BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
This is a regular expression. This is a little more complicated than a
straight filter but essentially I am looking for any URL that has a .com in
the middle and then ends with a different domain extension. It will match on
DOMAIN NAME then (end
of line OR / character)
Andrew.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Tuesday, May 15, 2007 2:31 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Phishing
BODY 15 PCRE
What are people doing for phishing scams? We seem to be
getting quite a few and was wondering what people do.
Running declude 3.1.0 Imail 8.05 as a gateway. I
have McAfee, f-prot Clamwin as scanners.
Thanks.
I heard some talk about clamdev ? or something like
that -- did not
Roger,
Are you using the SANS phish signatures? Since we started using we have
seen virtually zero get through.
Darrell
---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com
Schmeits, Roger writes:
What are
,
Roger
Sent: Tuesday, 6 June 2006 15:22
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] phishing
What are people doing for phishing
scams? We seem to be getting quite a few and was wondering what people do.
Running declude 3.1.0
Imail 8.05 as a gateway. I
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
Roger,
Are you using the SANS phish signatures? Since we started using we
have
seen virtually zero get through.
Darrell
---
fpReview - The quick way to reviewing false positives.
http
, June 06, 2006 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
Roger,
Are you using the SANS phish signatures? Since we started using we
have
seen virtually zero get through.
Darrell
---
fpReview - The quick way
Hi,
I do not understand how this is being displayed in IE.
I got a phishing e-mail reported to me and I went to check it out.
This is the HTML text
P class=Estilo6To log into your account and verify your account
activity,
click here: BRA
to:
[EMAIL PROTECTED]
and
[EMAIL PROTECTED]
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question
Goran,
It's probably DHTML being used to fake an address bar in a window that
doesn't have one, or it is placing a fake address bar on top of the real
one. It might look real, but it isn't. It is safe to blacklist
haukelid.com, and that's all that you need to do about it.
Matt
Goran
Subject: [Declude.JunkMail] Phishing Question
Hi,
I do not understand how this is being displayed in IE.
I got a phishing e-mail reported to me and I went to check it out.
This is the HTML text
P class=Estilo6To log into your account and verify your account
activity,
click here: BRA
One slight correction here. The domain haukelid.com doesn't belong to
the phisher. This is an active site that was likely just simply hacked
and then the PHP code was placed on it...it's a pretty ingenious way to
get a clean address.
Matt
Goran Jovanovic wrote:
Hi,
I do not understand how
PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, May 12, 2005 4:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Phishing Question
One slight correction here. The domain
In the current German computer magazine c't an article talks about phishing
with Cyrillic char-sets.
It's possible to combine IDN-Domain names supported by Opera, Firefox and MS
Explorer (IE only with plugin) and Cyrillic char-sets to show up an URL
absolutely like the original one.
More info's
We're running JM+Sniffer and still having some problems with phishes.
Here's the headers of a message that passed through and didn't trip a
single test. Our user got 140 of these in a period of a few hours. He
always seems to be on the front end of these things.
I'm running spf so it didn't fail
occasional phish, but they are pretty rare.
- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, February 16, 2005 1:23 PM
Subject: [Declude.JunkMail] Phishing
We're running JM+Sniffer and still having some problems with phishes
Hello Scott,
Wednesday, February 16, 2005, 2:52:43 PM, you wrote:
SF 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
SF in January. It's a beast on your CPU utilization as almost every mail will
SF need to be virus scanned.
I already run PRESCAN OFF but I'm only
Hi;
Phishing.. still
alive
http://221.139.2.111/citifi/
Regards,
Kami
email:
===
Dear Customer: Recently there have been a large number of cyber attacks
pointing our database servers. In order to safeguard your account, we require
you to sign on immediately. This
http://61.139.77.18/service/html/bin/log/
The above is still
alive.
Regards,
Kami
Message:
==
Subject: [36~]James William from Wellsfargo.com - submfk
Date: Sat, 2 Oct 2004 11:50:12 -0500
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL
dead now
- Original Message -
From:
Kami Razvan
To: [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 6:05
AM
Subject: [Declude.JunkMail] phishing-
live
Hi;
Phishing.. still
alive
http://221.139.2.111/citifi/
Regards,
Kami
email
Hi;
This site is still
active: http://211.174.62.133/verify/index.php
Regards,
Kami
Here is the
body:
X-Note: Spam Score: 1023 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 05:42:25 on 07/02/2004
X-Note: Spool File: D2de8053702661acc.SMD
X-Note: Server Name:
: [EMAIL PROTECTED]
WWW: http://www.twu.ca/technology
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 08, 2004 2:23 PM
To: Kami Razvan
Subject: Re: [Declude.JunkMail] Phishing attempt- site is live
We've had this one
Hi;
The site is live..
a definite phishing attempt.
http://200.97.91.210/citi/"Activate
Regards,
Kami
===
Received: from
82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by
foroosh.com (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04
Hi;
Sorry the last one
I sent apparently does not go to the URL.
Here is the
URL:
http://200.97.91.210/citi/
Regards,
Kami
We've had this one in Sniffer for a while.
They were originally going after Sun Trust:
Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205
_M
On Tuesday, June 8,
: [Declude.JunkMail] Phishing attempt- site is live
When I went to http://200.97.91.210/citi/ I get a page not found??
Goran Jovanovic
The LAN Shoppe
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
Hi;
The following is
the body of an email that was caught by the Fraud spamdomain test we have.
The link is still active.
I am adding a body
filter on: web-da-best.com
Here is the
body:
..nbsp;body bgcolor=3D#ffdiv
align=3D"left"TABLE width=3D520 cellpadding=3D0
Follow up to last
email:
Hi;
The following is
the site:
http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm
Filter on:
citicorp-verification
the site is live
and kicking..
href="">https://www.accountonline.com/Register?siteId=CB"FONT
Hi;
Just received an
email in our spam mailbox.
Filter: pumpkinpieshow.com
Here is the
body:
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing attempt- CitiBank
Hi;
Just received an email in our spam mailbox.
Filter: pumpkinpieshow.com
Here is the body:
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8014000e].
X-RBL-Warning: IPNOTINMX:
X-RBL
, April 24, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank
Thanks.
I also added .citibankonline.com: without the quotes to the filter.
(Note
the colon.)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message
] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, April 24, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank
John,
Do you have a filter that searches for URLs in the BODY and that is what
you added
Not knowing enough about the way WHOIS works, could a test be set up that
would heavily weight any e-mails that come from a New domain? This
would really help the pill/porn pushers
It's something that we would like to do, but automated WHOIS lookups are a
Bad Thing. Domain registrars
lto:[EMAIL PROTECTED]
On Behalf Of Colbeck, Andrew
Sent: Saturday, April 03, 2004 7:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Phishing?
The DNS and web
server for this domain were on dynamic-range hosts and have already been shut
down. The WHOIS registration is a little
Hi;
I just received
the following in our info account. I believe it is a phishing
attempt.
Attached is the
actual email.
The
source:
BODYpimg
src="" width="296" height="51"/ppDear
user!/ppWe are informing you that today, the amount of
$719.00 AUD has been drawn
Razvan
To: [EMAIL PROTECTED]
Sent: Saturday, April 03, 2004 1:17
PM
Subject: [Declude.JunkMail]
Phishing?
Hi;
I just received
the following in our info account. I believe it is a phishing
attempt.
Attached is the
actual email.
The
source
We got a copy of this in our system also. Norton detects a virus when
you visit the page.
Matt
Kami Razvan wrote:
Hi;
I
just received the following in our info account. I believe it is a
phishing attempt.
Attached
is the actual email.
The
source:
: Saturday, April 03, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing?
Hi;
I just received
the following in our info account. I believe it is a phishing
attempt.
Attached is the
actual email.
The
source:
BODYpimg
, February 22, 2004 10:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] phishing scam
Below is what I could figure out how to retrieve from Outlook -- I hate
Outlook. I've never figured out how to get a real 'exact' copy of what was
delivered back out of it the way you can when using any MUA
On Sun, 22 Feb 2004 22:51:34 -0800
John Tolmachoff (Lists) said something about RE: [Declude.JunkMail] phishing scam:
I hate Outlook. I've never figured out how to get a real 'exact' copy
of what was delivered back out of it the way you can when using any MUA
that stores in mbox
Gerald,
There is a great little COM addin available at
http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers
all the time.
Fritz
Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
() ascii ribbon
Got bounced from the list because the DNS pointing to my phorce1.net mail
servers went away. When it didn't come back after 18 hours of me raising
he** I got the DNS admin at the company I work for to set me up on our name
servers so I'd have more control in the future. sigh
Got a VERY clever
Below is what I could figure out how to retrieve from Outlook -- I hate
Outlook. I've never figured out how to get a real 'exact' copy of what was
delivered back out of it the way you can when using any MUA that stores in
mbox or maildir format.
Ever try searching the MS KB for view headers?
43 matches