(Note: CC: changed to users@spamassassin.apache.org - @incubator.apache.org address is deprecated).

Sander Holthaus - Orange XL wrote:
[snip]
| But couldn't some 'simple' rules fix this? One metafilter that looks for
| valid links (images, href's, email-addresses) to ebay, amazon, banks,
| etc. and another meta-rule that looks for links that point to non-ebay,
| non-amazon, non-bank links. A phisher will always need to point the
| users to a site that is under his control and it shouldn't be too hard
| to recognize this site.

I've been using the attached for a while to catch paypal phishing scams, and am in the process of modifying it to catch ebay account scams too.

Caveat: It's never FPd for me but there is plenty of potential there.

Anyway, feel free to use/adapt/whatever to suit.

Kind Regards,
Craig.
#
# Rules to catch PayPal phishing attempts.
#
# Checks for common paypal "update your account" phrases, or "unauthorised
# access" phrases. Confirms that the mail came from @paypal and contains
# only paypal.com links, otherwise throws scores.
#
# Craig McLean - 2005/05/22

# Sender address check
header __LOCAL_PP_ISFROMPP From:addr =~ /[EMAIL PROTECTED]/i

# Subject phrases
header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing )?(?:records?|information|account)'i
header __LOCAL_PP_S_AUT Subject: =~ m'unauthori[sz]ed access'i

# Body phrases
body __LOCAL_PP_B_UPD m'(?:confirm|updated?|verify|restore) (?:your|the) (?:account|current|billing|personal)? ?(?:records?|information|account|identity|access|data)'i
body __LOCAL_PP_B_ATT m'one or more attempts'i
body __LOCAL_PP_B_ACT m'unusual activity'i

# Link checks: PayPal CGI URL present, and any link outside paypal.com
uri __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?'i
uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal)\.com)(?:[A-Za-z0-9-_\.]+)'i

meta LOCAL_PP_UPD_BADURL (__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
meta LOCAL_PP_UPD_BADADDR (!__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) && __LOCAL_PP_PPCGIURL))

describe LOCAL_PP_UPD_BADURL paypal/ebay account update, but has bad URL
describe LOCAL_PP_UPD_BADADDR paypal/ebay account update, but from bad email

score LOCAL_PP_UPD_BADURL 4
score LOCAL_PP_UPD_BADADDR 4
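
Added example, not part of the original post or of SpamAssassin itself: a small Python regression harness that runs the `__LOCAL_PP_NONPPURL` pattern over constructed URLs and compares it with a check on the parsed hostname, which is useful before adapting the rule to eBay or bank domains. The function `host_is_foreign` and all sample URLs are assumptions made for illustration; Python's `re` evaluates this particular pattern the same way Perl does.

```python
import re
from urllib.parse import urlsplit

# Pattern copied verbatim from the __LOCAL_PP_NONPPURL uri rule above.
NONPP_RE = re.compile(
    r"https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal)\.com)(?:[A-Za-z0-9-_\.]+)",
    re.I,
)


def rule_flags(url):
    """True when the posted regex treats the URL as a non-PayPal link.

    Uses an unanchored search, like a SpamAssassin uri rule.
    """
    return NONPP_RE.search(url) is not None


def host_is_foreign(url, domain="paypal.com"):
    """Hypothetical alternative: decide on the parsed hostname's suffix."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return not (host == domain or host.endswith("." + domain))


# Constructed test URLs; example.net and 192.0.2.10 are reserved for documentation.
SAMPLES = [
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login",    # genuine form
    "https://paypal.com/",                                 # no "www." label
    "https://sub.www.paypal.com/",                         # deeper subdomain
    "http://192.0.2.10/paypal/",                           # bare IP address
    "http://www.paypal.com.example.net/cgi-bin/webscr?x",  # brand as a prefix
]


def compare():
    """Map each sample URL to (regex verdict, hostname verdict)."""
    return {u: (rule_flags(u), host_is_foreign(u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (regex_hit, host_hit) in compare().items():
        mark = "" if regex_hit == host_hit else "   <-- verdicts differ"
        print(f"regex={regex_hit!s:5} host={host_hit!s:5} {url}{mark}")
```

The pattern only inspects the text right after the first hostname label, so the verdicts differ on the bare domain, the deeper subdomain, and the hostname that merely begins with the brand name.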