Re: Better phish detection

On 12/03/12 17:02, David B Funk wrote:
> On Mon, 12 Mar 2012, Paul Russell wrote:
>
>> On 3/10/2012 16:43, Ned Slider wrote:
>>>
>>> This one is easy enough - if the latter is the only valid url that
>>> should ever appear in an email, create a meta rule that looks for a
>>> url containing bway.net (or even just bway or webmail or login etc),
>>> but isn't https://webmail.bway.net/.
>>>
>>> Create meta rules for the common words you have identified. Link
>>> these with a rule such as __HAS_ANY_URI or some of your webmail based
>>> URI rules above.
>>>
>>> What other rules commonly hit - are they sent from freemail accounts?
>>> Do they hit any DNSBL's?
>>
>> It's not that simple. If it were, the problem would not have been
>> ongoing for at least 4 years.
>
> Technically what Ned said is correct "This one is easy enough".
> Yes THIS ONE (emphasis mine) is easy enough, but for some of us these
> kind of spear-phishing attacks are an ever mutating problem and some
> are damned clever.
>

Exactly, if you only provide one snippet of an example you don't give us
much to work with so the best we can do is suggest a rule that will
catch that one very narrow example :-/

Give us a tarball of (preferably unredacted) examples to work with - you
must have hundreds collected over the last 4 years.

• This message: [ Message body ]
• Next message: Kevin A. McGrail: "Re: Feedback on wl.mailspike.net"
• Previous message: RW: "Re: Non-western Bayes (was Re: Help with blocking Chinese Spam)"
• In reply to: David B Funk: "Re: Better phish detection"
• Next in thread: sporkman: "Re: Better phish detection"
• Reply: sporkman: "Re: Better phish detection"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]