Philip:
This rule won't hit on the phishing email I was discussing. It doesn't use
a mouseover. It uses a nested a tag to hide to real link. Thanks to
Kenneth Porter, here's my original post:
http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749
P.S. I didn't post it to the tomcat group, I posted it to the Apache
SpamAssassin Users list. Something somewhere is skewed!
Regards,
KAM
rawbody __L_PHISH /<[aA] [hH][rR][eE][fF]=.*
(onMouseOver|onMouseMouse)="window\.status=/
meta L_PHISH (__CTYPE_HTML && __L_PHISH)
describe L_PHISH Test for PHISH overwriting the status bar
score L_PHISH 6.0
and it seems to work well enough...
If anyone wants to drop the score down to 0.01 and tell me how
many hits they get on a high volume site, I'd be fascinated to
know how well it performs elsewhere.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
