[Mimedefang] [OT] Fw: Interesting Phishing Trick
Kevin A. McGrail
kmcgrail at pccc.com
Thu Mar 9 20:18:17 EST 2006
Philip:
This rule won't hit on the phishing email I was discussing. It doesn't use
a mouseover. It uses a nested a tag to hide to real link. Thanks to
Kenneth Porter, here's my original post:
http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749
P.S. I didn't post it to the tomcat group, I posted it to the Apache
SpamAssassin Users list. Something somewhere is skewed!
Regards,
KAM
> rawbody __L_PHISH /<[aA] [hH][rR][eE][fF]=.*
> (onMouseOver|onMouseMouse)="window\.status=/
> meta L_PHISH (__CTYPE_HTML && __L_PHISH)
> describe L_PHISH Test for PHISH overwriting the status bar
> score L_PHISH 6.0
>
>
> and it seems to work well enough...
>
> If anyone wants to drop the score down to 0.01 and tell me how
> many hits they get on a high volume site, I'd be fascinated to
> know how well it performs elsewhere.
More information about the MIMEDefang
mailing list