Re: More on phishing

2006-03-09 Thread Philip Prindeville
Philip Prindeville wrote:
> What about flagging HTML that has:
>
> a href=.* onMouseOver=window.status
>
> I.e. any links that attempt to intercept onMouseOver events and override
> the status window should be flagged as suspect...
>
> -Philip


Actually, this seems to work:

rawbody L_PHISH /[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
describe L_PHISH Test for PHISH overwrites the status bar
score L_PHISH   6.0


I suppose I could beef it up with a test to see if __CTYPE_HTML was
set at the same time...

Not sure how case-sensitive JavaScript is to whether onmouseover is the
same as onMouseOver...  I'm not a JS-head.

-Philip


Re: More on phishing

2006-03-09 Thread Kelson

Philip Prindeville wrote:

> Actually, this seems to work:
>
> rawbody L_PHISH /[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
> describe L_PHISH Test for PHISH overwrites the status bar
> score L_PHISH   6.0
>
> I suppose I could beef it up with a test to see if __CTYPE_HTML was
> set at the same time...
>
> Not sure how case-sensitive JavaScript is to whether onmouseover is the
> same as onMouseOver...  I'm not a JS-head.


JavaScript is case sensitive, but HTML is not.  (XHTML, however, is -- 
at least in theory.)


In this syntax, onMouseOver is actually an HTML attribute of the A tag. 
 The value of that attribute, however, contains JavaScript.  So 
onMouseOver, ONMOUSEOVER, onmouseover are all equivalent, but 
window.status has to be in all lower case.


Incidentally, I've never heard of onMouseMouse. Should that be onMouseMove?

--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: More on phishing

2006-03-09 Thread Philip Prindeville
Kelson wrote:
> Philip Prindeville wrote:
>
>> Actually, this seems to work:
>>
>> rawbody L_PHISH /[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)=window\.status=/
>> describe L_PHISH Test for PHISH overwrites the status bar
>> score L_PHISH   6.0
>>
>> I suppose I could beef it up with a test to see if __CTYPE_HTML was
>> set at the same time...
>>
>> Not sure how case-sensitive JavaScript is to whether onmouseover is the
>> same as onMouseOver...  I'm not a JS-head.
>
> JavaScript is case sensitive, but HTML is not.  (XHTML, however, is --
> at least in theory.)
>
> In this syntax, onMouseOver is actually an HTML attribute of the A tag.
> The value of that attribute, however, contains JavaScript.  So
> onMouseOver, ONMOUSEOVER, onmouseover are all equivalent, but
> window.status has to be in all lower case.
>
> Incidentally, I've never heard of onMouseMouse. Should that be onMouseMove?
 

Gah...  Fat fingers.  Yes, onMouseOver or onMouseMove.

Although I've not seen spam containing onMouseMove, looking at:

http://www.w3.org/TR/html4/interact/scripts.html

it would seem to be useful to protect against both.

-Philip


Re: More on phishing

2006-03-09 Thread Loren Wilton
> What about flagging HTML that has:
>
> a href=.* onMouseOver=window.status
>
> I.e. any links that attempt to intercept onMouseOver events and override
> the status window should be flagged as suspect...

That would be nice, but spammers learned long ago (after I wrote rules for
those things) that all you need to do is break the html over two lines and
SA can't catch it, because rawbody can only work on one line at a time.

Loren



Re: More on phishing

2006-03-09 Thread Theo Van Dinter
On Thu, Mar 09, 2006 at 09:38:57PM -0800, Loren Wilton wrote:
> That would be nice, but spammers learned long ago (after I wrote rules for
> those things) that all you need to do is break the html over two lines and
> SA can't catch it, because rawbody can only work on one line at a time.

Just to cancel the misinformation a bit.  SA *can* catch any of this
stuff, it just may not be as easy as writing a RE rule.  It's also worth
noting that rawbody works differently in 3.2 so writing RE rules for
this stuff will be possible/easier when it's released.

-- 
Randomly Generated Tagline:
If you take the plunge, return it by Tuesday.
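
The two technical points raised in this thread (HTML attribute names are case-insensitive while window.status is not, and a one-line-at-a-time regex misses a tag broken across lines) shown as an added Python example; it is not code from any poster or from SpamAssassin. It parses the HTML instead of matching line by line, and the sample message, function names and the quote-tolerant line pattern are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Handlers named in the thread; HTML attribute names are case-insensitive.
HANDLERS = {"onmouseover", "onmousemove"}
# window.status is JavaScript, so it is case-sensitive: no re.I here.
STATUS_WRITE = re.compile(r"window\.status\s*=(?!=)")
# Per-line pattern in the spirit of the thread's rule (optional quote added).
LINE_RULE = re.compile(
    r"(?i:<a\s.*href=.*\bon(?:mouseover|mousemove)=[\"']?)window\.status=")


class StatusBarOverrideFinder(HTMLParser):
    """Collects <a href> tags whose mouse handlers assign window.status."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, and delivers a
        # start tag as one unit even when it spans several source lines.
        if tag != "a":
            return
        attr = {name: value or "" for name, value in attrs}
        if "href" not in attr:
            return
        for name in sorted(HANDLERS.intersection(attr)):
            if STATUS_WRITE.search(attr[name]):
                self.hits.append((attr["href"], name))


def find_overrides(html):
    """Return (href, handler) pairs for anchors that rewrite the status bar."""
    finder = StatusBarOverrideFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def line_rule_hits(html):
    """Count lines matched when the regex sees one line at a time."""
    return sum(1 for line in html.splitlines() if LINE_RULE.search(line))


# Constructed sample: one anchor on a single line, one split over two lines.
SAMPLE = """<a href="http://example.invalid/a" onMouseOver="window.status='https://bank.example/'; return true">x</a>
<A HREF="http://example.invalid/b"
   ONMOUSEMOVE="window.status='https://bank.example/'; return true">y</A>
"""

if __name__ == "__main__":
    print(find_overrides(SAMPLE), line_rule_hits(SAMPLE))
```

On the constructed sample the parser reports both anchors, while the per-line pattern matches only the one written on a single line.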

