Posted to users@spamassassin.apache.org by Dan <ka...@gmail.com> on 2005/01/13 00:40:10 UTC
phishing rule
I am trying to write a rule to catch phishing schemes of this nature:
<a href="123.123.123.123/login">http://legit-stie.com/login</a>
Is there anything wrong with this regexp?
/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
I realize that it is probably really error-prone, but that is why I am
throwing it out to this list. Has anyone else tried to tackle this
with success?
Re: phishing rule
Posted by Kevin Peuhkurinen <ke...@hepcoe.com>.
Dan wrote:
>I am trying to write a rule to catch phishing schemes of this nature:
><a href="123.123.123.123/login">http://legit-stie.com/login</a>
>
>Is there anything wrong with this regexp?
>/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
>
>I realize that it is probably really error-prone, but that is why I am
>throwing it out to this list. Has anyone else tried to tackle this
>with success?
You don't need to use the 'match anything but' components. It's also a
generally accepted practice not to use * but rather to put in a
restriction on the number of characters that can be matched. Also note
that this would have to be a rawbody test.
The following works for me in that it triggers on your example.
However, most of the newer phishing emails I've seen use maps laid over
legit hrefs.
rawbody MYPHISHTEST
/href=\"\d{1,3}(\.\d{1,3}){3}.{0,20}\".{0,20}\>\s{0,5}http/i
score MYPHISHTEST 0.1
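To see what the rule above does and does not catch, here is an added Python check (my own code, not from the thread or from SpamAssassin) that runs Kevin's rawbody regex over constructed sample anchors and compares it with a structural test: the href host is a bare IPv4 literal while the visible link text is a URL on a different host. The anchor-parsing regex and the sample messages are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Kevin's rawbody regex from the thread, compiled with the same /i flag.
MYPHISHTEST = re.compile(
    r'href=\"\d{1,3}(\.\d{1,3}){3}.{0,20}\".{0,20}\>\s{0,5}http', re.I)

# Structural check (assumption: the raw HTML is available, as in a
# rawbody test). Crude anchor parser, sufficient for single-line samples.
ANCHOR = re.compile(
    r'<a\b[^>]*?href\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a>',
    re.I | re.S)
IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')


def _host(url):
    # urlparse only splits out a netloc when a scheme is present
    if '://' not in url:
        url = 'http://' + url
    return (urlparse(url).hostname or '').lower()


def ip_href_with_url_text(html):
    """Return (href, text) pairs where href points at an IPv4 literal but
    the visible text is a URL whose host differs from that address."""
    hits = []
    for href, text in ANCHOR.findall(html):
        text = text.strip()
        if not IPV4.match(_host(href)):
            continue
        if text.lower().startswith('http') and _host(text) != _host(href):
            hits.append((href, text))
    return hits


def rule_matches(raw):
    """True if Kevin's MYPHISHTEST regex fires on this raw body."""
    return MYPHISHTEST.search(raw) is not None


# Constructed samples (not real messages)
PHISH = '<a href="123.123.123.123/login">http://legit-stie.com/login</a>'
PHISH_UPPER = '<A HREF="10.0.0.1/x" target="_blank">HTTP://bank.example/login</A>'
PHISH_SCHEME = '<a href="http://123.123.123.123/login">http://legit-stie.com/login</a>'
BENIGN_IP = '<a href="http://192.0.2.5/status">http://192.0.2.5/status</a>'
BENIGN_NAME = '<a href="https://example.com/login">http://example.com/login</a>'
```

Because the regex requires the digits to follow `href="` immediately, an href that carries a scheme (PHISH_SCHEME) slips past the rule and only the structural check flags it, while an honest link to an IP address (BENIGN_IP) is flagged by neither.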