[Esd-l] Back working on Phish sanitizing...
Smart,Dan
SmartD at VMCMAIL.com
Fri Feb 18 09:10:10 PST 2005
John,
I've gotten a few more cycles to spend on catching phish attacks.
My thought is this. Just about every phish I've been looking at uses an IP
address URL for the hyperlink. So, the filter I was thinking of was:
Search for
/<a.*href=.*http:\/\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?/i
Which is an IP address URL. You could defang it by making the URL type
file: instead of http:. Or maybe gopher:
What do you think?
<<Dan>>
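
Added example, not part of the original message and not the sanitizer's own code: the filter proposed above, written in Python so it can be run against a sample body. It goes beyond the posted pattern by also covering https and unquoted href values and by keeping each match inside a single <a> tag; the function names, the `scheme` parameter and the sample HTML are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# href of an <a> tag, quoted or unquoted; [^>] keeps the match inside one tag.
HREF_RE = re.compile(r'(<a\b[^>]*?\bhref\s*=\s*)(["\']?)([^"\'\s>]+)\2', re.I)
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample message body (documentation address ranges only).
SAMPLE = (
    '<p><a href="http://192.0.2.10/verify/login.html">Confirm account</a></p>\n'
    '<p><A HREF=https://198.51.100.7:8080/a>Update</A> or read the '
    '<a href="http://www.example.com/10.1.2.3/help">help page</a></p>\n'
    '<img src="http://192.0.2.10/logo.gif">'
)


def is_ip_url(url):
    """True when url is http(s) and its host is a dotted-quad IPv4 address."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = parts.hostname or ""
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if not DOTTED_QUAD.fullmatch(host):
        return False
    return all(int(octet) <= 255 for octet in host.split("."))


def defang(html, scheme="file"):
    """Return (rewritten_html, hits); hits lists each IP-address href found."""
    hits = []

    def repl(match):
        prefix, quote, url = match.groups()
        if not is_ip_url(url):
            return match.group(0)
        hits.append(url)
        # Swap only the scheme; the rest of the URL stays visible for review.
        return f"{prefix}{quote}{scheme}{url[url.index(':'):]}{quote}"

    return HREF_RE.sub(repl, html), hits


if __name__ == "__main__":
    cleaned, found = defang(SAMPLE)
    print(found)
    print(cleaned)
```

The link whose path merely contains digits and dots, and the `<img>` tag, are left untouched because only the host part of an anchor's href is tested.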