[Mimedefang] OT: SA Rule Question

Kevin A. McGrail kmcgrail at pccc.com
Thu Feb 5 16:19:11 EST 2004 

SpamAssassin's list is moved to apache's mailing list server and I'm not
receiving it properly so please excuse my writing here but there is enough
crossover that I am hoping it will not be pointless.

In any case, I am trying to write a rule that helps catch phishing emails.
I have started with the following:

#COMBO rules to catch phishing expeditions
#SWITCH TO __KAM_PHISH AFTER TESTING
body            KAM_PHISH_01    /<input /i
describe        KAM_PHISH_01    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_01    0.15

body            KAM_PHISH_02    /credit card fail/i
describe        KAM_PHISH_02    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_02    0.15

body            KAM_PHISH_03    /\bauthoriz/i
describe        KAM_PHISH_03    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_03    0.15

body            KAM_PHISH_04    /\bname=cc/i
describe        KAM_PHISH_04    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_04    0.15

body            KAM_PHISH_05    /\bname=cvv/i
describe        KAM_PHISH_05    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_05    0.15

body            KAM_PHISH_06    /\bname=pin/i
describe        KAM_PHISH_06    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_06    0.15

body            KAM_PHISH_07    /\bname=date/i
describe        KAM_PHISH_07    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_07    0.15

body            KAM_PHISH_08    /\bname=year/i
describe        KAM_PHISH_08    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_08    0.15

body            KAM_PHISH_09    /\bname=month/i
describe        KAM_PHISH_09    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_09    0.15

body            KAM_PHISH_10    /\btype=submit/i
describe        KAM_PHISH_10    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_10    0.15

body            KAM_PHISH_11    /\baccount management\b/i
describe        KAM_PHISH_11    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_11    0.15

body            KAM_PHISH_12    /\bname=password/i
describe        KAM_PHISH_12    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_12    0.15

body            KAM_PHISH_13    /<form.*action\=.*>/i
describe        KAM_PHISH_13    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_13    0.15

body            KAM_PHISH_14    /\bname\=username/i
describe        KAM_PHISH_14    Partial Rule to try and Catch Phishing
Emails
score           KAM_PHISH_14    0.15

meta            KAM_combo_PHISH   ((KAM_PHISH_01 + KAM_PHISH_02 +
KAM_PHISH_03 + KAM_PHISH_04 + KAM_PHISH_05 + KAM_PHISH_06 + KAM_PHISH_07 +
KAM_PHISH_08 + KAM_PHISH_09 + KAM_PHISH_10 + KAM_PHISH_11 + KAM_PHISH_12 +
KAM_PHISH_13 + KAM_PHISH_14) > 6)
describe        KAM_combo_PHISH   KAM - Phishing Expedition Email
Probability High
score           KAM_combo_PHISH   1.0 #RAISE AFTER MORE TESTING


I am having troubles getting the rules like name=password to match.  Any
insight?

Regards,
KAM

More information about the MIMEDefang mailing list