Philip Tucker said:
> I've noticied in a lot of these phishing messages they will have
> links hiding the real URL behind a fake but genuine looking URL,
> like the following:
>
> <a
> href="http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=Securit
> yUpdate&[EMAIL PROTECTED]/~gotiere/verified_by_
> visa.htm">http://www.visa.com</a>
>
> Have any spamassassin rules been written to match links with a URL
> in the display text ("http://www.visa.com"; in this example) in which
> the domains differ ("www.visa.com" vs "63.247.87.138")?
This one seems to work for me:
#try to detect phishing schemes and penalize as spam
uri PHISHERMEN /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
describe PHISHERMEN probable web url disguised as another url for
phishing
score PHISHERMEN 3.0
--
Kurt Yoder
Sport & Health network administrator
-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
