[Esd-l] Back working on Phish sanitizing...
Smart,Dan
SmartD at VMCMAIL.com
Fri Feb 18 11:06:02 PST 2005
OK, not so easy. Looking at a few more, they are using oddball hostnames.
This may be better done in SpamAssassin with scoring.
> -----Original Message-----
> From: esd-l-bounces at spconnect.com
> [mailto:esd-l-bounces at spconnect.com] On Behalf Of Smart,Dan
> Sent: Friday, February 18, 2005 11:10 AM
> To: esd-l at spconnect.com
> Subject: [Esd-l] Back working on Phish sanitizing...
>
> John,
> I've gotten a few more cycles to spend on catching phish attacks.
>
> My thought is this. Just about every phish I've been looking
> at uses a IP address url for the hyperlink. So, the filter I
> was thinking of was:
>
> Search for
> /<a.*href=.*http:\/\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-
> 9][0-9]?[0-9]?
> \.[0-9][0-9]?[0-9]?/i
> Which is an IP address URL. You could defang it by making
> the URL type
> file: instead of http:. Or maybe gopher:
>
> What do you think?
>
> <<Dan>>
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
More information about the esd-l
mailing list