List:       spamassassin-devel
Subject:    Re: Detecting Phishers is not working.
From:       "Fred" <tech2 () i-is ! com>
Date:       2004-07-31 19:47:05
Message-ID: 000c01c47737$283adf30$0906010a () iis ! com

Loren Wilton wrote:
> SARE has some phishing rules for various things.  I just sent a
> handful more out for test last night, but as it happens none of them
> were ebay specific, since I don't seem to get a lot of ebay phishing
> mails.

We have a set of rules for phishing, but it's called spoof on our site (and
the ruleset name).  These rules do include spoofs against ebay; this was my
first target when I created these rules.

http://www.rulesemporium.com/rules/70_sare_spoof.cf


# Try to identify EBAY spoofs by looking for elements which should always
# appear.
# If we have a From and an URL of one of these guys, we should also have a
# received line to match!
header   __RCVD_EBAY        Received =~ /(?:email)?[^\s@]ebay\.com/i
header   __FROM_EBAY        From =~ /\@(?:email)?ebay\.com/i
uri      __URI_EBAY     /ebay\.com/i
meta     SARE_FORGED_EBAY   (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
describe SARE_FORGED_EBAY   Message appears to be forged, (ebay.com)
score    SARE_FORGED_EBAY   102.0


The rule is not 100% effective but it works for the majority of these spams.


This set is targeting spoofs from: ebay, paypal, usbank, and citibank
Also looking for spoofed message IDs from aol, msn, hotmail, yahoo, excite
and others.
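
Added example, not part of the message above or of the SARE ruleset: the meta rule's condition (From and URI match, Received does not) evaluated in Python over constructed messages. The three regexes are copied from the rule; the URL finder, the make_mail helper and the sample messages are assumptions made for this example.

```python
import re
from email import message_from_string

# Patterns copied from the __RCVD_EBAY, __FROM_EBAY and __URI_EBAY sub-rules.
RCVD_EBAY = re.compile(r"(?:email)?[^\s@]ebay\.com", re.I)
FROM_EBAY = re.compile(r"@(?:email)?ebay\.com", re.I)
URI_EBAY = re.compile(r"ebay\.com", re.I)
# Assumption: a simple URL finder standing in for SpamAssassin's URI extraction.
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def forged_ebay(raw):
    """Return True when the SARE_FORGED_EBAY meta condition holds for raw mail text."""
    msg = message_from_string(raw)
    from_hit = any(FROM_EBAY.search(v) for v in msg.get_all("From", []))
    rcvd_hit = any(RCVD_EBAY.search(v) for v in msg.get_all("Received", []))
    uri_hit = any(URI_EBAY.search(u) for u in URL.findall(msg.get_payload()))
    return from_hit and uri_hit and not rcvd_hit


def make_mail(received_host, from_addr, body):
    """Build a constructed single-part test message (hypothetical helper)."""
    return (
        f"Received: from {received_host} ({received_host} [192.0.2.10])\n"
        "\tby mx.example.org; Sat, 31 Jul 2004 12:00:00 -0700\n"
        f"From: {from_addr}\n"
        "To: user@example.org\n"
        "Subject: Account notice\n"
        "\n"
        f"{body}\n"
    )


# Constructed samples, not real traffic.
SAMPLES = {
    "claims eBay, relayed elsewhere": make_mail(
        "mail.example.net", "support@ebay.com", "See http://www.ebay.com/help"),
    "claims eBay, eBay relay present": make_mail(
        "mx1.ebay.com", "support@ebay.com", "See http://www.ebay.com/help"),
    "eBay link, unrelated sender": make_mail(
        "mail.example.net", "friend@example.net", "Look: http://www.ebay.com/item"),
    "claims eBay, no link": make_mail(
        "mail.example.net", "support@ebay.com", "No links here."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {'HIT' if forged_ebay(raw) else 'no hit'}")
```

Only the first sample satisfies all three parts of the meta condition; each of the others fails one sub-rule, which shows why the rule combines them rather than scoring any one alone.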
