[Mimedefang] [OT] Fw: Interesting Phishing Trick

Kevin A. McGrail kmcgrail at pccc.com
Fri Mar 17 12:59:27 EST 2006


After testing and researching this rule for a few days, I found it has
pretty high FPs almost always on legitimate advertisements and mailing lists
as well as aggregated news reports.  A lot of them seem to use URL
shortening techniques à la tinyurl that cause this issue to rear its head.
I don't think this is a good rule.


----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, March 09, 2006 9:25 PM
Subject: Re: [Mimedefang] [OT] Fw: Interesting Phishing Trick

> Philip Prindeville wrote:
> > * sometimes someone will send out HTML that will look like:
> >   <a href="http://www.foo.com/...">http://www.bar.com/...</a>
>
> We've had a fair bit of luck with a variant of this:
>
> # Catch common phishing sequence
> describe HTTP_CLAIMS_HTTPS HTTP link claiming to be HTTPS -- Phish
>
> That's an HTTP link whose text claims to be an HTTPS link, like this:
>
> <a href="">https://secure.ebay.com</a>
>
> You can see our catches at:
>
> http://www.roaringpenguin.com/canit/showtrap.php?status=spam&r=HTTP_CLAIMS
> (login demo/demo)
>
> Of course, our Bayes data nails most phishing scams now too...
>
> Regards,
>
> David.
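The two checks discussed in this thread, sketched as an added example that is not part of either message and is not Roaring Penguin's rule: it compares each anchor's `href` with its visible text, separating the narrow "HTTP link claiming to be HTTPS" case from the general host mismatch. The label `HOST_MISMATCH`, the function names and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, text):
    """Labels for one anchor; HOST_MISMATCH is a hypothetical name for the general check."""
    target, shown = urlsplit(href), urlsplit(text)
    hits = set()
    if shown.scheme not in ("http", "https") or not shown.hostname:
        return hits  # visible text is not a URL, nothing to compare
    if target.scheme == "http" and shown.scheme == "https":
        hits.add("HTTP_CLAIMS_HTTPS")  # text promises HTTPS, link is plain HTTP
    if target.hostname and target.hostname != shown.hostname:
        hits.add("HOST_MISMATCH")  # text shows one host, link goes to another
    return hits

def scan(html):
    parser = AnchorCollector()
    parser.feed(html)
    return [(h, t, classify(h, t)) for h, t in parser.links]

# Constructed sample: phish-style link, newsletter link via a shortener, honest link
SAMPLE = (
    '<a href="http://login.example.net/x">https://secure.example.com</a>'
    '<a href="http://short.example/a1">http://news.example.org/story</a>'
    '<a href="https://shop.example.com/">https://shop.example.com/</a>'
)

if __name__ == "__main__":
    for href, text, hits in scan(SAMPLE):
        print(sorted(hits) or "-", href, "->", text)
```

On the constructed sample the shortener-style newsletter link trips only the general host comparison, while the scheme-downgrade check fires only on the first link.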