Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/07/06 19:45:12 UTC
[Bug 3570] New: anti phishing rule sets
http://bugzilla.spamassassin.org/show_bug.cgi?id=3570
Summary: anti phishing rule sets
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Rules
AssignedTo: spamassassin-dev@incubator.apache.org
ReportedBy: admin@cs.montana.edu
These are the top 3 domains used for phishing per Anti-Phishing Working Group
analysis.
Here are three rules to detect phishing attempts:
"The Anti-Phishing Working Group says 95% of all fraudulent E-mail scams
use spoofed, or forged "From" addresses."
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=22102466
# Try to identify CITIBANK spoofs by looking for elements which should always appear.
#header __RCVD_CITIBNK Received =~ /(?:citibank|citicards|citicorp|acxiom|citibankcards|c2it)\.com/i
#header __FROM_CITIBNK From =~ /citibank\.com/i
#uri __URI_CITIBNK /citibank\.com/i
#meta FORGED_CITIBNK (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
#score FORGED_CITIBNK 110.0
# Try to identify PAYPAL spoofs by looking for elements which should always appear.
header __RCVD_PAYPAL Received =~ /paypal\.com/i
header __FROM_PAYPAL From =~ /paypal\.com/i
uri __URI_PAYPAL /paypal\.com/i
# If we have a From and an URL of one of these guys, we should also have a received line to match!
meta FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
describe FORGED_PAYPAL Paypal phish attempt
score FORGED_PAYPAL 15
# Try to identify USBANK spoofs by looking for elements which should always appear.
header __RCVD_USBANK Received =~ /usbank\.com/i
header __FROM_USBANK From =~ /usbank\.com/i
uri __URI_USBANK /usbank\.com/i
# If we have a From and an URL of one of these guys, we should also have a received line to match!
meta FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
describe FORGED_USBANK usbank phish attempt
score FORGED_USBANK 15
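An added example, not part of the original report and not SpamAssassin's own code: a Python emulation of the FORGED_PAYPAL meta rule run over four constructed messages, showing what the rule flags and the false positive it produces when genuine mail is relayed by a host whose name lacks the brand domain. The sample hosts, addresses and the simplified URI regex are assumptions.

```python
import re
from email import message_from_string

# Pattern shared by the three FORGED_PAYPAL sub-rules in the report.
BRAND = re.compile(r"paypal\.com", re.I)
# Simplified URI extraction (assumption); SpamAssassin's own URI parser is more thorough.
URI = re.compile(r"https?://[^\s<>\"']+", re.I)

def forged_paypal(raw):
    """Emulate: __FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL."""
    msg = message_from_string(raw)
    from_hit = bool(BRAND.search(msg.get("From", "")))
    rcvd_hit = any(BRAND.search(h) for h in msg.get_all("Received", []))
    uri_hit = any(BRAND.search(u) for u in URI.findall(msg.get_payload()))
    return from_hit and uri_hit and not rcvd_hit

def make(received_host, from_hdr, url):
    """Build a constructed single-part test message."""
    return (f"Received: from {received_host} by mx.example.org; "
            f"Tue, 6 Jul 2004 12:00:00 +0000\n"
            f"From: {from_hdr}\nSubject: Account notice\n\nPlease visit {url}\n")

# Constructed samples; example.* names and 192.0.2.x are reserved for documentation.
SAMPLES = {
    "spoofed": make("unknown.example.net ([192.0.2.10])", "service@paypal.com",
                    "http://www.paypal.com.verify.example/login"),
    "genuine": make("mx1.paypal.com ([192.0.2.20])", "service@paypal.com",
                    "https://www.paypal.com/"),
    # False positive: genuine brand mail relayed by a third-party sending host.
    "third_party_relay": make("out.mailer.example ([192.0.2.30])",
                              "service@paypal.com", "https://www.paypal.com/"),
    # From does not claim the brand, so the meta rule stays silent.
    "unrelated": make("mail.example.net ([192.0.2.40])", "friend@example.org",
                      "https://www.paypal.com/"),
}

def evaluate_samples():
    """Return {sample name: whether the emulated meta rule fires}."""
    return {name: forged_paypal(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} FORGED_PAYPAL={hit}")
```

The third_party_relay result is the case to weigh before assigning a score of 15: the rule only stays quiet when every genuine sender's relay name contains the brand domain.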