[Mimedefang] OT: SA Rule Question
Kevin A. McGrail
kmcgrail at pccc.com
Thu Feb 5 16:19:11 EST 2004
SpamAssassin's list is moved to Apache's mailing list server and I'm not
receiving it properly, so please excuse my writing here, but there is enough
crossover that I am hoping it will not be pointless.

In any case, I am trying to write a rule that helps catch phishing emails.
I have started with the following:

#COMBO rules to catch phishing expeditions
#SWITCH TO __KAM_PHISH AFTER TESTING
body KAM_PHISH_01 /<input /i
describe KAM_PHISH_01 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_01 0.15
body KAM_PHISH_02 /credit card fail/i
describe KAM_PHISH_02 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_02 0.15
body KAM_PHISH_03 /\bauthoriz/i
describe KAM_PHISH_03 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_03 0.15
body KAM_PHISH_04 /\bname=cc/i
describe KAM_PHISH_04 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_04 0.15
body KAM_PHISH_05 /\bname=cvv/i
describe KAM_PHISH_05 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_05 0.15
body KAM_PHISH_06 /\bname=pin/i
describe KAM_PHISH_06 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_06 0.15
body KAM_PHISH_07 /\bname=date/i
describe KAM_PHISH_07 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_07 0.15
body KAM_PHISH_08 /\bname=year/i
describe KAM_PHISH_08 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_08 0.15
body KAM_PHISH_09 /\bname=month/i
describe KAM_PHISH_09 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_09 0.15
body KAM_PHISH_10 /\btype=submit/i
describe KAM_PHISH_10 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_10 0.15
body KAM_PHISH_11 /\baccount management\b/i
describe KAM_PHISH_11 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_11 0.15
body KAM_PHISH_12 /\bname=password/i
describe KAM_PHISH_12 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_12 0.15
body KAM_PHISH_13 /<form.*action\=.*>/i
describe KAM_PHISH_13 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_13 0.15
body KAM_PHISH_14 /\bname\=username/i
describe KAM_PHISH_14 Partial Rule to try and Catch Phishing Emails
score KAM_PHISH_14 0.15
meta KAM_combo_PHISH ((KAM_PHISH_01 + KAM_PHISH_02 + KAM_PHISH_03 + KAM_PHISH_04 + KAM_PHISH_05 + KAM_PHISH_06 + KAM_PHISH_07 + KAM_PHISH_08 + KAM_PHISH_09 + KAM_PHISH_10 + KAM_PHISH_11 + KAM_PHISH_12 + KAM_PHISH_13 + KAM_PHISH_14) > 6)
describe KAM_combo_PHISH KAM - Phishing Expedition Email Probability High
score KAM_combo_PHISH 1.0 #RAISE AFTER MORE TESTING

I am having troubles getting the rules like name=password to match. Any
insight?
Regards,
KAM
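
An added example, not part of the original post and not SpamAssassin's own code: SpamAssassin tests `body` rules against the rendered text with HTML tags stripped, while `rawbody` rules see the decoded markup, so this Python model runs the posted patterns over both views of one message. The sample HTML, the `rendered` helper (a crude stand-in for SpamAssassin's HTML rendering) and the `TOLERANT` pattern are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML part of a phishing-style message (not from the post).
SAMPLE_HTML = """<html><body>
<p>Your credit card failed authorization. Visit Account Management.</p>
<form action="http://example.invalid/update" method="post">
<input type=text name=username>
<input type=password name=password>
<input type=text name=cc> <input type=text name=cvv>
<input type=submit value="Continue">
</form></body></html>"""
# Patterns of KAM_PHISH_01..14 as posted, in order; all carry the /i modifier.
POSTED = [r"<input ", r"credit card fail", r"\bauthoriz", r"\bname=cc",
          r"\bname=cvv", r"\bname=pin", r"\bname=date", r"\bname=year",
          r"\bname=month", r"\btype=submit", r"\baccount management\b",
          r"\bname=password", r"<form.*action\=.*>", r"\bname\=username"]
PATTERNS = {f"KAM_PHISH_{i:02d}": rx for i, rx in enumerate(POSTED, 1)}
# Assumption: a variant of rule 12 that tolerates quotes and spaces around "=".
TOLERANT = r'''\bname\s*=\s*["']?password'''

class _TextOnly(HTMLParser):
    """Crude stand-in for SpamAssassin's HTML rendering: keep text, drop tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def rendered(html):
    """Approximate what a `body` rule is matched against."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())

def hits(text, patterns=PATTERNS):
    """Names of the rules whose pattern matches some line of text."""
    lines = text.splitlines()
    return sorted(name for name, rx in patterns.items()
                  if any(re.search(rx, ln, re.I) for ln in lines))

def combo(text, threshold=6):
    """The post's meta rule: more than `threshold` sub-rules hit."""
    return len(hits(text)) > threshold

if __name__ == "__main__":
    for label, text in (("body-like", rendered(SAMPLE_HTML)), ("rawbody-like", SAMPLE_HTML)):
        print(label, hits(text), combo(text))
```

In SpamAssassin itself the equivalent change is to declare the markup-matching rules with `rawbody` instead of `body`; the unquoted `name=password` pattern still misses `name="password"`, which the `TOLERANT` variant covers.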