[Mimedefang] [OT] Fw: Interesting Phishing Trick
Kevin A. McGrail
kmcgrail at pccc.com
Fri Mar 17 12:59:27 EST 2006
After testing and researching this rule for a few days, I found it has
pretty high FPs almost always on legitimate advertisements and mailing lists
as well as aggregated news reports. A lot of them seem to use URL
shortening techniques à la tinyurl that cause this issue to rear its head.
I don't think this is a good rule.
----- Original Message -----
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, March 09, 2006 9:25 PM
Subject: Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick
> Philip Prindeville wrote:
> > * sometimes someone will send out HTML that will look like:
> > <a href="http://www.foo.com/...">http://www.bar.com/...</a>
> We've had a fair bit of luck with a variant of this:
> # Catch common phishing sequence
> full HTTP_CLAIMS_HTTPS
> describe HTTP_CLAIMS_HTTPS HTTP link claiming to be HTTPS -- Phish
> score HTTP_CLAIMS_HTTPS 5
> That's an HTTP link whose text claims to be an HTTPS link, like this:
> <a href="http://126.96.36.199/fake/.ebay.dll">https://secure.ebay.com</a>
> You can see our catches at:
> (login demo/demo)
> Of course, our Bayes data nails most phishing scams now too...
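An added example, not code from either poster or from MIMEDefang or SpamAssassin: the two link checks discussed in this thread, run over constructed sample anchors, showing that a shortened newsletter link trips a host comparison while only the phish trips the HTTP-versus-HTTPS scheme check. The `HOST_MISMATCH` label, the function and class names, and the sample hosts are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, text, flags) for each anchor whose visible text is itself a URL."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target, shown = urlsplit(href), urlsplit(text)
        if shown.scheme.lower() not in ("http", "https") or not shown.hostname:
            continue  # anchor text is not a URL, so it makes no claim to compare
        flags = set()
        if target.scheme.lower() == "http" and shown.scheme.lower() == "https":
            flags.add("HTTP_CLAIMS_HTTPS")  # rule name quoted in the thread
        if (target.hostname or "") != shown.hostname:
            flags.add("HOST_MISMATCH")  # hypothetical label for the href/text host check
        findings.append((href, text, flags))
    return findings

# Constructed sample bodies; 192.0.2.10 and example.org are placeholder hosts.
PHISH = '<a href="http://192.0.2.10/fake/.ebay.dll">https://secure.ebay.com</a>'
NEWSLETTER = '<a href="http://tinyurl.com/abc123">http://www.example.org/news/today</a>'
PLAIN = '<a href="https://www.example.org/login">Log in</a>'
```

Running `check_links` over a sample of known-good list mail before assigning a score gives a direct measure of how often each flag fires on legitimate traffic.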