* Marc Perkel wrote (31/08/2005 18:38):
> Getting back to the original topic of this thread. I've improved my
> anti-phishing trick.
> [...]
>
> My current List: - looking for more
[...]
> citibank.com

I don't think this one is correct. I got false positives in SpamAssassin when I first installed SARE rules because of SARE_FORGED_CITI being scored at 104 points. The false positives were from Citibank employees writing business e-mail.

Here's the SARE anti-phishing rule for Citibank (see http://www.rulesemporium.com/rules/70_sare_spoof.cf for a non-munged version). As you can see, it's not identical to your rule.

    # Try to identify CITIBANK spoofs by looking for elements which should always appear.
    # If we have a From and an URL of one of these guys, we should also have a received line to match!
    header   __RCVD_CITIBNK    Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
    header   __FROM_CITIBNK    From =~ /citi(?:bank)?\.com/i
    uri      __URI_CITIBNK     /citi(?:bank)?\.com/i
    meta     SARE_FORGED_CITI  (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
    describe SARE_FORGED_CITI  Message appears to be forged, (citibank.com)
    score    SARE_FORGED_CITI  104.0

There's also nothing stopping Citibank (or anyone else) from changing their servers, but that point has been made.

--
Chris

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
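Added example (not part of the message above, and not SARE or SpamAssassin code): a Python re-implementation of the quoted meta rule's logic, run over constructed messages to show when it fires, including on genuine mail whose relay hostname no longer matches the Received pattern. Assumptions: a simple URL regex stands in for SpamAssassin's URI extraction, and all relay hostnames and addresses are hypothetical.

```python
import re
from email import message_from_string

# Patterns copied from the SARE_FORGED_CITI rule quoted above.
RCVD_CITIBNK = re.compile(r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com", re.I)
FROM_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
URI_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
# Assumption: a simple URL regex stands in for SpamAssassin's URI extraction.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def forged_citi(raw):
    """Evaluate the three sub-tests and the meta rule for one raw message."""
    msg = message_from_string(raw)
    rcvd = any(RCVD_CITIBNK.search(h) for h in msg.get_all("Received", []))
    frm = bool(FROM_CITIBNK.search(msg.get("From", "")))
    uri = any(URI_CITIBNK.search(u) for u in URL_RE.findall(msg.get_payload()))
    # meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
    return {"from": frm, "uri": uri, "rcvd": rcvd, "hit": frm and uri and not rcvd}


def make_message(relay, sender):
    """Build a constructed single-part message relayed through `relay`."""
    return (
        f"Received: from {relay} by mx.example.org; Wed, 31 Aug 2005 18:00:00 +0100\n"
        f"From: {sender}\n"
        "Subject: Account notice\n"
        "\n"
        "Please see http://www.citibank.com/ for details.\n"
    )


# Constructed samples; all relay hostnames and addresses are hypothetical.
SAMPLES = {
    "spoof via unrelated relay": make_message("host.example.net", "service@citibank.com"),
    "genuine, relay matches rule": make_message("mail.citicorp.com", "service@citibank.com"),
    "genuine, relay renamed": make_message("smtp.outsourced.example", "staff@citibank.com"),
    "unrelated sender": make_message("mail.example.com", "alice@example.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:28} {forged_citi(raw)}")
```

The first and third samples produce identical results because the rule sees only hostnames: a genuine sender whose outbound relay falls outside the Received pattern is indistinguishable from a spoof, which at a score of 104 means a certain false positive.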
