[Mimedefang] [OT] Fw: Interesting Phishing Trick
philipp_subx at redfish-solutions.com
Thu Mar 9 19:28:26 EST 2006
Joseph Brennan wrote:
> "Kevin A. McGrail" <kmcgrail at pccc.com> wrote:
>>However, this rule does trigger on the technique I sent. I want to work
>>on the nested anchor idea as well but in the meantime, I'd like to hear
>>feedback on this trigger. It seemed REALLY spammy to me. Anyone get any
>>hits with this against their HAM or SPAM corpuses?
>># PHISHING TEST
>>rawbody KAM_PHISH1 /u style="cursor: pointer"/
>>describe KAM_PHISH1 Test for PHISH that changes the cursor
>>score KAM_PHISH1 0.01
rawbody __L_PHISH /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)="window\.status=/
meta L_PHISH (__CTYPE_HTML && __L_PHISH)
describe L_PHISH Test for PHISH overwriting the status bar
score L_PHISH 6.0
and it seems to work well enough...
If anyone wants to drop the score down to 0.01 and tell me how
many hits they get on a high volume site, I'd be fascinated to
know how well it performs elsewhere.
More information about the MIMEDefang