Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/07/06 19:45:12 UTC

[Bug 3570] New: anti phishing rule sets

http://bugzilla.spamassassin.org/show_bug.cgi?id=3570

           Summary: anti phishing rule sets
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Rules
        AssignedTo: spamassassin-dev@incubator.apache.org
        ReportedBy: admin@cs.montana.edu


These are the top 3 domains used for phishing per Anti-Phishing Working Group 
analysis.
Here are three rules to detect phishing attempts:


"The Anti-Phishing Working Group says 95% of all fraudulent E-mail scams
use spoofed, or forged "From" addresses."

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=22102466

# Try to identify CITIBANK spoofs by looking for elements which should always appear.
#header __RCVD_CITIBNK   Received =~ /(?:citibank|citicards|citicorp|acxiom|citibankcards|c2it)\.com/i
#header __FROM_CITIBNK   From =~ /citibank\.com/i
#uri __URI_CITIBNK       /citibank\.com/i
#meta FORGED_CITIBNK    (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
#score FORGED_CITIBNK   110.0

# Try to identify PAYPAL spoofs by looking for elements which should always appear.
header        __RCVD_PAYPAL        Received =~ /paypal\.com/i
header        __FROM_PAYPAL        From =~ /paypal\.com/i
uri        __URI_PAYPAL        /paypal\.com/i
# If we have a From and a URL of one of these guys, we should also have a received line to match!
meta        FORGED_PAYPAL        (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
describe    FORGED_PAYPAL       Paypal phish attempt
score   FORGED_PAYPAL 15

# Try to identify USBANK spoofs by looking for elements which should always appear.
header        __RCVD_USBANK        Received =~ /usbank\.com/i
header        __FROM_USBANK        From =~ /usbank\.com/i
uri        __URI_USBANK        /usbank\.com/i

# If we have a From and a URL of one of these guys, we should also have a received line to match!
meta        FORGED_USBANK        (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
describe    FORGED_USBANK       usbank phish attempt
score   FORGED_USBANK 15
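
The meta-rule logic above (From and a URI name the brand, but no Received header does), evaluated over whole messages. This is an added Python example, not part of the original report or of SpamAssassin; the function name, the simplified URI regex and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Brand patterns copied from the report's rules; the dict layout is this example's own.
BRANDS = {
    "FORGED_PAYPAL": re.compile(r"paypal\.com", re.I),
    "FORGED_USBANK": re.compile(r"usbank\.com", re.I),
}
# Simplified URI extraction (assumption; SpamAssassin's own URI parsing is richer).
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def forged_hits(raw_message):
    """Return the names of the meta rules that would fire for one raw message."""
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    received = msg.get_all("Received", [])
    body = msg.get_payload()
    uris = URI_RE.findall(body if isinstance(body, str) else "")
    hits = []
    for rule, pat in BRANDS.items():
        from_match = bool(pat.search(from_hdr))            # __FROM_*
        uri_match = any(pat.search(u) for u in uris)       # __URI_*
        rcvd_match = any(pat.search(r) for r in received)  # __RCVD_*
        if from_match and uri_match and not rcvd_match:
            hits.append(rule)
    return hits


# Constructed sample messages (documentation addresses, not real traffic).
FORGED = """Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org; Tue, 6 Jul 2004 12:00:00 -0600
From: "PayPal" <service@paypal.com>
Subject: Account notice

Please confirm your details at http://www.paypal.com/
"""

GENUINE = """Received: from mx1.paypal.com (mx1.paypal.com [192.0.2.20])
    by mx.example.org; Tue, 6 Jul 2004 12:05:00 -0600
From: "PayPal" <service@paypal.com>
Subject: Receipt

View your receipt at https://www.paypal.com/
"""

if __name__ == "__main__":
    print("forged :", forged_hits(FORGED))
    print("genuine:", forged_hits(GENUINE))
```

As in the report's rules, the patterns are unanchored, so they match the brand domain anywhere in the header or URI text.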


