I’m starting to be impressed by the (almost) sophistication of phishing attempts. The latest one in my inbox today contained a message from someone purporting to have bought an item via eBay that they hadn’t received and unless they heard back they were going to complain to eBay and then the police — I can quite see some nervous seller who thinks there might be a mistake in the system clicking on the “log in to eBay message center” link (which of course doesn’t go to eBay at all) to try to rectify it.
Mind you, the spam filters are also starting to become sophisticated — my ISP adds headers to the email marking potential spam and this one tripped a number of meters, adding up to quite a lot of red flags. Some of them are, on their own, quite legitimate of course, but not all:
1.0  FROM_ENDS_IN_NUMS      From: ends in numbers
1.3  RCVD_NUMERIC_HELO      Received: contains a numeric HELO
1.0  MSGID_SPAM_CAPS        Message-ID =~ /^\s*< ?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
0.1  HTML_TAG_EXISTS_TBODY  BODY: HTML has "tbody" tag
0.4  HTML_70_80             BODY: Message is 70% to 80% HTML
0.1  HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
0.7  MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.2  HTML_MESSAGE           BODY: HTML included in message
0.3  HTML_FONT_BIG          BODY: HTML has a big font
1.1  MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
0.2  MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
0.4  NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
0.1  FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
3.0  FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
0.6  MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
1.1  FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
1.1  MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
1.1  FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
3.0  SARE_MSGID_YAHOO       Message-ID is forged, (yahoo.com)
1.1  HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
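An added example, not part of the original post: a small Python parser that totals the rule hits listed above and splits them by test area, to show how much of the score comes from header checks rather than HTML formatting. The function names and the 5.0 cut-off are assumptions (5.0 is SpamAssassin's default required score; the post does not say what threshold the ISP uses).

```python
import re
from collections import defaultdict
from decimal import Decimal
# Rule hits quoted in the post, re-typed one per line: score, rule name, description.
REPORT = r"""
1.0 FROM_ENDS_IN_NUMS From: ends in numbers
1.3 RCVD_NUMERIC_HELO Received: contains a numeric HELO
1.0 MSGID_SPAM_CAPS Message-ID =~ /^\s*< ?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
0.1 HTML_TAG_EXISTS_TBODY BODY: HTML has "tbody" tag
0.4 HTML_70_80 BODY: Message is 70% to 80% HTML
0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.2 HTML_MESSAGE BODY: HTML included in message
0.3 HTML_FONT_BIG BODY: HTML has a big font
1.1 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
0.2 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
0.4 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
0.1 FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
3.0 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
0.6 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
1.1 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
1.1 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
3.0 SARE_MSGID_YAHOO Message-ID is forged, (yahoo.com)
1.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
"""
HEAD = re.compile(r"(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)(?:\s+(.*))?$")
AREA = re.compile(r"(BODY|RAW|URI):")  # tests without a prefix are header tests

def parse_report(text):
    """Return [score, rule, description] hits; other lines continue the last description."""
    hits = []
    for line in map(str.strip, text.splitlines()):
        m = HEAD.match(line)
        if m:
            hits.append([Decimal(m[1]), m[2], m[3] or ""])
        elif line and hits:  # description on its own line, or a wrapped one
            hits[-1][2] = (hits[-1][2] + " " + line).strip()
    return hits

def summarize(hits, threshold=Decimal("5.0")):  # threshold: assumed cut-off
    by_area = defaultdict(Decimal)
    for score, _rule, desc in hits:
        m = AREA.match(desc)
        by_area[m[1] if m else "HEADER"] += score
    total = sum(h[0] for h in hits)
    top = [h[1] for h in sorted(hits, key=lambda h: -h[0])[:2]]
    return total, dict(by_area), top, total >= threshold
print(summarize(parse_report(REPORT)))
```

The parser also accepts the layout where each description sits on the line after its score and rule name.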
After I saw this I promptly went and got the latest version of Pegasus Mail, which I use for my personal email. Pegasus has always had good anti-virus protection, has had decent spam filtering for some time, and shows the real URL that is being linked to on HTML emails, but it now advertises anti-phishing checks as well. It will be interesting to see how well they work in practice.