On Mar 19, 2004, at 2:15 PM, Bob George wrote:
Kelson Vibber wrote:
Have you looked at the 99_FVGT_Spoof.cf ruleset posted at http://www.merchantsoverseas.com/wwwroot/gorilla/rules.htm ?

They're great rules. I'm just approaching it from a slightly different angle, namely using other "smells like phish" characteristics such as commonly-hit default rules. I'd like to find a combination that can detect phishy stuff from NON-expected domains as well. Existing, commonly forged domains are one characteristic, but there are other fingerprints as well. I'm really after a "I'm not who I say I am" rule, which the forged rule in the set you referenced starts on.

Interesting, I JUST posted a rule on a new thread "Paypal/Ebay spoof spam" on this topic. I took what is perhaps a simplistic (perhaps overly so) approach of checking the headers From and Return-Path.


I'd love to hear comments, especially since it is my first attempt at writing a SA rule.


--
"Hain't we got all the fools in town on our side? And hain't that a big enough majority in any town?" - Huckleberry Finn
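The From / Return-Path comparison described in the message above, written out as an added example (this is not code from the thread or from any SpamAssassin ruleset). It is a standalone Python script rather than a `.cf` rule so it can be run against constructed sample messages; the two-label `base_domain` collapse and the sample addresses are assumptions made for the illustration.

```python
"""Added example: flag messages whose From: domain does not agree with the
Return-Path: domain, the "I'm not who I say I am" signal discussed in the thread.
Not part of the original post; the sample messages below are constructed."""
import email
from email.utils import parseaddr


def address_domain(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    if not header_value:
        return None
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip("[]")


def base_domain(domain):
    """Collapse a hostname to its last two labels (mail.example.com -> example.com).
    Assumption: two labels are enough for this illustration; a real deployment
    would consult a public-suffix list so that e.g. example.co.uk is handled."""
    if domain is None:
        return None
    labels = domain.split(".")
    return ".".join(labels[-2:])


def check_sender_consistency(raw_message):
    """Return (verdict, from_domain, return_path_domain).

    verdict is one of:
      "match"          - both headers resolve to the same base domain
      "mismatch"       - both present, different base domains (phish-like smell)
      "null_sender"    - Return-Path is <> (bounces, notifications); not comparable
      "no_return_path" - header absent, e.g. message not yet delivered locally
    """
    msg = email.message_from_string(raw_message)
    from_dom = base_domain(address_domain(msg.get("From")))
    rp_raw = msg.get("Return-Path")
    if rp_raw is None:
        return ("no_return_path", from_dom, None)
    if rp_raw.strip() in ("<>", ""):
        return ("null_sender", from_dom, None)
    rp_dom = base_domain(address_domain(rp_raw))
    if from_dom and rp_dom and from_dom == rp_dom:
        return ("match", from_dom, rp_dom)
    return ("mismatch", from_dom, rp_dom)


# Constructed sample messages (domains are placeholders, not real senders).
CONSISTENT = """Return-Path: <bounces@mail.example-bank.com>
From: "Example Bank" <service@example-bank.com>
Subject: Your statement is ready

Body text.
"""

SPOOFED = """Return-Path: <xyz123@free-mail.example.net>
From: "Example Bank Security" <security@example-bank.com>
Subject: Verify your account

Body text.
"""

NULL_SENDER = """Return-Path: <>
From: "Example Bank" <noreply@example-bank.com>
Subject: Delivery notification

Body text.
"""

if __name__ == "__main__":
    for label, sample in (("consistent", CONSISTENT),
                          ("spoofed", SPOOFED),
                          ("null sender", NULL_SENDER)):
        print(label, check_sender_consistency(sample))
```

As the poster notes, this check is simplistic on its own: mailing lists, bulk-mail providers and forwarders routinely rewrite Return-Path, so a mismatch is only one weak fingerprint and is best combined with the other "smells like phish" characteristics discussed above rather than scored heavily by itself.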

