The other phishing it does not catch are the ones where the end users hosts file has been altered to point secure.ebay.com to a different IP. The only reliable way to catch those I have seen is to compare the originating relayed server with a list of known good ones... which is a kludge as this breaks every time one of the banks, etc changes an IP or adds a server... etc. DCC and SURBL are useless againts these as the URLs and the emails are esseentially legit and will take the user to the correct place if their hosts file is not munged.
Jim On Tue, 22 Mar 2005 17:37:09 -0500, David F. Skoll wrote > The Mailscanner guy has a fairly effective heuristic that really > should be plugged into SpamAssassin. He looks for something like this: > > <a href="http://bogus.site.com/.cgi/ebay/cgi";>https://secure.ebay.com</a> > > Got that? If the URL *text* in the hyperlink doesn't match > the URL in the HREF parameter (modulo some canonicalization and > other munging), flag as a phish. > -- EsisNet.com Webmail Client _______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
