OK, here's what I finally came up with and tested against the phish
email. The rule worked in identifying the misleading url but didn't
trigger when I put in various "legitimate looking" test user names
in front of the @. I tested against

[EMAIL PROTECTED]
[EMAIL PROTECTED]

using

# try to detect phishing schemes and penalize as spam
uri       PHISHERMEN  /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
describe  PHISHERMEN  probable web url disguised as another url for phishing
score     PHISHERMEN  3.0

This rule could use improvement; any regex gurus want to give some
hints? Specifically, I'd like to look for any "=" and/or "?" between
the fake domain (in this example www.fdic.gov) and the @. So the
regex would trigger on jumbles of characters simulating HTTP GET
URLs.

-- 
Kurt Yoder
Sport & Health network administrator
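
An added example, not part of the original post: a Python harness that runs the posted pattern and a hypothetical stricter variant, one that requires a "?" or "=" between the decoy host and the "@", over constructed URIs. The names WITH_QUERY, SAMPLES, evaluate and report and all sample URIs are assumptions made for illustration.

```python
import re

# Pattern from the posted PHISHERMEN rule, unchanged apart from dropping the
# Perl delimiters and their escaped slashes.
POSTED = re.compile(r"http://www\.(\w*?\.)*[a-zA-Z]{2,10}?[^/\s]*?@")

# Hypothetical stricter variant (not from the post): same decoy-host prefix,
# but a "?" or "=" must appear between the decoy host and the "@".
WITH_QUERY = re.compile(
    r"http://www\.(?:\w+\.)*[a-zA-Z]{2,10}[^/\s@]*[?=][^/\s@]*@"
)

# Constructed sample URIs. example.com, example.net and 192.0.2.0/24 are
# reserved for documentation use.
SAMPLES = {
    "decoy_plain": "http://www.example.com@192.0.2.7/login.html",
    "decoy_query": "http://www.example.com?id=4f2a&s=77@192.0.2.7/login.html",
    "decoy_eq_only": "http://www.example.com=a9x@192.0.2.7/",
    "plain_user": "http://jsmith@www.example.net/inbox",
    "no_userinfo": "http://www.example.com/page?x=1",
    "at_in_path": "http://www.example.com/a?mail=bob@example.net",
}


def evaluate(uri):
    """Return (posted_rule_hit, query_variant_hit) for one URI string."""
    return bool(POSTED.search(uri)), bool(WITH_QUERY.search(uri))


def report(samples=SAMPLES):
    """Evaluate every sample and return {name: (posted, with_query)}."""
    return {name: evaluate(uri) for name, uri in samples.items()}


if __name__ == "__main__":
    for name, (posted, with_query) in report().items():
        print(f"{name:14} posted={posted!s:5} with_query={with_query}")
```

The posted pattern already fires on the query-like samples because `[^\/\s]*?` accepts "?" and "="; the variant only narrows the match to URIs that contain one of them before the "@".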


