Another mailing list pointed out the new IE exploit. What would be the SA code to detect/block such an exploit in email?

Here's an untested, potentially CPU-intensive rule to detect this. I am not recommending this rule, but looking for an improved version of it.

uri KAM_URIPARSE /^[^\/]*\%0[01][^\/]*\@/

From: "Kevin A. McGrail" <[EMAIL PROTECTED]>

WARNING: There is documentation of a scam in this document. Read the document, don't feel the need to click on things!

Not to alarm everyone, but I feel that there is a bug/scam that more people need to know about that I found out about last week.

This bug causes some browsers, notably Internet Explorer but ALSO AFFECTING NETSCAPE AND MOZILLA TO SOME EXTENT, to parse web links incorrectly and allow a person to nearly perfectly cover up the fact that they are redirecting you to a different link.

I believe this bug should be identifiable in SpamAssassin but I have seen a few different techniques and I am not 100% sure what the bug is! Something akin to this (tested but I don't make a lot of rules):

# This rule is to mark emails using the exploit of the URI parsing
uri KAM_URIPARSE /\%01\@/i
describe KAM_URIPARSE Attempted use of URI bug. Very high probability of fraud.
score KAM_URIPARSE 7.00

This trick is so good, it even tricks popup blockers such as Google's toolbar. As an example, using a link such as the one below will LOOK like you are going to paypal.com but in fact you are going to netcbc.net/paypal (this is a REAL fraud website so don't go using it).

http://[EMAIL PROTECTED]/paypal/

I found out about this problem late last week and was hoping Microsoft would have it patched before I had to write this note. Unfortunately, it is still not patched to the best of my knowledge on December 19th over a week later.

Additionally, on December 17th, I was forwarded a copy of one of the emails using this technique to fraudulently gather information. This technique called "Phishing" has been around for a while but this bug will make even expert users fall prey to this trick.

I would recommend forwarding this information to people you feel can properly handle the information but I think this is going to very quickly become the largest scam tool on the internet.

Regards,
KAM

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
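
The following is an added example, not part of the original messages and not SpamAssassin's own code: it runs the two rule patterns from the thread, transcribed to Python, over constructed URIs to show where each one hits and misses. It assumes uri rules are matched against the full URI string including its scheme; the AUTHORITY pattern and all sample URIs are hypothetical.

```python
import re

# The two patterns posted in the thread, transcribed to Python syntax.
SIMPLE = re.compile(r"%01@", re.I)            # /\%01\@/i
ANCHORED = re.compile(r"^[^/]*%0[01][^/]*@")  # /^[^\/]*\%0[01][^\/]*\@/

# Hypothetical variant (not from the thread): optional scheme and "//",
# then %00 or %01 anywhere in the userinfo, that is, before the "@" and
# before the first "/", "?" or "#" that ends the authority component.
AUTHORITY = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*:)?(?://)?[^/?#]*%0[01][^/?#]*@", re.I
)

# Constructed sample URIs on reserved example domains.
SAMPLES = [
    "http://www.example.com%01@phish.example.net/login/",     # %01 before @
    "http://www.example.com%00@phish.example.net/login/",     # %00 variant
    "http://www.example.com%01%20@phish.example.net/login/",  # padding after %01
    "www.example.com%01@phish.example.net/login/",            # no scheme
    "http://example.org/page?ref=%01@x",                      # %01@ only in query
    "http://user@example.org/",                               # ordinary userinfo
]


def classify(uri):
    """Return (simple, anchored, authority) match results for one URI."""
    return tuple(bool(p.search(uri)) for p in (SIMPLE, ANCHORED, AUTHORITY))


def report():
    """Map every sample URI to its three match results."""
    return {uri: classify(uri) for uri in SAMPLES}


if __name__ == "__main__":
    print(f"{'simple':>7} {'anchored':>9} {'authority':>10}  uri")
    for uri, (s, a, h) in report().items():
        print(f"{s!s:>7} {a!s:>9} {h!s:>10}  {uri}")
```

The anchored pattern cannot cross the slashes in "http://", so under the stated assumption it only fires on scheme-less URIs, while the simple pattern misses the %00 and padded forms and also fires on "%01@" in a query string.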