Hi;

Marc Perkel wrote:
> To catch this:
>
> In order to confirm you Web-Mail identity, you are to provide the
> following data;
<snip>
I have a generic phishing rule to reduce the incidence of customers giving out their data. It could be easily modified to hit your example. I got the basic idea from a post on here, so many thanks to that poster, whoever they are :-) Any improvements would be welcome.

This is site specific, so change Example to your domain and watch out for line wrapping.

## Some of these words overlap between tests, this is a feature
## hello there
body __SITE_PH_DEAR /(\W|^)(Dear\s+(\W{0,2}Example(.com)?|Value|Customer|Account|E\-?mail Account|Web\-?mail|user)|Att(entio)?n|Account User)/i
body __SITE_PH_START /(inform you)/i
## there is a problem with
body __SITE_PH_SERVICE /(webmail|email|e-mail|account|mail|Internet|network|systems|database)/i
## we need your
body __SITE_PH_NAME /((((Sur|Fore?|Christian|First|Last|User)\s*)?Names?)|AccessID)/i
body __SITE_PH_AGE /(Your\s+)?(age|date\s+(of\s+)?birth|DOB)/i
body __SITE_PH_EMAIL /((your\s+(\w+\s+)?e\-?mail|E\-?mail\s+Address)|username|User Name|login|logon|identity|id|reply\s+to)/i
## and especially
body __SITE_PH_PASS /(Pass\s*word|Passwd|Pass\s*Phrase|Ident(ification)?|your\s+details)/i
## because we are fixing
body __SITE_PH_UPGRADE /(upgrad(e|ing|ed)|updat(e|ing|ed)|security|sc?heduled|maintainence|maintenance|activation|data\s+base)/i
## obey or bad thing will happen
body __SITE_PH_BADTHING /(error|interuption|failure|interupted|disruption|delet(e|ing)|de\-?activat(ed|ing|e)|remov(e|ed)|suspended|damage|shutting|terminat(e|ing|ed)|Technical\s+Support|un\-?authorised|in\-?active)/i
meta MYSITE_PHISH_M4 ((__SITE_PH_DEAR || __SITE_PH_START) && __SITE_PH_SERVICE && (__SITE_PH_NAME || __SITE_PH_AGE || __SITE_PH_EMAIL) && __SITE_PH_PASS && __SITE_PH_UPGRADE && __SITE_PH_BADTHING)
score MYSITE_PHISH_M4 0.1

Seems to get a few hits on the mail below.
dbg: rules: ran body rule __SITE_PH_NAME ======> got hit: "First Name"
dbg: rules: ran body rule __SITE_PH_PASS ======> got hit: "ident"
dbg: rules: ran body rule __SITE_PH_SERVICE ======> got hit: "mail"
dbg: rules: ran body rule __SITE_PH_AGE ======> got hit: "Date of Birth"
dbg: rules: ran body rule __SITE_PH_EMAIL ======> got hit: "identity"

If you meta this with a network check like BOTNET, DCC, RAZOR etc. you can increase accuracy.

Rgds
N

Marc Perkel wrote:
> To catch this:
>
> In order to confirm you Web-Mail identity, you are to provide the
> following data;
>
> First Name: Last Name: Username/ID: Password: Date of Birth:
>
> Affirm your willingness and cooperation please, by replying me
> stating your FULL NAME, DATE OF BIRTH, TELEPHONE NUMBER, FAX NUMBER,
> and CONTACT ADDRESS.
>
> Feel Free To Call: +44 703-592-2805 Provide the following under
> listed information 1.Full Name:2.Full
> Address:3.Nationality:4.Age/Sex:5.Mobile Contact:6.Occupation:7.Job
> Description: