On Sun, 28 Feb 2010, LuKreme wrote:
> On 28-Feb-10 17:25, David B Funk wrote:
> > I'm seeing a spate of PayPal/bank phishes that use an html attachment
> > (base-64 encoded) as the vehicle for the payload.
>
> SPF!
>
> <runs; ducking, shucking, and weaving>
Actually I'm happy to utilize SPF when I can. But westernunion.com doesn't
publish SPF records. And this -is- a case in point where SPF is relevant to SA. ;)

> > Is there any way to get SA to treat that attachment as text to feed to
> > the rule engine?
>
> Your best bet is to check if mail claiming to be from paypal is, in
> fact, from paypal. Without checking SPF, you can at least check if the
> server sending the mail is a paypal server using just header checks.
>
> If you search the archives for paypal ebay you should find a few
> solutions on how to deal with these.

I've got a number of PayPal specific rules, but these phishes are all over the
financial spectrum (banks, paypal, ebay, western-union, etc). The clear-text
verbiage is vague enough to make writing FP-proof but effective rules difficult.
That's why I was hoping to be able to hit against the HTML payload.

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better.  B{
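The approach the thread is circling (decode the base64 HTML attachment and inspect it as text, then compare where its links and forms point against the domain the mail claims to come from), written out as an added example that is not from this thread or from SpamAssassin. The sample message, addresses and hosts are constructed; `off_brand_hosts` is a hypothetical helper, not an SA rule.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class _TargetCollector(HTMLParser):
    # Gathers every href/action/src value from the decoded HTML.
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        self.targets += [v for k, v in attrs if k in ("href", "action", "src") and v]

def html_attachment_targets(raw_message):
    """Hostnames referenced by each text/html part, after undoing its
    base64 (or quoted-printable) transfer encoding."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hosts = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        collector = _TargetCollector()
        collector.feed(html)
        hosts += [urlparse(t).hostname.lower() for t in collector.targets
                  if urlparse(t).hostname]
    return hosts

def off_brand_hosts(raw_message, claimed_domain):
    """Payload hosts outside the domain the mail claims to come from;
    a non-empty result is what a rule would score on."""
    return sorted({h for h in html_attachment_targets(raw_message)
                   if h != claimed_domain and not h.endswith("." + claimed_domain)})

# Constructed sample: a base64-encoded HTML attachment whose form posts to
# a host unrelated to the claimed sender (all addresses and hosts invented).
_HTML = (b'<html><body><form action="https://login.example.net/verify">'
         b'<a href="https://www.paypal.com/help">help</a></form></body></html>')
SAMPLE_MESSAGE = (
    b"From: service@paypal.com\nSubject: Verify your account\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=b1\n\n"
    b"--b1\nContent-Type: text/plain\n\nSee attached form.\n"
    b"--b1\nContent-Type: text/html; name=form.html\n"
    b"Content-Transfer-Encoding: base64\n"
    b"Content-Disposition: attachment; filename=form.html\n\n"
    + base64.encodebytes(_HTML) + b"--b1--\n")
```

Running `off_brand_hosts(SAMPLE_MESSAGE, "paypal.com")` returns the form's target host, which is exactly the kind of mismatch that is hard to express against the vague clear-text body alone.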