|Main Archive Page > Month Archives > spamassassin-users archives|
On 12/03/12 17:02, David B Funk wrote:
> On Mon, 12 Mar 2012, Paul Russell wrote:
>> On 3/10/2012 16:43, Ned Slider wrote:
>>> This one is easy enough - if the latter is the only valid url that
>>> should ever appear in an email, create a meta rule that looks for a
>>> url containing bway.net (or even just bway or webmail or login etc),
>>> but isn't https://webmail.bway.net/.
>>> Create meta rules for the common words you have identified. Link
>>> these with a rule such as __HAS_ANY_URI or some of your webmail based
>>> URI rules above.
>>> What other rules commonly hit - are they sent from freemail accounts?
>>> Do they hit any DNSBL's?
>> It's not that simple. If it were, the problem would not have been
>> ongoing for at least 4 years.
> Technically what Ned said is correct "This one is easy enough".
> Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
> kind of spear-phishing attacks are an ever mutating problem and some
> are damned clever.
Exactly, if you only provide one snippet of an example you don't give us
much to work with so the best we can do is suggest a rule that will
catch that one very narrow example :-/
Give us a tarball of (preferably unredacted) examples to work with - you
must have hundreds collected over the last 4 years.