[Mimedefang] [OT] Fw: Interesting Phishing Trick
David F. Skoll
dfs at roaringpenguin.com
Thu Mar 9 21:25:13 EST 2006
Philip Prindeville wrote:
> * sometimes someone will send out HTML that will look like:
> <a href="http://www.foo.com/...">http://www.bar.com/...</a>
We've had a fair bit of luck with a variant of this:
# Catch common phishing sequence
full HTTP_CLAIMS_HTTPS /<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:/is
describe HTTP_CLAIMS_HTTPS HTTP link claiming to be HTTPS -- Phish
score HTTP_CLAIMS_HTTPS 5
That's an HTTP link whose text claims to be an HTTPS link, like this:
<a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a>
You can see our catches at:
http://www.roaringpenguin.com/canit/showtrap.php?status=spam&r=HTTP_CLAIMS
(login demo/demo)
Of course, our Bayes data nails most phishing scams now too...
Regards,
David.
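
An added example, not part of the original message or of Roaring Penguin's code: the HTTP_CLAIMS_HTTPS pattern above next to a parsed-HTML check that also covers the href/text host mismatch from the quoted message and link text wrapped in inline markup. The names LinkAudit and audit and the sample strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The rule's pattern from the message above, with Perl's /is as Python flags.
HTTP_CLAIMS_HTTPS = re.compile(
    r"<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:", re.I | re.S)

class LinkAudit(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only keep text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Return a list of (finding, href, text) for deceptive anchors."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        shown = re.match(r"\s*(https?)://([^/\s:]+)", text, re.I)
        if not shown:
            continue  # link text does not look like a URL
        shown_scheme, shown_host = shown.group(1).lower(), shown.group(2).lower()
        if target.scheme.lower() == "http" and shown_scheme == "https":
            findings.append(("http_claims_https", href, text))
        if target.hostname and target.hostname.lower() != shown_host:
            findings.append(("host_mismatch", href, text))
    return findings

# Constructed samples: the anchor from the message, the same link with its
# text inside <b>, and a benign link whose text matches its target.
SAMPLE_PHISH = '<a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a>'
SAMPLE_NESTED = '<a href="http://1.2.3.4/x"><b>https://secure.ebay.com</b></a>'
SAMPLE_OK = '<a href="https://secure.ebay.com/">https://secure.ebay.com/</a>'
```

The regex matches SAMPLE_PHISH but not SAMPLE_NESTED, because [^<] stops at the inline tag; audit() reports both, and reports nothing for SAMPLE_OK.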