[Esd-l] Back working on Phish sanitizing...

Smart,Dan SmartD at VMCMAIL.com
Fri Feb 18 11:06:02 PST 2005

OK, not so easy.  Looking at a few more, they are using oddball hostnames. 
This may be better done in SpamAssassin with scoring.

> -----Original Message-----
> From: esd-l-bounces at spconnect.com 
> [mailto:esd-l-bounces at spconnect.com] On Behalf Of Smart,Dan
> Sent: Friday, February 18, 2005 11:10 AM
> To: esd-l at spconnect.com
> Subject: [Esd-l] Back working on Phish sanitizing...
> John,
> I've gotten a few more cycles to spend on catching phish attacks.
> My thought is this.  Just about every phish I've been looking 
> at uses a IP address url for the hyperlink.  So, the filter I 
> was thinking of was:
> Search for
> /<a.*href=.*http:\/\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-
> 9][0-9]?[0-9]?
> \.[0-9][0-9]?[0-9]?/i
> Which is an IP address URL.  You could defang it by making 
> the URL type
> file: instead of http:.  Or maybe gopher:
> What do you think?
> <<Dan>>
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l

More information about the esd-l mailing list