[Mimedefang] [OT] Fw: Interesting Phishing Trick

[Philip Prindeville]

Joseph Brennan wrote:
> "Kevin A. McGrail" <kmcgrail at pccc.com> wrote:
> 
>>However, this rule does trigger on the technique I sent.  I want to work
>>on the nested anchor idea as well but in the meantime, I'd like to hear
>>feedback on this trigger.  It seemed REALLY spammy to me.  Anyone get any
>>hits with this against their HAM or SPAM corpuses?
>>
>># PHISHING TEST
>>rawbody         KAM_PHISH1      /u style="cursor: pointer"/
>>describe        KAM_PHISH1      Test for PHISH that changes the cursor
>>score           KAM_PHISH1      0.01

I'm using:

rawbody __L_PHISH               /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)="window\.status=/
meta L_PHISH                    (__CTYPE_HTML && __L_PHISH)
describe L_PHISH                Test for PHISH overwriting the status bar
score L_PHISH                   6.0


and it seems to work well enough...

If anyone wants to drop the score down to 0.01 and tell me how
many hits they get on a high volume site, I'd be fascinated to
know how well it performs elsewhere.

Thanks,

-Philip