Kelson Vibber wrote:
Have you looked at the 99_FVGT_Spoof.cf ruleset posted at http://www.merchantsoverseas.com/wwwroot/gorilla/rules.htm ?
They're great rules. I'm just approaching it from a slightly different angle, namely using other "smells like phish" characteristics such as commonly-hit default rules. I'd like to find a combination that can detect phishy stuff from NON-expected domains as well. Existing, commonly forged domains are one characteristic, but there are other fingerprints as well. I'm really after a "I'm not who I say I am" rule, which the forged rule in the set you referenced starts on.
I'm still doing very early testing (thus the low scores assigned), but have had good luck so far. The approaches are certainly complementary, so there's no reason not to combine or use both independently.
It sounds like you might want to work with those rules as well. (But note that citibank sends mail through citicorp.com servers, not just citibank.com, so you'll need to change/disable that rule if it hasn't been updated yet!)
I'm going to add more domains, definitely. The 'gorilla' set is far more complete. Received rules are a for-sure as well.
Also, checking /ebay\.com/ will trigger on anything that combines a word ending in e with "bay" (I saw this on a log entry about a message from someplace called azurebay.com, although I suspect that was spam as well.) You should probably check on /\bebay.com\b/i instead.
That will only match on " ebay.com " though, right? I'm interested in any occurrence of ebay.com, embedded in URLs as well (i.e. http://blah.ebay.com/fasel/) Perhaps:
[/.:]ebay\.com[/ ]
?
Mis-matched URL/description detection would be good as well. Hmm.. someone posted one of those recently I think.
- Bob
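Running the three candidate patterns from this exchange over a handful of sample lines shows where each one over- or under-matches. This is an added example, not part of the thread or of either rule set; the sample lines and their phish-relevant labels are constructed for illustration.

```python
import re

# The three patterns discussed above, compiled case-insensitively as a
# SpamAssassin body rule would be (the dot is escaped in all three).
PATTERNS = {
    "bare":     re.compile(r"ebay\.com", re.I),           # original loose check
    "boundary": re.compile(r"\bebay\.com\b", re.I),       # word-boundary variant
    "url_ctx":  re.compile(r"[/.:]ebay\.com[/ ]", re.I),  # character-class variant
}

# Constructed sample lines (not from the thread). True = a mention of the
# eBay domain that a "smells like phish" rule should catch.
SAMPLES = [
    ("Great deals at azurebay.com this week", False),
    ("http://blah.ebay.com/fasel/", True),
    ("http://ebay.com/ws/signin", True),
    ("From: Customer Service <service@ebay.com>", True),
    ("Please verify your account at ebay.com", True),
    ("ebay.com", True),
]

def matches(name, text):
    """True if the named pattern fires anywhere in text."""
    return PATTERNS[name].search(text) is not None

def evaluate(name):
    """Return (false_positives, false_negatives) of a pattern over SAMPLES."""
    fp = [t for t, hit in SAMPLES if not hit and matches(name, t)]
    fn = [t for t, hit in SAMPLES if hit and not matches(name, t)]
    return fp, fn

if __name__ == "__main__":
    for name in PATTERNS:
        fp, fn = evaluate(name)
        print(f"{name:9s} false positives: {fp}")
        print(f"{name:9s} false negatives: {fn}")
```

Because `\b` treats `.`, `/`, `@` and whitespace alike as non-word characters, the boundary form catches the URL-embedded and address forms while still rejecting azurebay.com; the `[/.:]...[/ ]` form misses bare mentions, `@ebay.com` in a From header, and a domain at end of line.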
