Latest phishing technique
Jun. 15, 2004, 07:01 AM
Post: #1
 
How would one filter the latest phish style which is supposed to work on even Mozilla browsers? Apparently the format is:
http://[trusted_site]%2F%20%20%20.[malicious_site]/
It would be necessary to remove any number of space codes from this.
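A defensive check for the URL shape described in post #1, as an added example that is not part of the original thread and not any poster's filter: it reads the authority of a link without decoding it and flags any percent-escape found there, however many `%20` codes are used. The host names `trusted.example` and `other.example` and the function names are constructed for illustration.

```javascript
// Added example (not from the thread). Host names below are constructed.
// Flags links whose authority contains percent-escapes, such as
// http://[trusted_site]%2F%20%20%20.[malicious_site]/

// Return the raw authority: everything between "//" and the first literal
// "/", "?" or "#". Nothing is decoded, so %2F stays visible as an escape.
function rawAuthority(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(href.trim());
  return m ? m[1] : null;
}

function inspectLink(href) {
  const authority = rawAuthority(href);
  if (authority === null) return { suspicious: false, reason: "no authority" };
  // Drop userinfo ("user@") and a trailing port (":8080") to isolate the host.
  const host = authority.slice(authority.lastIndexOf("@") + 1).replace(/:\d*$/, "");
  // Host names need only letters, digits, hyphens and dots, so any escape
  // in this part is a red flag, whether there is one %20 or a hundred.
  const parts = host.split(/%[0-9a-f]{2}/i);
  if (parts.length === 1) return { suspicious: false, host };
  return {
    suspicious: true,
    escapes: parts.length - 1,
    displayedAs: parts[0],                                    // text before the padding
    trailingHost: parts[parts.length - 1].replace(/^\.+/, ""), // name after the padding
  };
}

// Constructed sample links.
const samples = [
  "http://trusted.example%2F%20%20%20.other.example/",
  "http://trusted.example%2f" + "%20".repeat(12) + ".other.example/login",
  "http://www.trusted.example/some%20page.html", // escape in the path only
  "http://user@trusted.example:8080/",
];
for (const s of samples) console.log(s, JSON.stringify(inspectLink(s)));
```

An escape that appears only in the path, as in the third sample, is left alone; only the host portion is checked.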
Jun. 15, 2004, 08:41 AM
Post: #2
 
Do you have a real example URL?
Jun. 15, 2004, 02:57 PM
Post: #3
 
Link Test

It doesn't seem to work on the forums here, I typed:

http://74.53.146.215%2F%20%20%20.www.unitethecows.com

PS - Both sites are clean.

{=(~::[Shea]::~)=}
How 'bout you sideburns, you want some of this milk?
This fading text is pretty cool, eh? I bet you wish you had some.
Jun. 15, 2004, 03:25 PM
Post: #4
 
My un-prefix filter blocks those (with a slight problem with the link title)...
Code:
Name = "Un-Prefix Multi URL Links [Key=^Shift] {unknown origin} (modified) [add]"
Active = TRUE
Multi = TRUE
URL = "($TYPE(htm)|$TYPE(js))(^$TST(keyword=*.redpref.*))(^$KEYCHK(^S))(^$LST(Secure))"
Bounds = "<a\s*</a>"
Limit = 512
Match = "<a\s"
"\2href="
"("
"("|)\0(^javascript:)"
""
"&$AV("
"("
"????????*[^a-z0-9]"
""
"("
"((http|ftp)(s|)://)\4"
"|URL=(^(http|ftp)(s|)://)$SET(4=http://)"
"|www.$SET(4=http://www.)"
")"
")+{1,*}([^\&]+)\1*([\&]+)\7*([^\&]+[^a-z0-9]+[^\&]+)\8*"
""
")"
""
")\6"
"\3>\5</a>"
Replace = "<a title='Link Prefix Removed: \6' class="prefixed" \2href=\0\4\1\7\8\0 \3>\5</a>"
Jun. 15, 2004, 07:56 PM
Post: #5
 
I have no problem here... I have Mozilla Firefox [unsure]
Jun. 16, 2004, 06:19 AM
Post: #6
 
When I try Shea's example, I get an error message. My browser is trying to find something on the first host, not the second. Just because spaces are in the URL, why would the browser go to the second host?
Jun. 16, 2004, 10:45 AM
Post: #8
 
That's what "phishing" is - a "method" to "trick" the browser into going to that second host... I'm not sure if a fully patched IE prevents this or not... All of the "latest" config sets prevent it if you use JD or sidki configs...

Try a Google search on "internet browser phishing" and see what comes up...
Jun. 16, 2004, 03:54 PM
Post: #9
 
In my example I also said it DIDN'T WORK. I was just testing it here on the forums.

Last time didn't hpguru make some test pages? Maybe he'd do it again if we can get him back to the forums here.

{=(~::[Shea]::~)=}
Jul. 16, 2004, 10:12 PM
Post: #10
 
News of yet another phishing scam, here:

http://spamwatch.codefish.net.au/modules.p...article&sid=142

Pretty nice site, that. I hadn't been there before - followed a link from SANS.

_J_G_