You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Lucas Albers <ad...@cs.montana.edu> on 2004/07/06 19:46:04 UTC

phishing rules

Are their currently phishing rules in sare for:
paypal,usbank,and citibank, the top 3 phishing spoof domains?

If their are not, here are some:
http://bugzilla.spamassassin.org/show_bug.cgi?id=3570

It would be nice to have anti-phishing rules for all the top financial
sites, as an interim until they deploy spf.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana

Re: phishing rules

Posted by Lucas Albers <ad...@cs.montana.edu>.

Kelson Vibber said:
> The SARE spoof rules are working well here:
>
> http://www.rulesemporium.com/rules/70_sare_spoof.cf

I was not aware of them and I just upgraded to them.
Now the bugzilla entry points to the sare rules.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana

Re: phishing rules

Posted by Kelson Vibber <ke...@speed.net>.

At 10:46 AM 7/6/2004, Lucas Albers wrote:
>Are their currently phishing rules in sare for:
>paypal,usbank,and citibank, the top 3 phishing spoof domains?

The SARE spoof rules are working well here:

http://www.rulesemporium.com/rules/70_sare_spoof.cf


Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: phishing rules

Posted by Jesse Houwing <j....@rulesemporium.com>.

Todd Schuldt wrote:

>I had a bunch of US Bank ones get through today, isn't there a sare rule
>markup somewhere that detects the IE url exploit method that all these use?
>
>** Bad Guy ip address removed **
><p><font color="#DD0000"><a
>href="http://0.0.0.0/.USBank/RequestRouter/">https://www4.usbank.com/interne
>tBanking/RequestRouter?requestCmdId=DisplayLoginPage</a></font></p>
>  
>
Could you send me one of those messages? Then I could have a look...

Jesse

RE: phishing rules

Posted by Todd Schuldt <ts...@ised.org>.

I had a bunch of US Bank ones get through today, isn't there a sare rule
markup somewhere that detects the IE url exploit method that all these use?

** Bad Guy ip address removed **
<p><font color="#DD0000"><a
href="http://0.0.0.0/.USBank/RequestRouter/">https://www4.usbank.com/interne
tBanking/RequestRouter?requestCmdId=DisplayLoginPage</a></font></p>


> -----Original Message-----
> From: Lucas Albers [mailto:admin@cs.montana.edu]
> Sent: Tuesday, July 06, 2004 12:46 PM
> To: spamassassin-users@incubator.apache.org
> Subject: phishing rules
> 
> Are their currently phishing rules in sare for:
> paypal,usbank,and citibank, the top 3 phishing spoof domains?
> 
> If their are not, here are some:
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3570
> 
> It would be nice to have anti-phishing rules for all the top financial
> sites, as an interim until they deploy spf.
> 
> --
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana
>

Re: New subject/sender 6.7.9.6, similar to the $122342 subject/sender msg's

Posted by Kelson Vibber <ke...@speed.net>.

On Tuesday 06 July 2004 11:37 am, Greg D - N V Host wrote:
> I finally started seeing the $31234 subject emails disappearing...  Now I
> am seeing these:
>
> From: 6.9.7.6
>
> Subject: 2.1.5.2
>
> Has anyone else seen these "yet" ?   =-\
>
> If anyone has rules for this, I'd like to check them out.

I've seen just one, and it scored 13.6.  Admittedly that includes both 
ws.surbl.org and sc.surbl.org, but it hit all three of Razor, Pyzor and DCC, 
which is enough to push it over 5.0.

P.S. To start a new topic, please just post a new message - don't reply to 
another one.  When you reply to a message it includes threading information 
that better mail and news readers use to group messages together.  If someone 
is using a program that recognizes that info, and has chosen to ignore the 
thread on phishing, they'll never notice this post.

-- 
Kelson Vibber
SpeedGate Communications, <www.speed.net>

New subject/sender 6.7.9.6, similar to the $122342 subject/sender msg's

Posted by Greg D - N V Host <gr...@nvhost.com>.

Greetings all,

I finally started seeing the $31234 subject emails disappearing...  Now I am seeing these:

From: 6.9.7.6

Subject: 2.1.5.2

Has anyone else seen these "yet" ?   =-\

If anyone has rules for this, I'd like to check them out.

Thanks,

G

-----Original Message-----
From: Lucas Albers [mailto:admin@cs.montana.edu]
Sent: Tuesday, July 06, 2004 1:46 PM
To: spamassassin-users@incubator.apache.org
Subject: phishing rules

Are their currently phishing rules in sare for:
paypal,usbank,and citibank, the top 3 phishing spoof domains?

If their are not, here are some:
http://bugzilla.spamassassin.org/show_bug.cgi?id=3570

It would be nice to have anti-phishing rules for all the top financial
sites, as an interim until they deploy spf.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana