Unfortunately, although many phishing mails would match this rule, just as many legitimate messages would as well. Check the archives.

http://www.nabble.com/Detecting-phishing-urls-t1027084.html#a2669493

On Sat, 17 Jun 2006 21:56:03 +0200
 Yves Goergen <[EMAIL PROTECTED]> wrote:
Hello,
I'm running SpamAssassin on my Exim MTA and would like to add a rule of which I don't think it's built-in yet: Phishing mails commonly have an HTML link in them with a target like "http://12.34.56.78/..."; but a label like "http[s]://somedomain/...". This case where the link label is a domain but the target is a numeric IP, and even worse the case, where the label has https: and the target only http:, I would like to score a high number of points. Is this already built-in? I couldn't see it on such a mail I received today.

How can I add this rule myself? The "rawbody" option only matches line by line, which doesn't help me because the link is split over multiple lines. What I need is something to match the entire message as one, with HTML kept intact but encoding (Quoted Printable...) resolved. I have seen the HTTPS_IP_MISMATCH rule that leads me to a Perl function. I don't understand Perl very well, and this specific function is way too complex for me. Also I don't know where to add my own Perl functions. The documentation doesn't tell me.

--
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.
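
The check discussed in this thread, as an added example that is not part of either message and is not SpamAssassin code: it decodes a quoted-printable HTML body as a whole, so a link split over several lines is still seen as one anchor, and reports anchors whose label names a domain while the target host is a literal IP address, with a flag for an https label over an http target. It is written in Python rather than as a SpamAssassin plugin; `AnchorCollector`, `ip_target_scheme`, `link_mismatches` and the sample body are hypothetical names and constructed data. Since legitimate mail can match as well, as the reply points out, the result is a scoring signal rather than a verdict.

```python
import ipaddress
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Label qualifies if it starts with an optional scheme and a dotted host name.
LABEL_URL = re.compile(r"^(?:(https?)://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a>, even when it spans lines."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def ip_target_scheme(href):
    """Return the scheme if href's host is a literal IP address, else None."""
    try:
        parts = urlsplit(href)
        ipaddress.ip_address(parts.hostname or "")
        return parts.scheme
    except ValueError:  # malformed URL or host is not an IP literal
        return None

def link_mismatches(qp_html: bytes):
    """Yield (label, href, https_downgrade) for domain labels on IP targets."""
    parser = AnchorCollector()
    parser.feed(quopri.decodestring(qp_html).decode("utf-8", "replace"))
    for href, label in parser.anchors:
        m, scheme = LABEL_URL.match(label), ip_target_scheme(href)
        if m and scheme is not None:
            downgrade = (m.group(1) or "").lower() == "https" and scheme == "http"
            yield label, href, downgrade

# Constructed sample: quoted-printable HTML with the first link split over lines.
SAMPLE = (b'<a\n href=3D"http://192.0.2.10/login/=\nindex.html">'
          b"https://www.example.com/login</a>\n"
          b'<a href=3D"https://www.example.org/">www.example.org</a>\n')
if __name__ == "__main__":
    print(list(link_mismatches(SAMPLE)))
```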
