I am trying to write a rule that helps catch phishing emails. These emails do NOT have any url spoofing in them. They are pure and simple social engineering.
I have started with the following theory to identify several factors that contribute to an email such as this, which will be expanded if I can get this first groundwork done. Basically, if you have a form in an email and ask for a credit card, etc., it's probably a phish. That's my theory. I almost think any <input> tags are likely to be a scam, but I haven't researched that further to see if there are legitimate companies doing forms in their emails.

However, I am having trouble getting rules like name=password to match. My regexp below seems fine, but just writing name=password in an email doesn't trigger the rule. Any insight would be appreciated, as I imagine it's got to be something SpamAssassin-specific with regexps, or just my brain overworked.

Regards,
KAM

#COMBO rules to catch phishing expeditions
#SWITCH TO __KAM_PHISH AFTER TESTING
#Each partial rule scores 0.15; the meta rule at the end fires when more
#than 6 of the 14 partials hit the same message.
body KAM_PHISH_01 /<input /i
describe KAM_PHISH_01 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_01 0.15

body KAM_PHISH_02 /credit card fail/i
describe KAM_PHISH_02 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_02 0.15

body KAM_PHISH_03 /\bauthoriz/i
describe KAM_PHISH_03 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_03 0.15

body KAM_PHISH_04 /\bname=cc/i
describe KAM_PHISH_04 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_04 0.15

body KAM_PHISH_05 /\bname=cvv/i
describe KAM_PHISH_05 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_05 0.15

body KAM_PHISH_06 /\bname=pin/i
describe KAM_PHISH_06 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_06 0.15

body KAM_PHISH_07 /\bname=date/i
describe KAM_PHISH_07 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_07 0.15

body KAM_PHISH_08 /\bname=year/i
describe KAM_PHISH_08 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_08 0.15

body KAM_PHISH_09 /\bname=month/i
describe KAM_PHISH_09 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_09 0.15

body KAM_PHISH_10 /\btype=submit/i
describe KAM_PHISH_10 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_10 0.15

body KAM_PHISH_11 /\baccount management\b/i
describe KAM_PHISH_11 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_11 0.15

body KAM_PHISH_12 /\bname=password/i
describe KAM_PHISH_12 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_12 0.15

body KAM_PHISH_13 /<form.*action\=.*>/i
describe KAM_PHISH_13 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_13 0.15

body KAM_PHISH_14 /\bname\=username/i
describe KAM_PHISH_14 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_14 0.15

#Combination rule: more than 6 of the partials above must hit
meta KAM_combo_PHISH ((KAM_PHISH_01 + KAM_PHISH_02 + KAM_PHISH_03 + KAM_PHISH_04 + KAM_PHISH_05 + KAM_PHISH_06 + KAM_PHISH_07 + KAM_PHISH_08 + KAM_PHISH_09 + KAM_PHISH_10 + KAM_PHISH_11 + KAM_PHISH_12 + KAM_PHISH_13 + KAM_PHISH_14) > 6)
describe KAM_combo_PHISH KAM - Phishing Expedition Email Probability High
score KAM_combo_PHISH 1.0 #RAISE AFTER MORE TESTING
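The reason a body rule for name=password never fires on an HTML form is that SpamAssassin matches body rules against the rendered text of the message, with HTML tags removed; anything that lives inside a tag (an <input> element, its name= or type= attributes, a <form action=...>) only exists in the view that rawbody rules see. A second, independent miss is that real HTML almost always quotes attribute values (name="password"), so even a rawbody rule written as name=password would not match. The script below is an added example, not code from the original post and not SpamAssassin's own renderer: it is a small evaluator for body/rawbody/meta lines run against a constructed sample phish, with the original-style body rules beside hypothetical rawbody equivalents (the KAM_RAW_* and KAM_COMBO_* names are made up for this example). The HTML-to-text rendering is an approximation that is only meant to reproduce the tags-stripped property of body rules.

```python
"""Added example (not SpamAssassin code, not from the original post): a tiny
rule evaluator showing why a 'body' rule for name=password never fires on an
HTML form. SA 'body' rules see rendered text with HTML tags removed; 'rawbody'
rules see the HTML source. The rendering here is a rough approximation."""
import html
import re

# Constructed sample HTML phish (made up for this example, not a real message).
SAMPLE_HTML = """<html><body>
<p>Your credit card failed authorization. Please re-enter your details
in Account Management below.</p>
<form action="http://example.invalid/verify" method="post">
Card number: <input type="text" name="cc"><br>
CVV: <input type="text" name="cvv"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Authorize">
</form>
</body></html>"""

# Hypothetical rule names. The first of each pair is in the original post's
# style (body, unquoted attribute); the second is a rawbody rule that also
# tolerates name="password" and name='password', which is how HTML is
# usually written.
RULES = r"""
body    KAM_PHISH_01   /<input /i
rawbody KAM_RAW_01     /<input\b/i
body    KAM_PHISH_12   /\bname=password/i
rawbody KAM_RAW_12     /\bname=["']?password\b/i
body    KAM_PHISH_03   /\bauthoriz/i
meta    KAM_COMBO_BODY ((KAM_PHISH_01 + KAM_PHISH_12 + KAM_PHISH_03) > 1)
meta    KAM_COMBO_RAW  ((KAM_RAW_01 + KAM_RAW_12 + KAM_PHISH_03) > 1)
"""

RULE_RE = re.compile(r"^(body|rawbody)\s+(\S+)\s+/(.*)/([ims]*)\s*$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.*\S)\s*$")
FLAG_MAP = {"i": re.I, "m": re.M, "s": re.S}


def render_body(raw_html):
    """Approximate the text a 'body' rule is matched against: tags dropped,
    entities decoded, whitespace collapsed."""
    text = re.sub(r"<[^>]*>", " ", raw_html)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).strip()


def parse_rules(text):
    """Parse body/rawbody/meta lines; describe/score lines and comments are ignored."""
    regex_rules, meta_rules = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            kind, name, pattern, flags = m.groups()
            re_flags = 0
            for f in flags:
                re_flags |= FLAG_MAP[f]
            regex_rules.append((kind, name, re.compile(pattern, re_flags)))
            continue
        m = META_RE.match(line)
        if m:
            meta_rules.append(m.groups())
    return regex_rules, meta_rules


def eval_meta(expr, hits):
    """Evaluate an SA-style meta expression with rule names replaced by 0/1."""
    py = re.sub(r"\b[A-Za-z_]\w*\b", lambda m: str(hits.get(m.group(0), 0)), expr)
    py = py.replace("&&", " and ").replace("||", " or ")
    py = re.sub(r"!(?!=)", " not ", py)
    # Only arithmetic/boolean tokens may remain before handing it to eval().
    if (set(re.findall(r"[A-Za-z]+", py)) - {"and", "or", "not"}
            or re.search(r"[^\w\s()+\-*<>=!]", py)):
        raise ValueError("unsupported meta expression: %r" % expr)
    return int(bool(eval(py, {"__builtins__": {}})))


def evaluate(rule_text, raw_html):
    """Return {rule_name: 0/1} for every rule, matching body rules against the
    rendered text and rawbody rules against the HTML source."""
    regex_rules, meta_rules = parse_rules(rule_text)
    views = {"body": render_body(raw_html), "rawbody": raw_html}
    hits = {}
    for kind, name, rx in regex_rules:
        hits[name] = 1 if rx.search(views[kind]) else 0
    for name, expr in meta_rules:  # metas evaluated in file order, after regex rules
        hits[name] = eval_meta(expr, hits)
    return hits


if __name__ == "__main__":
    for name, hit in evaluate(RULES, SAMPLE_HTML).items():
        print("%-16s %s" % (name, "HIT" if hit else "miss"))
```

Running it shows KAM_PHISH_01 and KAM_PHISH_12 missing while KAM_RAW_01 and KAM_RAW_12 hit, and only the rawbody-based combo crossing its threshold; KAM_PHISH_03 hits in both views because "authorization" is ordinary text, not tag content. For the real rule set, the same experiment is `spamassassin --lint` on the .cf file followed by `spamassassin -t < sample.eml`, whose report lists which rules fired.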
