SA Bugzilla – Bug 4457
Paypal phishing rules.
Last modified: 2006-03-06 21:03:41 UTC
Attached will be rules to catch paypal "update your account" phishing spam which will need masschecking. The originals were posted to the SA users list and FP'd quite badly; these new ones should be much more reliable. However, I do not have a good ham corpus to check against, so can't tell if they still misfire. Comments and suggestions for improvement solicited. Thanks!
Created attachment 2981: paypal phishing ruleset
Will schedule for mass-check as soon as the current pre-release scoring mass-check runs are complete. (Justin -- any idea whether the n.e.e.d.s.m.c system will work for me if I set that flag in a bug entry? Hasn't yet; don't know whether you've been able to fix that.)
hi Bob -- nope, the automc stuff is turned off until post-3.1.0 as it needs some work :(
Created attachment 2991: Updated paypal phishing rules
Updated to catch "update your identity" phrase in common paypal phishing spam.
Section 3 -- Frequencies Log (First numeric frequencies, followed by percentage frequencies)

OVERALL%    SPAM%     HAM%     S/O    RANK   SCORE  NAME
  297183   139449   157734   0.469    0.00    0.00  (all messages)
      10        7        3   0.725    0.00    4.00  LOCAL_PP_UPD_BADADDR
     202      198        4   0.982    0.00    4.00  LOCAL_PP_UPD_BADURL

OVERALL%    SPAM%     HAM%     S/O    RANK   SCORE  NAME
  297183   139449   157734   0.469    0.00    0.00  (all messages)
 100.000  46.9236  53.0764   0.469    0.00    0.00  (all messages as %)
   0.003   0.0050   0.0019   0.725    0.00    4.00  LOCAL_PP_UPD_BADADDR
   0.068   0.1420   0.0025   0.982    0.00    4.00  LOCAL_PP_UPD_BADURL

The BADURL ham hits were a Nov 2002 newsletter from paypal, Jan 2003, Jan 2004, Mar 2004. The BADADDR ham hits were all June 2005 mailing list administrative emails to list owner to confirm a new subscription request, for lists at ibiblio.org.

You may want to work with Fred, who maintains http://www.rulesemporium.com/rules.htm#spoof (email address inside the rules file) -- merge your ideas and see if the two of you can improve the performance of these rules.
I put this in my sandbox for testing. Committed revision 383781.