[Mimedefang] [OT] Fw: Interesting Phishing Trick

David F. Skoll dfs at roaringpenguin.com
Thu Mar 9 19:41:14 EST 2006


Philip Prindeville wrote:

> /<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)="window\.status=/

You might want to change that regexp to something like:

/<a[^>]{1,200}href\s{0,10}=.{0,200}(onmouseover|onmousemouse)\s{0,10}=\s{0,10}"window\.status\s{0,10}=/i

You probably don't want to use the '*' quantifier in a SpamAssassin
rule regexp; it can exhibit very long execution time on long messages.
You might also want to not get sidetracked by people who add spaces to
throw you off.  And you may as well make the whole thing
case-insensitive.  Finally, you'd want to match something like
<a title="foo" href="bar" onMouseOver="..."> which the original regexp
would miss.

Regards,

David.
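
The coverage differences listed in this message, as an added example that is not part of the original post: both regexps from the thread are run over constructed sample lines. It assumes Python's `re` as a stand-in for the Perl regexps SpamAssassin uses (Perl's `/i` becomes `re.IGNORECASE`); the sample names and helper functions are hypothetical. The last sample goes slightly beyond the message by showing that the `{0,200}` bounds also cap how far apart `href` and the handler may be.

```python
import re

# Patterns copied from the thread; Perl's /i flag becomes re.IGNORECASE.
ORIGINAL = re.compile(
    r'<[aA] [hH][rR][eE][fF]=.* (onMouseOver|onMouseMouse)="window\.status=')
REVISED = re.compile(
    r'<a[^>]{1,200}href\s{0,10}=.{0,200}(onmouseover|onmousemouse)'
    r'\s{0,10}=\s{0,10}"window\.status\s{0,10}=', re.IGNORECASE)

# Constructed sample lines (not taken from real mail).
SAMPLES = {
    # The simple form both patterns were written for.
    "plain": '<a href="http://example.test/" onMouseOver="window.status=\'x\'">',
    # An attribute precedes href, as in the message's <a title="foo" ...> case.
    "attr_before_href":
        '<a title="foo" href="bar" onMouseOver="window.status=\'x\'">',
    # Spaces around the '=' signs.
    "padded_equals": '<a href = "bar" onmouseover = "window.status = \'x\'">',
    # Upper-case tag and handler name.
    "upper_case": '<A HREF="bar" ONMOUSEOVER="window.status=\'x\'">',
    # href and handler more than 200 characters apart: outside the bounded window.
    "far_apart": '<a href="bar" class="' + "c" * 300
                 + '" onMouseOver="window.status=\'x\'">',
    # An ordinary link that neither rule should flag.
    "benign": '<a href="http://example.test/">home</a>',
}

def hits(pattern):
    """Return the set of sample names the pattern matches."""
    return {name for name, line in SAMPLES.items() if pattern.search(line)}

def compare():
    """Map each sample name to (original_matches, revised_matches)."""
    old, new = hits(ORIGINAL), hits(REVISED)
    return {name: (name in old, name in new) for name in SAMPLES}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:18} original={old!s:5} revised={new}")
```

Only the bounded pattern has a fixed upper limit on how much text one match attempt can scan, so the bounds are a tuning choice between rule cost and match window.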


