Re: [exim] Anti Phishing Trick - Latest Version

Author: Chris Lear
Date:  
To: exim-users
Subject: Re: [exim] Anti Phishing Trick - Latest Version
* Marc Perkel wrote (31/08/2005 18:38):
> Getting back to the original topic of this thread. I've improved my
> anti-phishing trick.
>

[...]
>
> My current List: - looking for more


[...]

> citibank.com


I don't think this one is correct. I got false positives in SpamAssassin
when I first installed SARE rules because of SARE_FORGED_CITI being
scored at 104 points. The false positives were from citibank employees
writing business e-mail.
Here's the SARE anti-phishing rule for Citibank (see
http://www.rulesemporium.com/rules/70_sare_spoof.cf for a non-munged
version). As you can see, it's not identical to your rule.

# Try to identify CITIBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
header   __RCVD_CITIBNK      Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
header   __FROM_CITIBNK      From =~ /citi(?:bank)?\.com/i
uri      __URI_CITIBNK       /citi(?:bank)?\.com/i
meta     SARE_FORGED_CITI    (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
describe SARE_FORGED_CITI    Message appears to be forged, (citibank.com)
score    SARE_FORGED_CITI    104.0



There's also nothing stopping Citibank (or anyone else) from changing
their servers, but that point has been made.

--
Chris
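
The meta rule quoted in the message above, evaluated over four constructed messages; this is an added example, not part of the original post or of the SARE rule set. Assumptions: the URL extraction is a simplified stand-in for SpamAssassin's URI parser, all sample hosts and addresses are constructed, and the "genuine sender via another relay" case is one hypothetical way a legitimate message could lack a matching Received line.

```python
import re
from email import message_from_string

# Patterns copied from the rule quoted in the message.
RCVD_CITIBNK = re.compile(r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com", re.I)
FROM_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
URI_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
# Simplified URI extraction (assumption): SpamAssassin's own parser is more thorough.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def sare_forged_citi(raw):
    """Return True when the meta rule would fire: From && URI && !Received."""
    msg = message_from_string(raw)
    # A header rule sees every Received line, so test them all together.
    received = "\n".join(msg.get_all("Received", []))
    from_hit = bool(FROM_CITIBNK.search(msg.get("From", "")))
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    uri_hit = any(URI_CITIBNK.search(u) for u in URL_RE.findall(body))
    rcvd_hit = bool(RCVD_CITIBNK.search(received))
    return from_hit and uri_hit and not rcvd_hit

def build(received_host, from_addr, url):
    # Constructed sample message (not real traffic).
    return (
        f"Received: from {received_host} by mx.example.org; Wed, 31 Aug 2005 18:00:00 +0000\n"
        f"From: {from_addr}\n"
        "Subject: constructed sample\n"
        "\n"
        f"Please see {url}\n"
    )

SAMPLES = {
    "relayed via citibank.com host": build("mail.citibank.com", "a@citibank.com", "http://www.citibank.com/"),
    "forged, no matching relay": build("host.example.net", "a@citibank.com", "http://www.citibank.com/"),
    # Hypothetical: a real sender whose mail left through a relay outside the listed domains.
    "genuine sender via another relay": build("smtp.isp.example", "staff@citibank.com", "http://www.citibank.com/"),
    "unrelated mail": build("host.example.net", "b@example.net", "http://example.net/"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:35} SARE_FORGED_CITI={sare_forged_citi(raw)}")
```

The second and third samples produce the same result because the rule sees only the relay path, not who actually wrote the message.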