Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2008/12/23 13:04:01 UTC

Custom URI phishing rule

Hi List,

I've noticed a lot of phishing spam tries to obfuscate the URI with the 
following form:

http://www.mybank.com.phish.cn

and I've been thinking about trying to write a generic rule to detect 
this approach.

I haven't had much success yet for dot coms, but UK domains seem pretty 
easy. I can't think of a valid reason to see .co.uk.whatever in a URI 
(.uk.com and .uk.net are valid, but not preceded by .co), so this rule 
seems to work pretty well for UK phishing (banks etc.):

uri	LOCAL_URI_PHISH_UK	m{https?://.{1,40}\.co\.uk\.\w}i

Likewise, this approach could easily be expanded to include government 
and academic domains, .gov.uk and .ac.uk, respectively.

uri	LOCAL_URI_PHISH_UK	m{https?://.{1,40}\.(ac|co|gov)\.uk\.\w}i

Feedback on these rules would be appreciated.

For dot coms it gets a little more complicated as there are plenty of 
valid TLDs that can follow .com (e.g., example.com.au, .com.br, .com.cn 
etc.).

So could a dot com variant be as simple as checking for a minimum of 3 
word characters following .com?

uri	LOCAL_URI_PHISH	m{https?://.{1,40}\.com\.\w{3,}}i

But even then it wouldn't catch things like:

http://www.mybank.com.x.y.z.phish.cn

so it may be necessary to parse the full domain string and match the 2- or 
3-letter TLD on the end:

uri	LOCAL_URI_PHISH	m{https?://.{1,40}\.com\..{1,60}\.[a-z]{2,3}\b}i

but maybe this is now too relaxed and may generate FPs?

BTW, some of these phishing domains can be *really* long, as in this 
recent example of a Google AdWords phishing attempt (obfuscated by me, 
was com68 not example.ru):

http://adwords.google.com.session-39233324133776181464.82036896558794093384.example.ru

Any thoughts?
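The four rule bodies from the post, transcribed to Python and run over a constructed corpus, as an added check that is not part of Ned's message: it shows which variant fires on each of the post's own examples, and that the relaxed .com variant also fires on a legitimate .com.br URI whose path ends in a two- or three-letter file extension. The suffixed rule names and the sample URIs marked "constructed" are mine.

```python
import re

# The rule bodies from the post, transcribed from Perl m{...}i to Python re.
# The post reuses the names LOCAL_URI_PHISH_UK and LOCAL_URI_PHISH for two
# variants each; the suffixes _WIDE, _3W and _TLD are mine (assumption), so
# that every variant can be reported separately.
RULES = {
    "LOCAL_URI_PHISH_UK":      re.compile(r"https?://.{1,40}\.co\.uk\.\w", re.I),
    "LOCAL_URI_PHISH_UK_WIDE": re.compile(r"https?://.{1,40}\.(ac|co|gov)\.uk\.\w", re.I),
    "LOCAL_URI_PHISH_3W":      re.compile(r"https?://.{1,40}\.com\.\w{3,}", re.I),
    "LOCAL_URI_PHISH_TLD":     re.compile(r"https?://.{1,40}\.com\..{1,60}\.[a-z]{2,3}\b", re.I),
}

def matching_rules(uri):
    """Return the sorted names of the rules whose regex fires on one URI,
    mirroring how a SpamAssassin 'uri' rule is tested against each URI."""
    return sorted(name for name, rx in RULES.items() if rx.search(uri))

# Constructed corpus: the post's own examples plus legitimate URIs under real
# second-level registries (.co.uk, .com.au, .com.br) to probe for false positives.
CORPUS = [
    "http://www.mybank.com.phish.cn",                    # from the post
    "http://www.mybank.com.x.y.z.phish.cn",              # from the post
    "http://adwords.google.com.session-39233324133776181464.82036896558794093384.example.ru",
    "http://www.mybank.co.uk.phish.cn",                  # constructed
    "http://example.com/login?next=www.mybank.co.uk.x",  # constructed: .{1,40} also spans path/query
    "http://www.example.co.uk/",                         # constructed, legitimate
    "http://www.example.com.au/",                        # constructed, legitimate
    "http://shop.example.com.br/page.php",               # constructed, legitimate (FP for _TLD)
]

def evaluate(corpus=CORPUS):
    """Map each URI in the corpus to the rule names it triggers."""
    return {uri: matching_rules(uri) for uri in corpus}

if __name__ == "__main__":
    for uri, hits in evaluate().items():
        print(f"{', '.join(hits) or '-':<45} {uri}")
```

The `.{1,40}` prefix is not limited to the host part, so the UK rule also fires when `.co.uk.` appears in a path or query string; whether that is wanted depends on how strict you need the rule to be.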