Re: [exim] Phishing Targets

Author: Steve Lamb
Date:  
To: exim-users
Subject: Re: [exim] Phishing Targets
Marc Perkel wrote:
> That's where I got my list from - thanks for the link. I just took the
> ones with the biggest scores and put them in for my test. And - I'm
> catching a few. My trick doesn't depend on signatures. I figure that
> real email from these major institutions will come from a server that
> has a reverse DNS with their domain name in it. I will probably expand
> the list.


    The test I had thought of, which would be better suited in SA than Exim,
is to check the links.  If the text inside an A HREF tag purports to be from a
common phishing target, match it against the URL the tag defines.  If the tag
URL does not match the domain inside the tag, score it wayyyyyy up.


    But, hey, ClamAV is catching 'em.  I've actually seen a decrease lately
and wondered where it had been coming from when a different message prompted
me to look for those domains in my logs.  :D


-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
       PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
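
The link check described in the message above, as an added Python sketch that is not part of the original post and is not SpamAssassin code. The watch list, the sample HTML and all function names are assumptions made for the example; it reports mismatches and leaves scoring to the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed watch list of commonly phished domains (constructed for this example).
TARGETS = ("paypal.com", "ebay.com")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def href_host(href):
    try:
        return urlsplit(href.strip()).hostname or ""
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return ""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def mismatched_links(html):
    """(claimed_domain, href_host) for anchors whose text names a watched domain the href is not under."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        host = href_host(href)
        for claimed in DOMAIN_RE.findall(text):
            hits += [(t, host) for t in TARGETS if under(claimed, t) and not under(host, t)]
    return hits

# Constructed sample body (192.0.2.10 and example.net are documentation addresses).
SAMPLE = ('<a href="http://192.0.2.10/login">https://www.paypal.com/login</a> '
          '<a href="https://www.ebay.com/">www.ebay.com</a> '
          '<a href="http://www.paypal.com.example.net/">PayPal.com</a>')
```

The suffix comparison in `under` is what catches the third link: a host that merely starts with the brand's domain is not treated as belonging to it.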