* Marc Perkel wrote (31/08/2005 18:38):
> Getting back to the original topic of this thread. I've improved my
> anti-phishing trick.
>
[...]
>
> My current List: - looking for more
[...]
> citibank.com
I don't think this one is correct. I got false positives in Spamassassin
when I first installed SARE rules because of SARE_FORGED_CITI being
scored at 104 points. The false positives were from citibank employees
writing business e-mail.
Here's the SARE anti-phishing rule for Citibank (see
http://www.rulesemporium.com/rules/70_sare_spoof.cf for a non-munged
version). As you can see, it's not identical to your rule.

# Try to identify CITIBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
header __RCVD_CITIBNK Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
header __FROM_CITIBNK From =~ /citi(?:bank)?\.com/i
uri __URI_CITIBNK /citi(?:bank)?\.com/i
meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
describe SARE_FORGED_CITI Message appears to be forged, (citibank.com)
score SARE_FORGED_CITI 104.0

There's also nothing stopping Citibank (or anyone else) from changing
their servers, but that point has been made.
--
Chris
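
Added example, not part of the original post and not SARE or SpamAssassin code: a Python re-implementation of the meta rule's logic (From and URI match, no matching Received line), run over three constructed messages to show both the intended hit and the kind of false positive described above. The host names, the `make_msg` and `forged_citi` helpers, and the simplified URL extraction are assumptions made for illustration.

```python
import re
from email import message_from_string

# Patterns copied from the three sub-rules quoted in the post.
RCVD_CITIBNK = re.compile(r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com", re.I)
FROM_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
URI_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
# Assumption: a simple URL finder; SpamAssassin's own URI extraction is more thorough.
URL_FINDER = re.compile(r"https?://[^\s<>\"']+", re.I)

def forged_citi(raw):
    """Evaluate __FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK on one message."""
    msg = message_from_string(raw)
    from_hit = any(FROM_CITIBNK.search(v) for v in msg.get_all("From", []))
    rcvd_hit = any(RCVD_CITIBNK.search(v) for v in msg.get_all("Received", []))
    uri_hit = any(URI_CITIBNK.search(u) for u in URL_FINDER.findall(msg.get_payload()))
    return from_hit and uri_hit and not rcvd_hit

def make_msg(rcvd_host, url):
    """Build a constructed single-part message; every value here is sample data."""
    return (
        f"Received: from {rcvd_host} by mx.example.net; Wed, 31 Aug 2005 18:00:00 +0000\n"
        "From: Account Team <someone@citibank.com>\n"
        "Subject: constructed sample\n"
        "\n"
        f"Please see {url} for details.\n"
    )

SAMPLES = {
    # Spoofed From, look-alike URL, unrelated sending host: the intended hit.
    "phish": make_msg("dsl-host.example.org", "http://citibank.com.login.example.org/verify"),
    # Relayed through a host the Received pattern knows: rule stays quiet.
    "citi_relay": make_msg("mail.citicorp.com", "http://www.citibank.com/"),
    # Genuine sender, but the relay name is not in the Received pattern:
    # the rule fires and the 104-point score marks real mail as forged.
    "employee_other_relay": make_msg("smtp.partner-relay.example", "http://www.citibank.com/"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22s} SARE_FORGED_CITI={forged_citi(raw)}")
```
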