>> two bits of sa related code i've written, neither of them are what  
>> i'd particularly call "polished", but if you feel like firing them  
>> up, i'd love to hear your feedback:
>> 
>> Phisher:
>> http://www.faisal.com/software/phisher/
>> This is a plugin that does nothing more complicated than check for  
>> the case of something like <a href="http://scam.ru">www.paypal.com</a>.
>> I've run it on and off since August of last year, although most  
>> of the time was not after 3.1.1 (which is why I only claim it works  
>> on 3.1).  I don't have a suggested score for it (would love feedback  
>> there).  I ran it at .1 mostly to see how much it triggered and fp'd  
>> (not much, as it turns out.  I know this has been a problem in the  
>> past, so I'm wondering if the normalization code helps there, or I've  
>> just been lucky).  As noted, this has some rewrite bits coming when I  
>> get some time.
>> 
>> 

I have suggested something like this a few times, and used to hear concerns
about valid links not necessarily being the same.
These can be put into two groups: one would have links to a "related" server,
like cgi.bigcompany.com.
The other one is totally unrelated ... say a marketing company has set up a
redirector to count how often each link is visited.
For the first case I would like to suggest: if the names do not match, check
if the IPs are in the same /24.
Well, for the other one ... I would not want to read these mails even if they
are not phish.

An additional comment about phish: I get a lot of stuff that does not even
make it to SA scanning because I do not appear as a recipient. One can
probably safely assume that paypal, or any bank, would not send a
verification message to 100 recipients at once with a bcc list ... could
serve as a meta rule to triple the score for phish.

Wolfgang Hamann
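
The link-text versus href comparison described for Phisher, combined with the same-/24 check suggested in the reply, as an added Python example (not the Phisher plugin's code and not written by either poster). The function names, verdict labels and the injected `resolve` callback are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is a bare hostname or URL; group 1 is the host.
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_slash24(a, b):  # IPv4 only, as in the /24 suggestion
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/24", strict=False)

def classify_links(html, resolve):
    """(text_host, href_host, verdict) per anchor whose text names a host.
    resolve(host) -> list of IPv4 strings; injected so the check runs offline."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        m = HOST_RE.match(text)
        href_host = (urlsplit(href).hostname or "").lower()
        if not m or not href_host:
            continue  # text is not a hostname, or href has no host
        text_host = m.group(1).lower()
        verdict = "mismatch"  # text names one host, link goes elsewhere
        if text_host == href_host:
            verdict = "match"
        elif any(same_slash24(a, b) for a in resolve(text_host) for b in resolve(href_host)):
            verdict = "related"  # names differ, but the servers share a /24
        results.append((text_host, href_host, verdict))
    return results

# Constructed sample: documentation-range addresses, not real DNS answers.
SAMPLE_DNS = {"www.paypal.com": ["192.0.2.10"], "scam.ru": ["203.0.113.5"],
              "www.bigcompany.com": ["198.51.100.20"], "cgi.bigcompany.com": ["198.51.100.77"]}
SAMPLE_HTML = ('<a href="http://scam.ru">www.paypal.com</a> '
               '<a href="http://cgi.bigcompany.com/t">www.bigcompany.com</a>')
```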




