I ran the rule below through the NightlyMassCheck with a 0 HAM hit and a 0
SPAM hit on those corpuses so the technique might not be very prevalent.
However, this rule does trigger on the technique I sent. I want to work on
the nested anchor idea as well but in the meantime, I'd like to hear
feedback on this trigger. It seemed REALLY spammy to me. Anyone get any
hits with this against their HAM or SPAM corpuses?
#PHISHING TEST
rawbody KAM_PHISH1 /u style="cursor: pointer"/
describe KAM_PHISH1 Test for PHISH that changes the cursor
score KAM_PHISH1 0.01
Regards,
KAM
Is there an SA rule that checks for nested anchors? (Either in 3.1 or
SARE.) Any signs of this idiom in ham corpuses?
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
