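# Phishing spam rules
# $Id: phishing.cf,v 1.2 2008-10-30 13:13:30-07 jhardin Exp jhardin $
# http://www.impsec.org/~jhardin/antispam/
#
# Layout: one directive per line. SpamAssassin reads its configuration
# line by line and treats everything after a leading '#' as a comment, so
# these rules only load when each describe/body/header/uri/meta/score
# directive sits on its own line.
#
# Scoring model: every rule here is a weak, additive indicator. Almost all
# of the phrases also occur in legitimate account notices, so no single
# rule is meant to decide a verdict on its own; PHISH_MANY (at the end)
# adds weight once several indicators fire on the same message.
#
# Rules with no "score" line (PHISH_08 .. PHISH_12) receive SpamAssassin's
# default score of 1.0, which is higher than any explicitly scored pattern
# rule in this file. Set explicit scores if that weighting is not intended.

# --- Account-action phrases ("verify your account", ...) ---------------

describe PHISH_01   Phishing for account information
body     PHISH_01   /\b(?:safeguard|confirm|renew|update|verify|suspend|protect|secure|re-enroll)\s(?:your|the)\s(?:online|information|checking|(?:\w+\s)?(?:bank\s)?account|service|banking)/i
score    PHISH_01   0.5

# Subject-line variant of PHISH_01. No leading \b, and "your" is required
# ("the" is not accepted here).
describe PHISH_01s  Phishing for account information
header   PHISH_01s  Subject =~ /(?:safeguard|confirm|renew|update|verify|suspend|protect|secure|re-enroll)\syour\s(?:chase(?:\.com)?|online|information|checking|(?:\w+\s)?(?:bank\s)?account|banking)/i
score    PHISH_01s  0.5

describe PHISH_02s  Phishing for account information
header   PHISH_02s  Subject =~ /\byour\s(?:\w+\s)?account\srequires\simmediate/i
score    PHISH_02s  0.75

describe PHISH_03s  Phishing for account information
header   PHISH_03s  Subject =~ /\baccount\ssuspen(?:sion|ded)/i
score    PHISH_03s  0.25

# --- PayPal-themed indicators ------------------------------------------
# PHISH_04 and PHISH_07 match references to PayPal's own hosts. They show
# that a message is PayPal-themed; they also hit on genuine PayPal mail,
# hence the low scores.

describe PHISH_02   PayPal Phishing
body     PHISH_02   /\byour\sPayPal\saccount/i
score    PHISH_02   0.2

describe PHISH_03   Phishing
body     PHISH_03   /\bavoid\sunauthorized\scharges/i
score    PHISH_03   0.2

# The pattern is unanchored, so it matches the string anywhere in a URI.
describe PHISH_04   PayPal Phishing
uri      PHISH_04   /images\.paypal\.com/i
score    PHISH_04   0.2

# Very broad: "your account" alone is enough to hit.
describe PHISH_05   Phishing for account information
body     PHISH_05   /\b(?:verified|bank|checking|your)\saccount/i
score    PHISH_05   0.1

describe PHISH_06   Phishing
body     PHISH_06   /\bKeep(?:ing)?\syour\sinformation\s(?:up\sto\sdate|current|secure)/i
score    PHISH_06   0.2

# rawbody: matched against the undecoded body text. Only "http://" is
# matched; an "https://" reference does not hit this rule.
describe PHISH_07   PayPal Phishing
rawbody  PHISH_07   /http:\/\/(?:images|www)\.paypal\.com\/(?:cgi-bin|images)\//i
score    PHISH_07   0.2

# --- Account-threat phrases, unscored (default score 1.0 each) ---------

# A duplicated "close" alternative was removed from the first group; the
# set of strings matched is unchanged.
# NOTE(review): "(?:re)?activat(?:ion|ed)?" followed by \s does not match
# "activate"/"reactivate" (the trailing "e" is not covered) - confirm
# whether that is intended.
describe PHISH_08   Phishing
body     PHISH_08   /\b(?:validate|disable|suspend|close|restrict|confirm(?:ed|ation)?|protect(?:ed|ion)?|verif(?:y|ied|ication)|(?:re)?activat(?:ion|ed)?|access|secur(?:e|ity))\s(?:(?:of|to)\s)?(?:the|your|our)\s(?:(?:current|personal|(?:\w+\s)?bank|checking)\s)?(?:account|identity|information|records)/i

# The final group has no trailing anchor, so "suspend" also matches
# "suspended", "close" matches "closed", and so on.
describe PHISH_09   Phishing
body     PHISH_09   /\b(?:account|access)\s(?:may|will)\sbe\s(?:subject\sto\s)?(?:temporary\s)?(?:close|restrict|disable|suspend|suspension)/i

describe PHISH_10   Phishing
body     PHISH_10   /\b(?:suspend|disable|restrict|close|restore)\s(?:the|your|any|all)\s(?:\w+\s)?(?:account|access)/i

# Structural tells rather than wording: a Content-Type line appearing in
# the body text whose quoted charset value is never closed (PHISH_11), and
# a content="...; charset=" attribute where the charset value is not
# immediately followed by a quote (PHISH_12, case-sensitive).
describe PHISH_11   Malformed PayPal Phishing/Worm
body     PHISH_11   /^Content-Type:.{0,80}charset="[^"]+$/i

describe PHISH_12   Malformed PayPal Phishing/Worm
body     PHISH_12   /\scontent="[^";]+;\scharset=[^"]/

# --- Sentence-level threat patterns ------------------------------------
# The bounded gaps ([^.]{1,80}, [^.,]{0,80}) keep each match inside one
# sentence or clause and cap how far the regex engine has to scan.

describe PHISH_13   Phishing
body     PHISH_13   /\byour\s[^.,]{0,80}(?:accounts?|access)\s[^.,]{0,80}(?:no\slonger|not)\s[^.,]{0,80}available/i
score    PHISH_13   0.50

describe PHISH_14   Phishing
body     PHISH_14   /\b(?:account|service)[^.]{1,80}will\sbe[^.]{1,80}(?:deactivated|suspended|deleted)[^.]{1,80}(?:if\snot|unless)[^.]{1,80}(?:renew|update)[^.]{1,80}(?:immediately|right\saway)/i
score    PHISH_14   0.75

# Matches the literal misspelling "dont"; text written as "don't" does not
# hit this rule.
describe PHISH_15   Phishing
body     PHISH_15   /\bif\syou\sdont\s[^.]{1,80}(?:authenticate)[^.]{1,80}(?:account|service)[^.]{1,80}will\sbe[^.]{1,80}(?:deactivated|suspended|deleted)/i
score    PHISH_15   0.75

describe PHISH_16   Phishing
body     PHISH_16   /\baccount\sha[ds]\s(?:not\s)?been\s(?:recently\s)?compromised/i
score    PHISH_16   0.50

# PHISH_17 and PHISH_17s differ only by the leading \b, so every PHISH_17s
# hit is also a PHISH_17 hit: a word-boundary match adds 0.25 + 0.75 = 1.0
# and counts as two rules towards PHISH_MANY.
# NOTE(review): the other "s"-suffixed rules in this file are Subject
# header rules, but PHISH_17s is a body rule - confirm that is intended.
describe PHISH_17   Phishing
body     PHISH_17   /(?:account|service|profile)[^.]{1,80}(?:will\sbe|has\sbeen)[^.]{1,80}(?:deactivated|suspended|locked)/i
score    PHISH_17   0.25

describe PHISH_17s  Phishing
body     PHISH_17s  /\b(?:account|service|profile)[^.]{1,80}(?:will\sbe|has\sbeen)[^.]{1,80}(?:deactivated|suspended|locked)/i
score    PHISH_17s  0.75

describe PHISH_18   Phishing
body     PHISH_18   /\bbank\w{0,80}\s(?:account|service)\s[^.]{1,80}(?:fraudulent|information)/i
score    PHISH_18   0.25

describe PHISH_19   Phishing
body     PHISH_19   /\bindefinitely\ssuspended/i
score    PHISH_19   0.25

describe PHISH_20   Phishing
body     PHISH_20   /\bunauthorized\sthird\sparty/i
score    PHISH_20   0.25

# --- Aggregate ---------------------------------------------------------
# Fires when at least 4 of the rules above hit, counting rules rather than
# summing their scores. Several rules overlap on the same text: the single
# phrase "verify your account" satisfies PHISH_01, PHISH_05 and PHISH_08,
# and SpamAssassin's body rules also see the Subject line, so that phrase
# in a Subject can additionally hit PHISH_01s and reach the threshold on
# its own. Check the hit rate of this rule against legitimate account
# notices in your own mail stream before raising its score.
describe PHISH_MANY Lots of phishing
meta     PHISH_MANY (PHISH_01 + PHISH_01s + PHISH_02 + PHISH_02s + PHISH_03 + PHISH_03s + PHISH_04 + PHISH_05 + PHISH_06 + PHISH_07 + PHISH_08 + PHISH_09 + PHISH_10 + PHISH_11 + PHISH_12 + PHISH_13 + PHISH_14 + PHISH_15 + PHISH_16 + PHISH_17 + PHISH_17s + PHISH_18 + PHISH_19 + PHISH_20) >= 4
score    PHISH_MANY 2.00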