[...] How about this rule?
Simpler, dumber, but should do the trick:
--------------------------------------------
header PAYPAL_RECEIVED Received =~ /paypal\.com/i
describe PAYPAL_RECEIVED Received from a paypal site
score PAYPAL_RECEIVED .01

# from header
header PAYPAL_FROM From =~ /paypal\.com/i
describe PAYPAL_FROM Sent from paypal address
score PAYPAL_FROM 0.1

meta PAYPAL_SPOOF (!PAYPAL_RECEIVED && PAYPAL_FROM)
describe PAYPAL_SPOOF Mail pretending to be sent from paypal
score PAYPAL_SPOOF 10
------------------------------------------------
I've been having good luck with the following matching phishy messages. I do like your PAYPAL_RECEIVED check, and will incorporate that. I'm trying to build a list of commonly spoofed domains and build __LOCAL_URI_ rules for them, then test against common characteristics. I look for some common phrases, tests often hit by phishy messages, then combine via meta for a "smells phishy" score.
--- cut here --- cut here ---
# Anti-phishing tests
uri __LOCAL_URI_EBAY /ebay\.com/
uri __LOCAL_URI_PAYPAL /paypal\.com/
body __LOCAL_PHISHPHRASE /\b(verify|check).*your.*(information|account)\b/i
meta __LOCAL_PHISHY_SCORES (NORMAL_HTTP_TO_IP || HTTP_ESCAPED_HOST || HTTP_EXCESSIVE_ESCAPES || RAZOR2_CHECK || PYZOR_CHECK || HIDE_WIN_STATUS)
# Anything from legit sources shouldn't have phishy characteristics
meta LOCAL_PHISH_URI ((__LOCAL_URI_EBAY || __LOCAL_URI_PAYPAL) && __LOCAL_PHISHY_SCORES)
describe LOCAL_PHISH_URI Phishy URIs and SA scores
score LOCAL_PHISH_URI 0.01
# Anything with phishy phrasing and phishy scores is probably seafood
meta LOCAL_PHISH_PHRASE (__LOCAL_PHISHPHRASE && __LOCAL_PHISHY_SCORES)
describe LOCAL_PHISH_PHRASE Phishy phrases and SA scores
score LOCAL_PHISH_PHRASE 0.01
--- cut here --- cut here ---
- Bob
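Both rule sets from this thread, run through a small evaluator so the interplay of the header, uri, body and meta tests can be seen on concrete messages. This is an added example and is neither poster's code nor SpamAssassin's own: it implements just enough of the four rule types (and score lines) to reproduce the posted logic, and it treats the SpamAssassin built-ins named in __LOCAL_PHISHY_SCORES (NORMAL_HTTP_TO_IP and the rest) as externally supplied hits rather than implementing them. The two sample messages, their addresses and IPs are constructed for the demo.

```python
import email
import email.policy
import re

# Both posters' rules, as posted (the describe lines are documentation only).
RULES_TEXT = r"""
header PAYPAL_RECEIVED Received =~ /paypal\.com/i
score PAYPAL_RECEIVED .01
header PAYPAL_FROM From =~ /paypal\.com/i
score PAYPAL_FROM 0.1
meta PAYPAL_SPOOF (!PAYPAL_RECEIVED && PAYPAL_FROM)
score PAYPAL_SPOOF 10
uri __LOCAL_URI_EBAY /ebay\.com/
uri __LOCAL_URI_PAYPAL /paypal\.com/
body __LOCAL_PHISHPHRASE /\b(verify|check).*your.*(information|account)\b/i
meta __LOCAL_PHISHY_SCORES (NORMAL_HTTP_TO_IP || HTTP_ESCAPED_HOST || HTTP_EXCESSIVE_ESCAPES || RAZOR2_CHECK || PYZOR_CHECK || HIDE_WIN_STATUS)
meta LOCAL_PHISH_URI ((__LOCAL_URI_EBAY || __LOCAL_URI_PAYPAL) && __LOCAL_PHISHY_SCORES)
score LOCAL_PHISH_URI 0.01
meta LOCAL_PHISH_PHRASE (__LOCAL_PHISHPHRASE && __LOCAL_PHISHY_SCORES)
score LOCAL_PHISH_PHRASE 0.01
"""
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)  # crude URI extraction, enough for the demo

def _regex(spec):
    """Compile an SA /pattern/flags literal; only the i flag is honoured here."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", spec.strip())
    if not m:
        raise ValueError(f"bad regex literal: {spec}")
    return re.compile(m.group(1), re.I if "i" in m.group(2) else 0)

def parse_rules(text):
    """Return ({rule: (kind, arg)}, {rule: score}) from SA-style rule lines."""
    rules, scores = {}, {}
    for line in filter(str.strip, text.splitlines()):
        kind, name, rest = line.split(None, 2)
        if kind == "score":
            scores[name] = float(rest)
        elif kind == "header":
            hdr, _, spec = rest.partition("=~")
            rules[name] = ("header", (hdr.strip(), _regex(spec)))
        elif kind in ("body", "uri"):
            rules[name] = (kind, _regex(rest))
        elif kind == "meta":
            rules[name] = ("meta", rest)
    return rules, scores

def eval_meta(expr, lookup):
    """Evaluate SA meta syntax (!, &&, ||, parens) via Python; the whitelist
    tokeniser rejects anything else, which is what makes eval() safe here."""
    toks = re.findall(r"[A-Za-z_]\w*|&&|\|\||[!()]", expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unsupported meta expression: {expr}")
    ops = {"&&": " and ", "||": " or ", "!": " not ", "(": "(", ")": ")"}
    src = "".join(ops.get(t) or f"L({t!r})" for t in toks)
    return bool(eval(src, {"__builtins__": {}}, {"L": lookup}))

def evaluate(raw_message, rules, scores, external_hits=frozenset()):
    """Return (rules that hit, total score); external_hits stands in for SA's own tests."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    body = re.sub(r"\s+", " ", msg.get_body(("plain",)).get_content())
    uris = URI_RE.findall(body)
    memo = {}

    def hit(name):
        if name not in rules:  # an SA built-in this toy does not implement
            return name in external_hits
        if name not in memo:
            kind, arg = rules[name]
            if kind == "header":
                memo[name] = any(arg[1].search(str(v)) for v in msg.get_all(arg[0], []))
            elif kind == "body":
                memo[name] = bool(arg.search(body))
            elif kind == "uri":
                memo[name] = any(arg.search(u) for u in uris)
            else:  # meta: recurse into the rules it names
                memo[name] = eval_meta(arg, hit)
        return memo[name]

    hits = {n for n in rules if hit(n)}
    return hits, round(sum(scores.get(n, 0.0) for n in hits), 2)

# Constructed sample messages (documentation addresses and address ranges).
LEGIT = """\
Received: from mx1.paypal.com (mx1.paypal.com [192.0.2.10]) by mail.example.net
From: service@paypal.com

Thanks for your payment. See https://www.paypal.com/history for the details.
"""
PHISH = """\
Received: from dsl-7.example.org (dsl-7.example.org [198.51.100.7]) by mail.example.net
From: "PayPal" <service@paypal.com>

Please verify your account information at http://198.51.100.7/paypal.com/login or your account will be limited.
"""
RULES, SCORES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    print(evaluate(LEGIT, RULES, SCORES))
    print(evaluate(PHISH, RULES, SCORES, {"NORMAL_HTTP_TO_IP"}))  # SA's own IP-URL test assumed to fire
```

The legitimate receipt trips PAYPAL_RECEIVED, PAYPAL_FROM and __LOCAL_URI_PAYPAL for a total of 0.11; the forged one trips PAYPAL_SPOOF plus both LOCAL_PHISH_ metas for 10.12, and still scores 10.1 on PAYPAL_SPOOF alone when no SA built-in fires. Two things to keep in mind when deploying rules of this shape: every Received: line below the one your own MX added was written by whoever handed you the message, so a sender who forges a Received: line mentioning paypal.com switches PAYPAL_SPOOF off; and both the header and the uri regexes match paypal.com as a bare substring, so hosts such as paypal.com.example.org and, as in the sample above, an IP-hosted URL with paypal.com in its path all count as hits, which is what you want for the uri tests but is worth knowing about for the Received one.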
