On Mon, 19 Jul 2004, Albert Whale wrote:

> OK so the message didn't trigger as SPAM.  I need to figure out how to
> detect the Phisher, and ALWAYS trigger the SPAM  sensor.
>
> Perhaps it's not the SURBL Test.  But as in the following example, the
> first half of this http reference is not even close to the displayed
> URL, thus the nature of the Phisher:
>
> <a target="_blank"
> href="http://211.202.3.208/event_1201/popup.files/.eBay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=";>
>
> http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>
>
> Is this programmable in SPAM Assassin?

What are the chances that legitimate eBay, CitiBank, PayPal messages
will contain a URI that uses an IP address rather than proper host names?
(or contain a link to a ".biz", ".info", etc site)

Just make up a meta rule that says 'if From == (eBay|CitiBank|PayPal)' &&
( NORMAL_HTTP_TO_IP || BIZ_TLD ) then PHISH!!

If details are desired, I can share mine.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
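
The heuristic discussed in this thread, written as a stand-alone Python check; this is an added example, not part of either message and not Dave Funk's own rules or SpamAssassin rule syntax. It combines the suggested meta rule (brand in From, plus a link to a raw IP or a ".biz"/".info" host) with the href-versus-displayed-URL comparison from the quoted question. Assumptions: a single-part HTML message, and the flag names, sample message and hosts are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = re.compile(r"\b(ebay|citibank|paypal)\b", re.I)  # brands named in the thread
RISKY_TLDS = (".biz", ".info")
SAMPLE = ("From: eBay <support@ebay.example>\nContent-Type: text/html\n\n"
          '<a href="http://192.0.2.10/.eBay/signin.php">'
          "http://scgi.ebay.example/verify</a>\n")  # constructed sample, not from the page

class AnchorCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return urlsplit(url.strip()).hostname or ""  # "" when the text is not a URL

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def phish_reasons(raw_message):
    msg = message_from_string(raw_message)
    if not BRANDS.search(msg.get("From", "")):
        return []  # only score mail that claims to come from a targeted brand
    parser = AnchorCollector()
    parser.feed(msg.get_payload())  # assumption: single-part HTML body
    reasons = set()
    for href, text in parser.links:
        host, shown = host_of(href), host_of(text)
        checks = {"HTTP_TO_IP": is_ip(host),  # flag names are made up for this example
                  "RISKY_TLD": host.endswith(RISKY_TLDS),
                  "HREF_TEXT_MISMATCH": bool(shown) and shown != host}
        reasons.update(name for name, hit in checks.items() if hit)
    return sorted(reasons)
```

`phish_reasons(SAMPLE)` returns the list of flags that fired; an empty list means either the From header names none of the brands or no link looked suspicious.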
