They have and API at phishtank It would be great to get it integrated into declude or INVURIBL.
Kevin > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Colbeck, Andrew > Sent: Tuesday, May 15, 2007 3:24 PM > To: [email protected] > Subject: RE: [Declude.JunkMail] Phishing > > Without my so much as glancing at the potential false positives, this > is > a treasure trove or actual phishing URLs: > > http://www.phishtank.com/phish_archive.php > > A glance at which tells me that another useful PCRE would be to (pseudo > code follows): > > IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end > of line OR / character) > > Andrew. > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > > Behalf Of David Barker > > Sent: Tuesday, May 15, 2007 2:31 PM > > To: [email protected] > > Subject: [Declude.JunkMail] Phishing > > > > BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a- > z]{2,4}/)) > > > > This is a regular expression. This is a little more > > complicated than a straight filter but essentially I am > > looking for any URL that has a .com in the middle and then > > ends with a different domain extension. It will match on > > this: > > > > http://session-2825275860.nationalcity.com.juuje.io/ > > > > If you had to do a standard filter I would do something like: > > > > BODY 5 CONTAINS http://session- > > BODY 10 CONTAINS .io/ > > > > Some examples of matches (not sure of the levels on FP's yet) > > > > 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter > > FILTER-PHISH : > > http://session-401758.nationalcity.com.bigj.at/ > > > > 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter > > FILTER-PHISH : > > http://interactsession-64236.regions.com.usersetup.cn/ > > > > 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter > > FILTER-PHISH : > > http://interactsession-0330189132.regions.com.usersetup.tw/ > > > > 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter > > FILTER-PHISH : > > http://session-10067.nationalcity.com.portfast.cn/ > > > > 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter > > FILTER-PHISH : > > http://interactsession-644893.regions.com.usersetup.io/ > > > > 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter > > FILTER-PHISH : > > http://session-8434556.nationalcity.com.05server.cn/ > > > > David Barker > > VP Operations | Declude > > Your Email Security is our business > > O: 978.499.2933 x7007 > > F: 978.988.1311 > > E: [EMAIL PROTECTED] > > > > > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be > > found at http://www.mail-archive.com. > > > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
