Philip Prindeville wrote:

> * sometimes someone will send out HTML that will look like:
>   <a href="http://www.foo.com/...">http://www.bar.com/...</a>

We've had a fair bit of luck with a variant of this:

# Catch common phishing sequence
full HTTP_CLAIMS_HTTPS  /<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:/is
describe HTTP_CLAIMS_HTTPS HTTP link claiming to be HTTPS -- Phish
score HTTP_CLAIMS_HTTPS 5

That's an HTTP link whose text claims to be an HTTPS link, like this:

<a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a>

You can see our catches at:

http://www.roaringpenguin.com/canit/showtrap.php?status=spam&r=HTTP_CLAIMS

(login demo/demo)

Of course, our Bayes data nails most phishing scams now too...

Regards,

David.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
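
An added example, not part of the original message or of Roaring Penguin's rule set: it runs the HTTP_CLAIMS_HTTPS pattern quoted above over constructed HTML samples and compares it with a parser-based check of the same idea (href scheme versus the scheme shown in the link text). The names LinkAudit, http_claims_https and compare are hypothetical, and all sample hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Pattern from the rule in the message; Perl /is becomes re.I | re.S.
RULE = re.compile(r'<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:', re.I | re.S)

class LinkAudit(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def http_claims_https(html):
    """Return links whose href scheme is http but whose text shows https://."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.links
            if urlsplit(href).scheme.lower() == "http"
            and re.search(r"https://", text, re.I)]

# Constructed samples (documentation addresses and example domains).
SAMPLES = {
    "phish": '<a href="http://192.0.2.7/fake/login">https://secure.example.com</a>',
    "honest_https": '<a href="https://secure.example.com/">https://secure.example.com</a>',
    "honest_http": '<a href="http://www.example.org/">http://www.example.org/</a>',
    # The href really is HTTPS, but "http:" appears inside its query string.
    "redirect_param": '<a href="https://www.example.com/go?u=http://example.org/">https://www.example.com</a>',
}

def compare():
    """Map sample name -> (regex rule fired, parser check fired)."""
    return {name: (bool(RULE.search(html)), bool(http_claims_https(html)))
            for name, html in SAMPLES.items()}
```

On these samples both checks fire on the phish and stay quiet on the honest links; the regex also fires on redirect_param, a false positive the scheme comparison avoids.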
