Posted to users@spamassassin.apache.org by Dan <ka...@gmail.com> on 2005/01/13 00:40:10 UTC

phishing rule

I am trying to write a rule to catch phishing schemes of this nature:
<a href="123.123.123.123/login">http://legit-stie.com/login</a>

Is there anything wrong with this regexp?
/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/

I realize that it is probably really error-prone, but that is why I am
throwing it out to this list.  Has anyone else tried to tackle this
with success?

Re: phishing rule

Posted by Kevin Peuhkurinen <ke...@hepcoe.com>.
Dan wrote:

>I am trying to write a rule to catch phishing schemes of this nature:
><a href="123.123.123.123/login">http://legit-stie.com/login</a>
>
>Is there anything wrong with this regexp?
>/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
>
>I realize that it is probably really error-prone, but that is why I am
>throwing it out to this list.  Has anyone else tried to tackle this
>with success?
>
You don't need to use the 'match anything but' components.   It's also a 
generally accepted practice not to use * but rather to put in a 
restriction on the number of characters that can be matched.   Also note 
that this would have to be a rawbody test.

The following works for me in that it triggers on your example.   
However, most of the newer phishing emails I've seen use maps laid over 
legit hrefs.

rawbody MYPHISHTEST /href=\"\d{1,3}(\.\d{1,3}){3}.{0,20}\".{0,20}\>\s{0,5}http/i
score   MYPHISHTEST 0.1
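As an added example that is not part of this thread, the rawbody pattern above is run in Python against the original message's anchor and a few constructed variants, alongside an HTML-parser check that asks the same question structurally (is the href host a literal IP while the visible text looks like a URL?). The domain bank.example, the 10.0.0.1 hrefs and the sample bodies are made up for the demonstration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The rawbody regex from the thread, compiled with Python's re (it uses no Perl-only syntax).
MYPHISHTEST = re.compile(r'href=\"\d{1,3}(\.\d{1,3}){3}.{0,20}\".{0,20}\>\s{0,5}http', re.I)

def regex_hits(raw_body):
    """Does the thread's rule fire on this raw (un-rendered) HTML body?"""
    return MYPHISHTEST.search(raw_body) is not None
class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...>, whatever the quoting or attribute order."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href'), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None
def is_ip_href(href):
    """True when the link target's host is a literal IP address (v4 or v6)."""
    url = href.strip()
    if '://' not in url:
        url = 'http://' + url  # scheme-less href, as in the thread's example
    try:
        ipaddress.ip_address(urlsplit(url).hostname or '')
        return True
    except ValueError:
        return False
def suspicious_anchors(raw_body):
    """Anchors whose href host is an IP while the visible text looks like a URL."""
    p = AnchorCollector()
    p.feed(raw_body)
    return [(h, t) for h, t in p.anchors
            if is_ip_href(h) and t.lower().startswith(('http://', 'https://', 'www.'))]
# Constructed sample bodies: the thread's example plus variants the regex alone does not cover.
SAMPLES = {
    'thread': '<a href="123.123.123.123/login">http://legit-stie.com/login</a>',
    'attrs':  '<a href="10.0.0.1/login" target="_blank">http://bank.example/login</a>',
    'quotes': "<a href='10.0.0.1/login'>http://bank.example/login</a>",
    'scheme': '<a href="http://10.0.0.1/login">http://bank.example/login</a>',
    'legit':  '<a href="http://www.example.com/">http://www.example.com/</a>',
}
```

Running both checks over SAMPLES shows the regex firing only on the double-quoted, scheme-less forms, while the parser check also catches single-quoted and http://-prefixed IP hrefs and leaves the legitimate link alone.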