You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <km...@pccc.com> on 2006/03/09 16:05:15 UTC

[OT] Fw: Interesting Phishing Trick

I ran the rule below through the NightlyMassCheck with a 0 HAM hit and a 0 
SPAM hit on those corpuses so the technique might not be very prevalent.

However, this rule does trigger on the technique I sent.  I want to work on 
the nested anchor idea as well but in the meantime, I'd like to hear 
feedback on this trigger.  It seemed REALLY spammy to me.  Anyone get any 
hits with this against their HAM or SPAM corpuses?

#PHISHING TEST
rawbody         KAM_PHISH1      /u style="cursor: pointer"/
describe        KAM_PHISH1      Test for PHISH that changes the cursor
score           KAM_PHISH1      0.01

Regards,
KAM

> Is there an SA rule that checks for nested anchors? (Either in 3.1 or 
> SARE.) Any signs of this idiom in ham corpuses?

Re: [OT] Fw: Interesting Phishing Trick

Posted by Theo Van Dinter <fe...@apache.org>.

On Thu, Mar 09, 2006 at 10:05:15AM -0500, Kevin A. McGrail wrote:
> However, this rule does trigger on the technique I sent.  I want to work on 
> the nested anchor idea as well but in the meantime, I'd like to hear 
> feedback on this trigger.  It seemed REALLY spammy to me.  Anyone get any 
> hits with this against their HAM or SPAM corpuses?

I have no hits for that.  Interestingly, my spamtraps have no mention of
cursor:, but my personal spam corpus has a ton of "CURSOR: hand".

-- 
Randomly Generated Tagline:
"The frame comes in your choice of colors, so long as your choice is black."
         - From Amazon.com about the Ceiva picture frame