David:

After testing and researching this rule for a few days, I found it has pretty high FPs almost always on legitimate advertisements and mailing lists as well as aggregated news reports. A lot of them seem to use URL shortening techniques à la tinyurl that cause this issue to rear its head. I don't think this is a good rule.

Regards,
KAM

----- Original Message -----
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, March 09, 2006 9:25 PM
Subject: Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick

> Philip Prindeville wrote:
>
> > * sometimes someone will send out HTML that will look like:
> > <a href="http://www.foo.com/...">http://www.bar.com/...</a>
>
> We've had a fair bit of luck with a variant of this:
>
> # Catch common phishing sequence
> full HTTP_CLAIMS_HTTPS /<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:/is
> describe HTTP_CLAIMS_HTTPS HTTP link claiming to be HTTPS -- Phish
> score HTTP_CLAIMS_HTTPS 5
>
> That's an HTTP link whose text claims to be an HTTPS link, like this:
>
> <a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a>
>
> You can see our catches at:
>
> http://www.roaringpenguin.com/canit/showtrap.php?status=spam&r=HTTP_CLAIMS
>
> (login demo/demo)
>
> Of course, our Bayes data nails most phishing scams now too...
>
> Regards,
>
> David.
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID. You may ignore it.
>
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list [email protected]
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

