On 12/03/12 17:02, David B Funk wrote:
> On Mon, 12 Mar 2012, Paul Russell wrote:
>> On 3/10/2012 16:43, Ned Slider wrote:
>>> This one is easy enough - if the latter is the only valid url that
>>> should ever appear in an email, create a meta rule that looks for a
>>> url containing bway.net (or even just bway or webmail or login etc),
>>> but isn't https://webmail.bway.net/.
>>>
>>> Create meta rules for the common words you have identified. Link
>>> these with a rule such as __HAS_ANY_URI or some of your webmail based
>>> URI rules above.
>>>
>>> What other rules commonly hit - are they sent from freemail accounts?
>>> Do they hit any DNSBL's?
>>
>> It's not that simple. If it were, the problem would not have been
>> ongoing for at least 4 years.
>
> Technically what Ned said is correct "This one is easy enough".
> Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
> kind of spear-phishing attacks are an ever mutating problem and some
> are damned clever.

Exactly, if you only provide one snippet of an example you don't give us
much to work with so the best we can do is suggest a rule that will
catch that one very narrow example :-/
Give us a tarball of (preferably unredacted) examples to work with - you
must have hundreds collected over the last 4 years.
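
The URI check and meta rule suggested in the quoted advice, sketched as SpamAssassin local rules. This is an added example, not rules posted by anyone in the thread; the rule names, the body wording pattern and the score are assumptions to be replaced with values tuned against your own samples.

```conf
# Sub-rule: a URI that mentions the provider name or a webmail/login keyword
# but does not begin with the one legitimate webmail URL.
# The (?:\/|$) after the hostname stops a lookalike host such as
# webmail.bway.net.example.com from passing as the legitimate prefix.
uri       __LOCAL_BWAY_LOOKALIKE  /^(?!https:\/\/webmail\.bway\.net(?:\/|$)).*(?:bway|webmail|login)/i

# Sub-rule: account-themed wording in the body.
# Placeholder pattern (assumption): substitute the common words
# you have identified in your collected samples.
body      __LOCAL_ACCT_WORDS      /\b(?:verify|confirm|upgrade)\b.{0,40}\b(?:account|mailbox)\b/i

# Meta rule: require both sub-rules. The keyword half of the URI pattern
# (webmail, login) is far too broad to score by itself, so it only counts
# when the body wording also matches.
meta      LOCAL_BWAY_PHISH        (__LOCAL_BWAY_LOOKALIKE && __LOCAL_ACCT_WORDS)
describe  LOCAL_BWAY_PHISH        Webmail-themed URI that is not the real webmail URL, plus account wording
score     LOCAL_BWAY_PHISH        3.0
```

Run `spamassassin --lint` after adding the rules, and check hits against a ham corpus before raising the score.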