[Mimedefang] [OT] Fw: Interesting Phishing Trick

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Mar 9 19:28:26 EST 2006

Joseph Brennan wrote:
> "Kevin A. McGrail" <kmcgrail at pccc.com> wrote:
>>However, this rule does trigger on the technique I sent.  I want to work
>>on the nested anchor idea as well but in the meantime, I'd like to hear
>>feedback on this trigger.  It seemed REALLY spammy to me.  Anyone get any
>>hits with this against their HAM or SPAM corpuses?
>>rawbody         KAM_PHISH1      /u style="cursor: pointer"/
>>describe        KAM_PHISH1      Test for PHISH that changes the cursor
>>score           KAM_PHISH1      0.01

I'm using:

rawbody __L_PHISH               /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)="window\.status=/
meta L_PHISH                    (__CTYPE_HTML && __L_PHISH)
describe L_PHISH                Test for PHISH overwriting the status bar
score L_PHISH                   6.0

and it seems to work well enough...

If anyone wants to drop the score down to 0.01 and tell me how
many hits they get on a high volume site, I'd be fascinated to
know how well it performs elsewhere.



More information about the MIMEDefang mailing list