Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2009/10/17 16:50:56 UTC

Is there a WANTS_MY_INFO rule?

To catch this:

In order to confirm you Web-Mail identity, you are to provide the
following data;


First Name:
Last Name:
Username/ID:
Password:
Date of Birth:

Affirm your willingness and cooperation please, by replying me stating
your FULL NAME, DATE OF BIRTH, TELEPHONE NUMBER, FAX NUMBER, and CONTACT
ADDRESS.


Feel Free To Call: +44 703-592-2805 Provide the following under listed 
information 1.Full Name:2.Full Address:3.Nationality:4.Age/Sex:5.Mobile 
Contact:6.Occupation:7.Job Description:



Re: Is there a WANTS_MY_INFO rule?

Posted by neil <ne...@supanet.net.uk>.
Hi;
Marc Perkel wrote:
> To catch this:
>
> In order to confirm you Web-Mail identity, you are to provide the
> following data;
<snip>

   I have a generic phishing rule to reduce the incidence of customers
giving out their data. It could be easily modified to hit your example.
I got the basic idea from a post on here, so many thanks to that poster,
whoever they are :-)

Any improvements would be welcome.

This is site-specific, so change Example to your domain and watch out for
line wrapping.

 ## Some of these words overlap between tests, this is a feature
 ## hello there
 body __SITE_PH_DEAR /(\W|^)(Dear\s+(\W{0,2}Example(.com)?|Value|Customer|Account|E\-?mail Account|Web\-?mail|user)|Att(entio)?n|Account User)/i
 body __SITE_PH_START /(inform you)/i
 ## there is a problem with
 body __SITE_PH_SERVICE /(webmail|email|e-mail|account|mail|Internet|network|systems|database)/i
 ## we need your
 body __SITE_PH_NAME /((((Sur|Fore?|Christian|First|Last|User)\s*)?Names?)|AccessID)/i
 body __SITE_PH_AGE /(Your\s+)?(age|date\s+(of\s+)?birth|DOB)/i
 body __SITE_PH_EMAIL /((your\s+(\w+\s+)?e\-?mail|E\-?mail\s+Address)|username|User Name|login|logon|identity|id|reply\s+to)/i
 ## and especially
 body __SITE_PH_PASS /(Pass\s*word|Passwd|Pass\s*Phrase|Ident(ification)?|your\s+details)/i
 ## because we are fixing
 body __SITE_PH_UPGRADE /(upgrad(e|ing|ed)|updat(e|ing|ed)|security|sc?heduled|maintainence|maintenance|activation|data\s+base)/i
 ## obey or bad thing will happen
 body __SITE_PH_BADTHING /(error|interuption|failure|interupted|disruption|delet(e|ing)|de\-?activat(ed|ing|e)|remov(e|ed)|suspended|damage|shutting|terminat(e|ing|ed)|Technical\s+Support|un\-?authorised|in\-?active)/i

 meta MYSITE_PHISH_M4 ((__SITE_PH_DEAR || __SITE_PH_START) && __SITE_PH_SERVICE && (__SITE_PH_NAME || __SITE_PH_AGE || __SITE_PH_EMAIL) && __SITE_PH_PASS && __SITE_PH_UPGRADE && __SITE_PH_BADTHING)

 score MYSITE_PHISH_M4 0.1

Seems to get a few hits on the mail below.
dbg: rules: ran body rule __SITE_PH_NAME ======> got hit: "First Name"
dbg: rules: ran body rule __SITE_PH_PASS ======> got hit: "ident"
dbg: rules: ran body rule __SITE_PH_SERVICE ======> got hit: "mail"
dbg: rules: ran body rule __SITE_PH_AGE ======> got hit: "Date of Birth"
dbg: rules: ran body rule __SITE_PH_EMAIL ======> got hit: "identity"


If you meta this with a network check like BOTNET, DCC, RAZOR, etc., you
can increase accuracy.

Rgds
N


Marc Perkel wrote:
> To catch this:
> 
> In order to confirm you Web-Mail identity, you are to provide the 
> following data;
> 
> 
> First Name:
> Last Name:
> Username/ID:
> Password:
> Date of Birth:
> 
> Affirm your willingness and cooperation please, by replying me
> stating your FULL NAME, DATE OF BIRTH, TELEPHONE NUMBER, FAX NUMBER,
> and CONTACT ADDRESS.
> 
> 
> Feel Free To Call: +44 703-592-2805 Provide the following under
> listed information 1.Full Name:2.Full
> Address:3.Nationality:4.Age/Sex:5.Mobile Contact:6.Occupation:7.Job
> Description:
> 
> 
> 
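To see why the rule set above only gets sub-rule hits on Marc's sample, and what a WANTS_MY_INFO-style check could look like, here is an added Python model. It is example code written for this page, not SpamAssassin's rule engine and not John Hardin's fillform rules. The __SITE_PH_* regexes and the meta expression are copied from neil's post (unwrapped onto one line each); the PII_CATEGORIES table, the label regex, the three-category threshold, the "Dear Customer / scheduled maintenance / suspended" pretext sample and the benign shipping-form sample are this example's own assumptions.

```python
"""Python model of the __SITE_PH_* sub-rules and MYSITE_PHISH_M4 meta-rule,
plus a label-counting WANTS_MY_INFO heuristic.  Added illustration only:
SpamAssassin runs body rules over the rendered, whitespace-collapsed body,
which normalise() below only approximates."""
import re

# Sub-rule regexes copied from the post, each unwrapped onto one line.
# "Example" is the placeholder domain the post says to replace.
SUBRULES = {
    "DEAR": r"(\W|^)(Dear\s+(\W{0,2}Example(.com)?|Value|Customer|Account|E\-?mail Account|Web\-?mail|user)|Att(entio)?n|Account User)",
    "START": r"(inform you)",
    "SERVICE": r"(webmail|email|e-mail|account|mail|Internet|network|systems|database)",
    "NAME": r"((((Sur|Fore?|Christian|First|Last|User)\s*)?Names?)|AccessID)",
    "AGE": r"(Your\s+)?(age|date\s+(of\s+)?birth|DOB)",
    "EMAIL": r"((your\s+(\w+\s+)?e\-?mail|E\-?mail\s+Address)|username|User Name|login|logon|identity|id|reply\s+to)",
    "PASS": r"(Pass\s*word|Passwd|Pass\s*Phrase|Ident(ification)?|your\s+details)",
    "UPGRADE": r"(upgrad(e|ing|ed)|updat(e|ing|ed)|security|sc?heduled|maintainence|maintenance|activation|data\s+base)",
    "BADTHING": r"(error|interuption|failure|interupted|disruption|delet(e|ing)|de\-?activat(ed|ing|e)|remov(e|ed)|suspended|damage|shutting|terminat(e|ing|ed)|Technical\s+Support|un\-?authorised|in\-?active)",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SUBRULES.items()}


def normalise(text):
    """Collapse whitespace runs, roughly like a rendered body paragraph."""
    return re.sub(r"\s+", " ", text).strip()


def evaluate_subrules(text):
    """Return {subrule: matched text or None}, like the 'got hit' debug lines."""
    body = normalise(text)
    hits = {}
    for name, rx in COMPILED.items():
        m = rx.search(body)
        hits[name] = m.group(0) if m else None
    return hits


def hit_names(text):
    return sorted(name for name, m in evaluate_subrules(text).items() if m)


def meta_phish_m4(hits):
    """The meta expression from the post, evaluated over a hits dict."""
    h = lambda name: hits[name] is not None
    return ((h("DEAR") or h("START")) and h("SERVICE")
            and (h("NAME") or h("AGE") or h("EMAIL"))
            and h("PASS") and h("UPGRADE") and h("BADTHING"))


# WANTS_MY_INFO heuristic: what kinds of personal data does the mail ask the
# reader to fill in?  Categories, patterns and threshold are this example's
# own choices (assumptions), not a published rule.
PII_CATEGORIES = {
    "password": r"pass\s*(?:word|wd|phrase)",
    "username": r"user\s*(?:name|id)|\blogin\b|\bid\b",
    "name": r"\b(?:first|last|full|sur|given|family)\s*name\b",
    "dob": r"date\s*of\s*birth|birth\s*date|\bdob\b|\bage\b",
    "contact": r"\b(?:mobile|telephone|phone|fax)\b|\baddress\b",
}
# A form label: a short run of letters/spaces/slashes ending in a colon.
LABEL_RX = re.compile(r"([A-Za-z][A-Za-z /]{1,30}?):")


def requested_labels(text):
    """Form-style labels ('First Name:', '3.Nationality:') in the body."""
    return LABEL_RX.findall(normalise(text))


def requested_categories(text):
    found = set()
    for label in requested_labels(text):
        for cat, pat in PII_CATEGORIES.items():
            if re.search(pat, label, re.IGNORECASE):
                found.add(cat)
    return found


def wants_my_info(text, min_categories=3):
    """Fire only when a password is requested alongside other personal data."""
    cats = requested_categories(text)
    return "password" in cats and len(cats) >= min_categories


# The message quoted at the top of the thread (the text under "To catch this").
SAMPLE_PHISH = """\
In order to confirm you Web-Mail identity, you are to provide the
following data;

First Name:
Last Name:
Username/ID:
Password:
Date of Birth:

Affirm your willingness and cooperation please, by replying me stating
your FULL NAME, DATE OF BIRTH, TELEPHONE NUMBER, FAX NUMBER, and CONTACT
ADDRESS.

Feel Free To Call: +44 703-592-2805 Provide the following under listed
information 1.Full Name:2.Full Address:3.Nationality:4.Age/Sex:5.Mobile
Contact:6.Occupation:7.Job Description:
"""

# Constructed for this example: the same body wrapped in the pretext the
# meta-rule also requires (greeting, "maintenance", threatened suspension).
SAMPLE_WITH_PRETEXT = ("Dear Customer,\n\n" + SAMPLE_PHISH +
                       "\nFailure to comply within 48 hours will leave your account "
                       "suspended during the scheduled maintenance of our mail systems.")

# Constructed benign control: form-like, but asks for no credential.
BENIGN_FORM = "Shipping details for order 1234\nFull Name:\nAddress:\nPhone:\nNote: leave the parcel with a neighbour if I am out.\n"

if __name__ == "__main__":
    hits = evaluate_subrules(SAMPLE_PHISH)
    for name, m in hits.items():
        print(f"__SITE_PH_{name:<9} {'got hit: ' + m if m else 'no hit'}")
    print("MYSITE_PHISH_M4 on sample:", meta_phish_m4(hits),
          "| with pretext:", meta_phish_m4(evaluate_subrules(SAMPLE_WITH_PRETEXT)))
    print("WANTS_MY_INFO categories:", sorted(requested_categories(SAMPLE_PHISH)),
          "| fires:", wants_my_info(SAMPLE_PHISH), "| benign form:", wants_my_info(BENIGN_FORM))
```

Run with python3 and the hit table reproduces the five debug lines quoted in the post (NAME, PASS, SERVICE, AGE, EMAIL), while MYSITE_PHISH_M4 stays false on Marc's sample because it has no greeting or "inform you", no upgrade/maintenance pretext and no threat, which is the gap "easily modified to hit your example" refers to. The label heuristic fires on the sample because it asks for a password plus name, username, date of birth and contact details, and stays quiet on the benign form. As with the posted rule, it belongs at a low score or in a meta with a network check rather than as a standalone high-scoring rule: plenty of legitimate mail contains colon-terminated labels.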


Re: Is there a WANTS_MY_INFO rule?

Posted by MySQL Student <my...@gmail.com>.
Hi,

> In order to confirm you Web-Mail identity, you are to provide the
> following data;
>
> First Name:
> Last Name:
> Username/ID:
> Password:
> Date of Birth:

Try John Hardin's fillform:

http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/?sortby=date

Regards,
Alex