Re: spamassassin rule to combat phishing

2014-10-29 Thread francis picabia
I've tested the rule: uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?];i is catching this sample newsletter link: Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule URI_MYDOMAIN_PHISH == got hit: http://example.com; Complete email body content in test of newsletter

Re: spamassassin rule to combat phishing

2014-10-29 Thread francis picabia
On Wed, Oct 29, 2014 at 10:27 AM, francis picabia fpica...@gmail.com wrote: I've tested the rule: uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?];i is catching this sample newsletter link: Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule URI_MYDOMAIN_PHISH

Re: spamassassin rule to combat phishing

2014-10-28 Thread francis picabia
On Mon, Oct 27, 2014 at 4:55 PM, John Hardin jhar...@impsec.org wrote: On Mon, 27 Oct 2014, francis picabia wrote: uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i However another spoofed message was received today and the rule did not capture it. If I want to detect

Re: spamassassin rule to combat phishing

2014-10-28 Thread francis picabia
On Tue, Oct 28, 2014 at 11:47 AM, francis picabia fpica...@gmail.com wrote: On Mon, Oct 27, 2014 at 4:55 PM, John Hardin jhar...@impsec.org wrote: On Mon, 27 Oct 2014, francis picabia wrote: uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i However another spoofed

Re: spamassassin rule to combat phishing

2014-10-27 Thread francis picabia
On Fri, Sep 19, 2014 at 2:59 PM, John Hardin jhar...@impsec.org wrote: On Fri, 19 Sep 2014, francis picabia wrote: On Tue, Sep 16, 2014 at 5:27 PM, John Hardin jhar...@impsec.org wrote: On Tue, 16 Sep 2014, francis picabia wrote: Hello, We just received the most authentic looking

Re: spamassassin rule to combat phishing

2014-10-27 Thread John Hardin
On Mon, 27 Oct 2014, francis picabia wrote: uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i However another spoofed message was received today and the rule did not capture it. If I want to detect something in the form of: random_server.example.com.junk I need to wildcard

Re: spamassassin rule to combat phishing

2014-09-19 Thread francis picabia
On Tue, Sep 16, 2014 at 5:27 PM, John Hardin jhar...@impsec.org wrote: On Tue, 16 Sep 2014, francis picabia wrote: Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace,

spamassassin rule to combat phishing

2014-09-16 Thread francis picabia
Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace, and the target link was an exact replica of an ezproxy website we run. The URL domain was only different by a few letters.

Re: spamassassin rule to combat phishing

2014-09-16 Thread John Hardin
On Tue, 16 Sep 2014, francis picabia wrote: Hello, We just received the most authentic looking phishing I've seen. It was professionally written, included a nice signature in the style used by people at my workplace, and the target link was an exact replica of an ezproxy website we run.