bank of America"<supp...@boa.com>
1 "PayPaI"<upd...@paypai.com>
1 "Paypal Inc."<cust_s...@paypalsecurity.com>
1 "serv...@irs.gov"<serv...@irs.gov>
1 "serv...@paypal.com"<c>
1 "serv...@paypal.com"<secur...@act.embarqservices.net>
3 "serv...@paypal.com"<Security>
1 "U.S. Bancorp"<off...@usb.com>
1 "Wachovia"<supp...@wachovia.com>
1 "Wells Fargo Online"<ofsreponline.al...@wellsfargo.com>
1 Bank of America <memberserv...@bofa.com>
2 Bank of America <serv...@boa.com>
1 Bank of America<memberserv...@boa.com>
1 Internal Revenue Service<service.refun...@irss.com>
1 Western Union<memberserv...@poste.it>
1 Western Union<memberserv...@wumts.com>
In that same sample, I found only 3 hams with base64
application/octet-stream html attachments.
I've had all the component rules in my sandbox for a while, but I just
added one that combines the above two signs. Would you be willing to test
this and see how well it does in practice? Scores are appropriate for
experimental rules, rescore as you see fit, comments solicited.
I don't know why the OBFU_*_ATTACH rules aren't showing up in ruleqa, I've
had them in my sandbox for _months_...
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Attachment whose filename says HTML/text/document/PDF but whose declared
# MIME type is the generic application/octet-stream (one rule per line)
mimeheader OBFU_HTML_ATTACH Content-Type =~ m,application/octet-stream;.+\.html?\b,i
describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,application/octet-stream;.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
mimeheader OBFU_DOC_ATTACH Content-Type =~ m,application/octet-stream;.+\.(?:doc|rtf)\b,i
describe OBFU_DOC_ATTACH MS Document attachment with generic MIME type
score OBFU_DOC_ATTACH 0.25
mimeheader OBFU_PDF_ATTACH Content-Type =~ m,application/octet-stream;.+\.pdf\b,i
describe OBFU_PDF_ATTACH PDF attachment with generic MIME type
score OBFU_PDF_ATTACH 0.25
# Combination: FROM_MISSPACED is a separate sandbox rule, not defined in this block
meta OBFU_ATTACH_MISSP FROM_MISSPACED && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH)
describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
endif
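To see why the combined rule is needed (an octet-stream HTML attachment alone also shows up in ham), here is an added Python re-implementation of the rule logic above run over two constructed messages; it is not part of the original post or of SpamAssassin, and the FROM_MISSPACED regex is an assumed approximation (display name glued to "<addr>" with no space), since that rule is not shown in the post.

```python
import email
import re

# Constructed samples (not real messages). The phish-style one carries an HTML
# attachment labelled application/octet-stream and a From header with no space
# before '<'; the ham-style one has the same attachment but a normal From.
PHISH = b'''From: "Bank of America"<support@example.invalid>
Subject: Account notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached form.
--b1
Content-Type: application/octet-stream; name="form.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
'''
HAM = PHISH.replace(b'"Bank of America"<', b'"Bank of America" <')

# The mimeheader rules from the post, as Python regexes over Content-Type.
OBFU_RULES = {
    "OBFU_HTML_ATTACH": re.compile(r"application/octet-stream;.+\.html?\b", re.I),
    "OBFU_TEXT_ATTACH": re.compile(r"application/octet-stream;.+\.txt\b", re.I),
    "OBFU_DOC_ATTACH": re.compile(r"application/octet-stream;.+\.(?:doc|rtf)\b", re.I),
    "OBFU_PDF_ATTACH": re.compile(r"application/octet-stream;.+\.pdf\b", re.I),
}
# Assumed approximation of FROM_MISSPACED: display name glued to "<addr>".
FROM_MISSPACED = re.compile(r"\S<[^>]+>\s*$")


def hits(raw: bytes) -> set:
    """Return the set of rule names that fire on one raw RFC 822 message."""
    # The default (compat32) policy keeps header values verbatim; the modern
    # policy would re-insert the missing space and hide the misspacing.
    msg = email.message_from_bytes(raw)
    fired = set()
    if FROM_MISSPACED.search(msg.get("From", "")):
        fired.add("FROM_MISSPACED")
    for part in msg.walk():  # mimeheader checks the header of every MIME part
        ct = part.get("Content-Type", "")
        fired.update(n for n, rx in OBFU_RULES.items() if rx.search(ct))
    # The meta rule: misspaced From AND any obfuscated attachment type.
    if "FROM_MISSPACED" in fired and fired & set(OBFU_RULES):
        fired.add("OBFU_ATTACH_MISSP")
    return fired
```

The ham sample fires only OBFU_HTML_ATTACH, the phish sample fires the meta rule as well, which is the separation the combined rule is meant to buy.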
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79