[Mimedefang] [OT] Fw: Interesting Phishing Trick
Joseph Brennan
brennan at columbia.edu
Thu Mar 9 15:31:05 EST 2006
"Kevin A. McGrail" <kmcgrail at pccc.com> wrote:
> However, this rule does trigger on the technique I sent. I want to work
> on the nested anchor idea as well but in the meantime, I'd like to hear
> feedback on this trigger. It seemed REALLY spammy to me. Anyone get any
> hits with this against their HAM or SPAM corpuses?
>
> # PHISHING TEST
> rawbody KAM_PHISH1 /u style="cursor: pointer"/
> describe KAM_PHISH1 Test for PHISH that changes the cursor
> score KAM_PHISH1 0.01

Something sent with Incredimail! has this in it (originally one line):

<TD id=INCREDITEXTREGION style="FONT-SIZE: 18pt; CURSOR: auto"
vAlign=top width="100%">

Something in Spanish that was reported as spam had this (again,
originally one line):

<table title='' onselectstart='return false;' style='cursor:hand;
display:inline' border=0 width='100' cellpadding=0 cellspacing=0>

That's five days of reported spam, 1,920 messages.

>> Is there an SA rule that checks for nested anchors? (Either in 3.1 or
>> SARE.) Any signs of this idiom in ham corpuses?

I must have missed this original message. Was there an example?

I've been working on an MD subroutine using HTML::TokeParser.
It goes into 'state' when it comes to an <a> tag, and checks what
comes from there up to the next </a>. I had not thought of needing
to nest them. Or is it just a test of bad HTML to come across <a>
when you're already in an <a>?

Joseph Brennan
Columbia University Information Technology
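
The anchor state machine discussed in this message, sketched as an added example; it is not the poster's subroutine and not MIMEDefang or SpamAssassin code. The helper name `scan_anchors` is hypothetical, the first two inputs are the fragments quoted in the message rejoined to one line, and the third is a constructed nested-anchor sample, since the thread's original example is not shown here.

```perl
use strict;
use warnings;
use HTML::TokeParser;

# Hypothetical helper (not from the thread): walk one HTML part and report
# anchors opened inside an open anchor, plus any style that sets a cursor.
sub scan_anchors {
    my ($html) = @_;
    my $p = HTML::TokeParser->new(\$html) or die "cannot parse HTML\n";
    my ($depth, $href, @findings) = (0, '');
    while (my $tok = $p->get_token) {
        my ($type, $tag, $attr) = @$tok;
        if ($type eq 'S') {                  # start tag: ["S", tag, \%attr, ...]
            if ($tag eq 'a') {
                push @findings, "nested <a> inside link to '$href'" if $depth > 0;
                $href = $attr->{href} // '' if $depth == 0;   # keep the outer target
                $depth++;
            }
            # Attribute names arrive lowercased; values keep their case, hence /i.
            my $style = $attr->{style} // '';
            if ($style =~ /\bcursor\s*:\s*([a-z-]+)/i) {
                my $where = $depth ? "inside link to '$href'" : 'outside any link';
                push @findings, "<$tag> sets cursor:" . lc($1) . " $where";
            }
        }
        elsif ($type eq 'E' && $tag eq 'a' && $depth > 0) {   # end tag: ["E", tag, text]
            $depth--;
        }
    }
    push @findings, 'unclosed <a> at end of part' if $depth > 0;
    return @findings;
}

my @samples = (
    [ 'IncrediMail fragment quoted in the message',
      q{<TD id=INCREDITEXTREGION style="FONT-SIZE: 18pt; CURSOR: auto" vAlign=top width="100%">} ],
    [ 'Spanish spam fragment quoted in the message',
      q{<table title='' onselectstart='return false;' style='cursor:hand; display:inline' border=0 width='100' cellpadding=0 cellspacing=0>} ],
    [ 'constructed nested-anchor sample (not from the thread)',
      q{<a href="http://a.example/"><a href="http://b.example/"><u style="cursor: pointer">text</u></a></a>} ],
);
for my $s (@samples) {
    my ($label, $html) = @$s;
    # Same literal pattern as the KAM_PHISH1 rawbody rule quoted above.
    my $kam = $html =~ /u style="cursor: pointer"/ ? 'hit' : 'no hit';
    print "$label\n  KAM_PHISH1 pattern: $kam\n";
    print "  $_\n" for scan_anchors($html);
}
```

Reporting whether a cursor style sits inside or outside a link is what separates the two quoted fragments, which set a cursor on table markup with no anchor open, from markup that restyles the pointer over link text.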