Without my so much as glancing at the potential false positives, this is
a treasure trove of actual phishing URLs:
http://www.phishtank.com/phish_archive.php
A glance at which tells me that another useful PCRE would be to (pseudo
code follows):
IPADDRESS then (/ character) then stuff including
Roger,
Are you using the SANS phish signatures? Since we started using them we have
seen virtually zero get through.
Darrell
---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com
Schmeits, Roger writes:
What are
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
Roger,
Are you using the SANS phish signatures? Since we started using them we have
seen virtually zero get through.
Darrell
---
fpReview - The quick way to reviewing false positives.
http
, June 06, 2006 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
Roger,
Are you using the SANS phish signatures? Since we started using them we have
seen virtually zero get through.
Darrell
---
fpReview - The quick way
You're seeing a full-size browser window, with a graphic that is the
fake bar, and a form that is designed to look like the address bar.
In other words, they're using fake graphic elements to make you think
you're at the right site.
Yes, block the site.
Also, send a copy of the original spam
Goran,
It's probably DHTML being used to fake an address bar in a window that
doesn't have one, or it is placing a fake address bar on top of the real
one. It might look real, but it isn't. It is safe to blacklist
haukelid.com, and that's all that you need to do about it.
Matt
Goran
Whoops, slip of the finger, there. That second email address should
have been:
[EMAIL PROTECTED]
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
One slight correction here. The domain haukelid.com doesn't belong to
the phisher. This is an active site that was likely just simply hacked
and then the PHP code was placed on it...it's a pretty ingenious way to
get a clean address.
Matt
Goran Jovanovic wrote:
Hi,
I do not understand how
PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, May 12, 2005 4:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Phishing Question
One slight correction here. The domain
I use two things to combat phish.
1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
in January. It's a beast on your CPU utilization as almost every mail will
need to be virus scanned.
2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or
dead now
- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 6:05 AM
Subject: [Declude.JunkMail] phishing- live
Hi;
Phishing.. still alive
http://221.139.2.111/citifi/
Regards,
Kami
email:
: [EMAIL PROTECTED]
WWW: http://www.twu.ca/technology
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 08, 2004 2:23 PM
To: Kami Razvan
Subject: Re: [Declude.JunkMail] Phishing attempt- site is live
We've had this one
We've had this one in Sniffer for a while.
They were originally going after Sun Trust:
Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205
_M
On Tuesday, June 8,
: [Declude.JunkMail] Phishing attempt- site is live
When I went to http://200.97.91.210/citi/ I get a page not found??
Goran Jovanovic
The LAN Shoppe
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
Thanks.
I also added .citibankonline.com: without the quotes to the filter. (Note
the colon.)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, April 24, 2004 8:43 AM
, April 24, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank
Thanks.
I also added .citibankonline.com: without the quotes to the filter. (Note
the colon.)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message
] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, April 24, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank
John,
Do you have a filter that searches for URLs in the BODY and that is what
you added
Not knowing enough about the way WHOIS works, could a test be set up that
would heavily weight any e-mails that come from a New domain? This
would really help the pill/porn pushers
It's something that we would like to do, but automated WHOIS lookups are a
Bad Thing. Domain registrars
lto:[EMAIL PROTECTED]
On Behalf Of Colbeck, Andrew
Sent: Saturday, April 03, 2004 7:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Phishing?
The DNS and web
server for this domain were on dynamic-range hosts and have already been shut
down. The WHOIS registration is a little
Hi Rami-
I think you can safely conclude that when the link
shows a well-formed URL to the viewer and has a different address in the
link that there's something phishy going on.
I wonder if anybody's written something to detect
this?
-Dave
- Original Message -
From:
Kami
We got a copy of this in our system also. Norton detects a virus when
you visit the page.
Matt
Kami Razvan wrote:
Hi;
I just received the following in our info account. I believe it is a
phishing attempt.
Attached is the actual email.
The source:
Title: Message
The DNS and web
server for this domain were on dynamic-range hosts and have already been shut
down. The WHOIS registration is a little more than a week old.
Googling the net-abuse groups turns up:
, February 22, 2004 10:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] phishing scam
Below is what I could figure out how to retrieve from Outlook -- I hate
Outlook. I've never figured out how to get a real 'exact' copy of what was
delivered back out of it the way you can when using any MUA
On Sun, 22 Feb 2004 22:51:34 -0800
John Tolmachoff (Lists) said something about RE: [Declude.JunkMail] phishing scam:
I hate Outlook. I've never figured out how to get a real 'exact' copy
of what was delivered back out of it the way you can when using any MUA
that stores in mbox
Gerald,
There is a great little COM addin available at
http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers
all the time.
Fritz
Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
() ascii ribbon
Below is what I could figure out how to retrieve from Outlook -- I hate
Outlook. I've never figured out how to get a real 'exact' copy of what was
delivered back out of it the way you can when using any MUA that stores in
mbox or maildir format.
Ever try searching the MS KB for view headers?