On 11-May-2009, at 03:11, Ned Slider wrote:
> My thinking is that combined as a meta with a few simple keywords/phrases (e.g., alert, security, account suspended, etc.) it might make a very effective rule against bank phish.
The only thing that needs to be done to prevent bank phish is to check the sending host against the bank name or check the mail for auth. If they don't match, score 1000. There's no need to get into the body of the message at all. bankofamerica.com is not sending phishing spam.
This does require a list of banks, but something like this should work (cribbed from Dave Pooser):
whitelist_auth *...@paypal.com
whitelist_auth *...@bankamerica.com
header FROM_PAYPAL Received =~ /from ....@paypal\.com/
score FROM_PAYPAL 100
header FROM_BOA Received =~ /from ....@bankofamerica\.com/
score FROM_BOA 100

etc.

--
From deep inside the tears that I'm forced to cry
From deep inside the pain I--I chose to hide
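The following is an added example, not part of the original message or of SpamAssassin: a Python sketch of the "check the mail for auth" branch, which flags mail whose From claims a listed bank unless an SPF or DKIM pass for that same domain was recorded by the receiving MTA. The authserv-id `mx.example.net`, the verdict strings and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

PROTECTED = ("paypal.com", "bankofamerica.com")  # the two domains named in the post
AUTHSERV_ID = "mx.example.net"  # assumption: the name our own MTA stamps on its results

PASS_RE = re.compile(
    r"\b(?:dkim|spf)=pass\b[^;]*?\b(?:header\.d|smtp\.mailfrom)=(?:[^\s;@]*@)?([\w.-]+)",
    re.I)

def aligned(domain, brand):
    """True if domain is the brand domain or a subdomain of it."""
    return domain == brand or domain.endswith("." + brand)

def passed_domains(msg):
    """Domains with an SPF or DKIM pass, read only from headers our MTA wrote."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines
        writer = (value.split(";")[0].split() or [""])[0]
        if writer.lower() != AUTHSERV_ID:
            continue  # anyone upstream can add this header, so ignore foreign ones
        found.update(d.lower().rstrip(".") for d in PASS_RE.findall(value))
    return found

def verdict(raw):
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    brand = next((b for b in PROTECTED if aligned(sender, b)), None)
    if brand is None:
        return "not-protected"   # From does not claim a listed bank
    if any(aligned(d, brand) for d in passed_domains(msg)):
        return "authenticated"   # the whitelist_auth case
    return "forged"              # claims the bank, no matching auth: score high

# Constructed sample messages (not real mail).
SAMPLES = {
    "real": "From: service@paypal.com\nAuthentication-Results: mx.example.net;"
            " dkim=pass header.d=paypal.com\n\nhi",
    "spoof": 'From: "Bank of America" <alert@bankofamerica.com>\n'
             "Authentication-Results: mx.example.net; spf=pass"
             " smtp.mailfrom=bounce@bulk.example.org\n\nverify your account",
    "foreign": "From: service@paypal.com\nAuthentication-Results: other.example;"
               " dkim=pass header.d=paypal.com\n\nhi",
    "other": "From: friend@example.org\n\nlunch?",
}
```

The "foreign" sample shows why the header's writer matters: an Authentication-Results line not stamped by the receiving MTA proves nothing and is skipped.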