Bug 5937 - TVD_PH_SUBJ_ACCOUNTS_POST should include 'update' and case for 'comfirm'
Summary: TVD_PH_SUBJ_ACCOUNTS_POST should include 'update' and case for 'comfirm'
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: 3.2.5
Hardware: Other All
: P5 enhancement
Target Milestone: 3.3.0
Assignee: SpamAssassin Developer Mailing List
Depends on:
Reported: 2008-07-06 21:15 UTC by Arwin Tugade
Modified: 2009-09-03 14:26 UTC (History)
1 user (show)

Attachment Type Modified Status Actions Submitter/CLA Status

Note You need to log in before you can comment on or make changes to this bug.
Description Arwin Tugade 2008-07-06 21:15:42 UTC
To whom it may concern,

There have been some spear phishing attacks with the subject "Update Your Webmail Account" and the current regex for TVD_PH_SUBJ_ACCOUNTS_POST does not pick it up.

I've also seen some spear phishing come through with the subject "Comfirm Your Edu Webmail Account".

Perhaps this rule below.

header TVD_PH_SUBJ_ACCOUNTS_POST        Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|update|report|notif(?:y|ication)|suspen(?:d|ded|sion)|co(?:n|m)firm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i

Comment 1 Justin Mason 2009-08-31 16:06:26 UTC
if we want to change this for 3.3.0, it needs to be in SVN by this Thursday; see bug 6155.
Comment 2 Justin Mason 2009-09-03 14:26:43 UTC
now in:

: 62...; svn commit -m "bug 5937: add some additional Subject patterns for anti-phishing rule TVD_PH_SUBJ_ACCOUNTS_POST"
Sending        rulesrc/sandbox/felicity/70_phishing.cf
Transmitting file data .
Committed revision 811131.