On 18.01.2014 19:02, Benny Pedersen wrote:
They look like the original, and just the link in the middle, where it
says "download your bill here", goes to a site containing trojans.

+1

I have seen some that contain an HTML attachment; this is now blocked in my own ClamAV rule

Problem is, the link always changes, so you permanently run after it. Currently all those messages I saw have a link to a .ru (Russian) site, but that could change quickly I guess.
and here I'd need to check for URIs *other than* Vodafone:
meta VODAFONEforged VODAFONEgood && any_uri_except __VODAFONE_URI

Is it linked to http://, not to https://? If users want to pay on http://, tell them :=)

Phishes mostly go to http:// pages, not to https://. I wonder why.

That should not matter. I want to say "if there is a bill claiming to be from Vodafone, then there MUST NOT be any link to anything other than https?://vodafone.de". Any idea how I could check for this?

So I want to catch a real-looking Vodafone bill that has any URI to
another domain. Also, as Vodafone uses SPF, I'd like to check if I hit
VODAFONEgood && !SPF signature in the mail.
This is complicated since you believe phishes only have this domain as sender; URL and envelope can match, and this would be great if they do, but it's hard for SpamAssassin to figure out which domains are forged or not based on this.
I mean: if there's a mail whose context says it's a bill from Vodafone, then it should be from Vodafone and have a correct SPF signature.

The problem with all this is that there are MANY companies, so does
someone have a better idea?

I need samples to help, or just wait to see one here.

I just sent some pastebin as an answer on Axb's mail.
