[Mimedefang] [OT] Fw: Interesting Phishing Trick

Kevin A. McGrail kmcgrail at pccc.com
Fri Mar 17 12:59:27 EST 2006


David:

After testing and researching this rule for a few days, I found it has
pretty high FPs almost always on legitimate advertisements and mailing lists
as well as aggregated news reports.  A lot of them seem to use URL
shortening techniques a la tinyurl that cause this issue to rear its head.
I don't think this is a good rule.

Regards,
KAM

----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, March 09, 2006 9:25 PM
Subject: Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick


> Philip Prindeville wrote:
>
> > * sometimes someone will send out HTML that will look like:
> >   <a href="http://www.foo.com/...">http://www.bar.com/...</a>
>
> We've had a fair bit of luck with a variant of this:
>
> # Catch common phishing sequence
> full HTTP_CLAIMS_HTTPS /<a[^>]{0,190}http:[^>]{0,190}>[^<]{0,190}https:/is
> describe HTTP_CLAIMS_HTTPS HTTP link claiming to be HTTPS -- Phish
> score HTTP_CLAIMS_HTTPS 5
>
> That's an HTTP link whose text claims to be an HTTPS link, like this:
>
> <a href="http://1.2.3.4/fake/.ebay.dll">https://secure.ebay.com</a>
>
> You can see our catches at:
>
> http://www.roaringpenguin.com/canit/showtrap.php?status=spam&r=HTTP_CLAIMS
>
> (login demo/demo)
>
> Of course, our Bayes data nails most phishing scams now too...
>
> Regards,
>
> David.
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>



