Matt Kettler said:
> At 02:39 PM 1/26/04 -0500, Kurt Yoder wrote:
> <snip>
>
>>body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
>>score PHISHERMEN 5.0
> <snip>
>
> Don't use the body ruletype.. SA removes all HTML tags before
> running body.
>
> Use uri instead of body.

OK. Maybe I'll just put it in place and see what happens.

> It also seems you're just going to catch any URL which has a username
> involved, but it's tough for me to follow that regex without
> caffeine...
>
> Why not just look for the malware codes directly? (ie: the %01)

I can't think of any obvious characteristic outside the
[EMAIL PROTECTED] I *could* start it with www,
since phishers are probably more likely to put a www on the front to
have a greater chance of "phooling" people. Maybe I'll try it with
this rule first:

uri PHISHERMEN /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^/\s]*?@/
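
To see which URIs the two posted patterns and the suggested `%01` check fire on, this added example (not part of the original messages) runs them over a few constructed URIs in Python. The rule labels, the sample URIs and the `urlsplit`-based reference check are assumptions introduced here.

```python
import re
from urllib.parse import urlsplit

# The two patterns posted in the thread, unchanged. They are Perl regexes;
# every construct used here means the same thing in Python's re module.
RULES = {
    "original": re.compile(r"http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@"),
    "www": re.compile(r"http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^/\s]*?@"),
    # The alternative suggested in the reply: look for the %01 code itself.
    "pct01": re.compile(r"%01"),
}


def has_userinfo(uri):
    """Parser-based reference: is there a user[:password]@ part before the host?"""
    return urlsplit(uri).username is not None


def evaluate(uri):
    """Return a dict saying which of the checks fire for one URI."""
    hits = {name: bool(rx.search(uri)) for name, rx in RULES.items()}
    hits["userinfo"] = has_userinfo(uri)
    return hits


# Constructed sample URIs (reserved example domains, documentation IP range).
SAMPLES = [
    "http://www.bank.example%01@198.51.100.7/login",   # www host name used as userinfo
    "http://bank.example%01@198.51.100.7/login",       # same shape, no www prefix
    "http://john.doe@intranet.example/wiki",           # dotted user name, no %01
    "http://user:pw@ftp.example.org/pub/",             # userinfo without a dot
    "http://www.example.org/contact?to=a@b.example",   # '@' only after the first '/'
]

if __name__ == "__main__":
    for uri in SAMPLES:
        fired = [name for name, hit in evaluate(uri).items() if hit]
        print(f"{uri:48} {', '.join(fired) or '-'}")
```
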

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
