hamann.w wrote:
>
>>> Hello,
>>>
>>> We are getting a fair amount of very targeted phish attempts to our
>>> userbase. Since we are relatively small, I don't think any of the URIBLs
>>> really help (or phishtank or other lists) since we're not a large bank or
>>> paypal or anything like that.
>>>
>>> I did see some gentleman make a rather valiant attempt at listing all the
>>> common phrases here:
>>>
>
> Hi,
>
> I would not feel inclined to update a filter every day .... so the
> question is: what do these things have in common?
>

The message is always short, always mentions "webmail", "upgrade", "update", "your information" and then a link to an offsite URL. The list of words in the linked ruleset is pretty much on target for the type of phrases they include. Older variations did not link to a form, but instead simply asked the user to reply with their email and password (which, sadly always worked on a few of our users).

hamann.w wrote:
>
> It seems somebody wants your users to complete a form .... where would the
> form be sent to?
> A valid domain, or just some ip address
>

Usually a valid, legitimate domain. Obviously a hacked site where they have installed a form that collects the login info. They used to hotlink our css and images until I started serving up a "different" version. Now they host the images and css with the form.

Here's the latest example:

http://broomesol.com/upgrade.webmail.bway.net/main_login.htm

Compare to our actual webmail login:

https://webmail.bway.net/

Thanks,
Charles

hamann.w wrote:
>
> Regards
> Wolfgang
>
> a fellow qmail user :)
>

--
View this message in context: http://old.nabble.com/Better-phish-detection-tp33478328p33478504.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
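
An added example, not part of the original thread or of any SpamAssassin ruleset: a small Python scorer for the traits described in the reply above (the lure phrases, an offsite link, the site's own domain embedded in a foreign URL as in the quoted example, and the older reply-with-your-password variant). The function names, weights, length cut-off and sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

OUR_DOMAIN = "bway.net"  # the poster's own domain, as it appears in the thread
LURE_WORDS = ("webmail", "upgrade", "update", "your information")  # from the post
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Weights and the length cut-off are assumptions for illustration, not tuned values.
WEIGHTS = {"lure_words": 1.0, "offsite_link": 1.0, "our_domain_in_foreign_url": 2.5,
           "password_by_reply": 2.5, "short_body": 0.5}
SHORT_BODY_CHARS = 1200


def is_ours(host):
    """True for bway.net and its subdomains, False for look-alikes like bway.net.example."""
    host = host.lower().rstrip(".")
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def score_message(body):
    """Return (score, sorted reasons) for one plain-text message body."""
    text, reasons = body.lower(), set()
    hits = [w for w in LURE_WORDS if w in text]
    if "webmail" in hits and len(hits) >= 2:
        reasons.add("lure_words")
    for url in URL_RE.findall(body):
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        host = parts.hostname or ""
        if not host or is_ours(host):
            continue
        reasons.add("offsite_link")
        # Our domain inside a foreign host name or path, as in the thread's example URL.
        if OUR_DOMAIN in (host + parts.path).lower():
            reasons.add("our_domain_in_foreign_url")
    # Older variant from the post: no link, the user is asked to reply with credentials.
    if re.search(r"\breply\b", text) and "password" in text:
        reasons.add("password_by_reply")
    if reasons and len(body) <= SHORT_BODY_CHARS:
        reasons.add("short_body")
    return sum(WEIGHTS[r] for r in reasons), sorted(reasons)


# Constructed sample bodies (the first reuses the URL quoted in the thread).
PHISH_FORM = ("Dear user, your webmail account needs an upgrade. Update your information "
              "here: http://broomesol.com/upgrade.webmail.bway.net/main_login.htm")
PHISH_REPLY = "Webmail upgrade notice: reply to this message with your email and password."
LEGIT = "Scheduled maintenance tonight. Webmail stays available at https://webmail.bway.net/"
```

The strongest signal here is site-specific: a link whose host is not under `bway.net` but whose host or path contains `bway.net`, which needs no daily phrase-list maintenance.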