Phish detection (was Re: [Mimedefang] for mcafee lovers)
David F. Skoll
dfs at roaringpenguin.com
Tue Mar 22 17:37:09 EST 2005
Kevin A. McGrail wrote:

> How can you content differentiate
> between a "real" and a phish without something like SURBL?

The Mailscanner guy has a fairly effective heuristic that really
should be plugged into SpamAssassin. He looks for something like this:

<a href="http://bogus.site.com/.cgi/ebay/cgi">https://secure.ebay.com</a>

Got that? If the URL *text* in the hyperlink doesn't match
the URL in the HREF parameter (modulo some canonicalization and
other munging), flag as a phish.

Dead simple algorithm, and I'd guess it catches about 75% of phishing
attempts. The ones it doesn't catch are the ones where the
URL looks like this:

<a href="http://bogus.site.com/.cgi/ebay/cgi">Click Here</a>

and that's where SURBL can help.

Regards,

David.