Hi fellow assassins...

I recently received an FDIC phish scam mail (tagged as spam by SA
which is good) with this embedded url:

<a href=3D"http://www.fdic.gov=01
(inserting this into the middle of the url so the list malware
scanner doesn't reject it)
@211.191.98.216:3180/index.htm">htt=
p://www.fdic.gov/idverify/cgi-bin/index.htm</a>

This seems like it could be a pattern worth tagging for many points.
Almost no legitimate mail will include a url with a misleading
destination like this, right? So what kind of rule will catch this?
Here's my first attempt:

body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
score PHISHERMEN 5.0

I don't know if I wrote it right; I'm not a regex genius. Here's
what I'm trying to do:

http://

non-greedily followed by any number of alphanumeric characters

followed by .

the previous two expressions should repeat at least once

non-greedily followed by between two and ten alpha characters (the
faked top level domain)

followed by any characters other than spaces or /

followed by @



So, can you regex and SpamAssassin geniuses provide feedback on my
rule? Will it work to catch these phishermen? Will it avoid tagging
legitimate URLs?

Thanks


-- 
Kurt Yoder
Sport & Health network administrator
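
An added example, not part of the original post: Python that runs the posted pattern (without the SpamAssassin /.../ delimiters) over constructed URLs and compares it with a check that isolates the URL authority before looking for "@". The host names, addresses and function names are made up for illustration.

```python
import re

# The pattern from the rule in the post, without the /.../ delimiters.
POSTED_RULE = re.compile(r"http://(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@")

# Authority = everything between "scheme://" and the first "/", "?" or "#".
AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#\s]*)", re.I)
# Userinfo that itself looks like a host name (labels, dots, alphabetic TLD).
HOSTLIKE = re.compile(r"^(?:[\w-]+\.)+[a-z]{2,10}\b", re.I)


def misleading_userinfo(url):
    """Return (claimed_host, real_host) when the text before "@" in the
    authority looks like a host name other than the one contacted."""
    m = AUTHORITY.match(url)
    if not m:
        return None
    userinfo, at, hostport = m.group(1).rpartition("@")
    if not at:
        return None
    real_host = re.sub(r":\d*$", "", hostport).lower()  # drop the port
    claimed = HOSTLIKE.match(userinfo)
    if claimed and claimed.group(0).lower() != real_host:
        return claimed.group(0).lower(), real_host
    return None


def compare(url):
    """(does the posted pattern match?, result of the authority check)"""
    return bool(POSTED_RULE.search(url)), misleading_userinfo(url)


# Constructed sample URLs (example domains and a documentation IP address).
SAMPLES = [
    "http://www.bank.example\x01@192.0.2.10:3180/index.htm",  # shape from the post
    "http://www.bank.example/idverify/index.htm",             # ordinary link
    "http://www.bank.example/login?user=bob@mail.example",    # "@" after the path
    "http://www.bank.example?user=bob@mail.example",          # "@" in query, no "/"
    "http://bob@www.bank.example/",                           # plain user name
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(repr(u), compare(u))
```

The fourth sample is the case where the two differ: the posted pattern matches it because nothing stops `[^/\s]*?` at the "?", while the authority check does not.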


