Daniel Quinlan said:
> I tried writing such a rule before phishing became common (just trying
> to match spam) and it was not a great success due to false positives on
> legitimate mail, but I think the idea has merit. At worst, it could be
> restricted to commonly phished sites like paypal.
>
Daniel,

How about this rule? Simpler, dumber, but should do the trick:

--------------------------------------------
header PAYPAL_RECEIVED Received =~ /paypal\.com/i
describe PAYPAL_RECEIVED Received from a paypal site
score PAYPAL_RECEIVED .01

#from
header PAYPAL_FROM From =~ /paypal\.com/i
describe PAYPAL_FROM Sent from paypal address
score PAYPAL_FROM 0.1

meta PAYPAL_SPOOF (!PAYPAL_RECEIVED && PAYPAL_FROM)
describe PAYPAL_SPOOF Mail pretending to be sent from paypal
score PAYPAL_SPOOF 10
------------------------------------------------

--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
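Added example, not part of the original post and not SpamAssassin's own code: a small Python model of the three rules above, run over constructed messages to show which combinations fire PAYPAL_SPOOF, including the legitimate-mail false positive mentioned in the quoted text. The hostnames, addresses and the `make`/`evaluate`/`score` helpers are assumptions made for the illustration.

```python
import re
from email import message_from_string

PAYPAL = re.compile(r"paypal\.com", re.I)  # same pattern as the posted rules
SCORES = {"PAYPAL_RECEIVED": 0.01, "PAYPAL_FROM": 0.1, "PAYPAL_SPOOF": 10.0}

def evaluate(raw):
    """Return the names of the posted rules that hit on one raw message."""
    msg = message_from_string(raw)
    hits = set()
    # header PAYPAL_RECEIVED: any Received header mentions paypal.com
    if any(PAYPAL.search(h) for h in msg.get_all("Received", [])):
        hits.add("PAYPAL_RECEIVED")
    # header PAYPAL_FROM: the From header mentions paypal.com
    if any(PAYPAL.search(h) for h in msg.get_all("From", [])):
        hits.add("PAYPAL_FROM")
    # meta PAYPAL_SPOOF (!PAYPAL_RECEIVED && PAYPAL_FROM)
    if "PAYPAL_FROM" in hits and "PAYPAL_RECEIVED" not in hits:
        hits.add("PAYPAL_SPOOF")
    return hits

def score(raw):
    """Total score contributed by the three rules, as in the post."""
    return round(sum(SCORES[r] for r in evaluate(raw)), 2)

def make(received_hosts, sender):
    """Build a constructed test message (all values are made up)."""
    lines = [f"Received: from {h} by mx.example.org; Mon, 1 Jan 2001 00:00:00 +0000"
             for h in received_hosts]
    lines += [f"From: {sender}", "Subject: test", "", "body"]
    return "\n".join(lines)

# Constructed samples; hostnames are illustrative only.
SAMPLES = {
    # From and relay path both mention paypal.com: meta stays quiet
    "genuine": make(["mail.paypal.com", "relay.example.net"], "service@paypal.com"),
    # From claims paypal.com, no relay does: meta fires
    "spoofed": make(["dsl-host.example.net"], "PayPal <service@paypal.com>"),
    # Nothing mentions paypal.com: no rule hits
    "unrelated": make(["mail.example.com"], "alice@example.com"),
    # Assumed legitimate mail sent on the company's behalf by an outside
    # mailer: looks identical to "spoofed" to these rules (false positive)
    "third_party": make(["bulk.mailer.example"], "news@paypal.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {score(raw):6} {sorted(evaluate(raw))}")
```

The "third_party" sample gets the same 10.1 as "spoofed", which is the kind of legitimate-mail hit to check for before deploying the meta rule at a score of 10.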
