Phish detection (was Re: [Mimedefang] for mcafee lovers)

James Ebright jebright at esisnet.com
Wed Mar 23 09:58:47 EST 2005


The other phishing it does not catch are the ones where the end user's hosts
file has been altered to point secure.ebay.com to a different IP. The only
reliable way to catch those I have seen is to compare the originating relayed
server with a list of known good ones... which is a kludge as this breaks
every time one of the banks, etc. changes an IP or adds a server... etc. DCC
and SURBL are useless against these as the URLs and the emails are
essentially legit and will take the user to the correct place if their hosts
file is not munged.

Jim

On Tue, 22 Mar 2005 17:37:09 -0500, David F. Skoll wrote

> The Mailscanner guy has a fairly effective heuristic that really
> should be plugged into SpamAssassin.  He looks for something like this:
> 
> <a href="http://bogus.site.com/.cgi/ebay/cgi">https://secure.ebay.com</a>
> 
> Got that?  If the URL *text* in the hyperlink doesn't match
> the URL in the HREF parameter (modulo some canonicalization and
> other munging), flag as a phish.
> 


--
EsisNet.com Webmail Client



