How would one filter the latest phish style which is supposed to work on even Mozilla browsers? Apparently the format is:
http://[trusted_site]%2F%20%20%20.[malicious_site]/
It would be necessary to remove any number of space codes from this.
Do you have a real example URL?
My un-prefix filter blocks those (with a slight problem with the link title)...
Code:
Name = "Un-Prefix Multi URL Links [Key=^Shift] {unknown origin} (modified) [add]"
Active = TRUE
Multi = TRUE
URL = "($TYPE(htm)|$TYPE(js))(^$TST(keyword=*.redpref.*))(^$KEYCHK(^S))(^$LST(Secure))"
Bounds = "<a\s*</a>"
Limit = 512
Match = "<a\s"
"\2href="
"("
"("|)\0(^javascript:)"
""
"&$AV("
"("
"????????*[^a-z0-9]"
""
"("
"((http|ftp)(s|)://)\4"
"|URL=(^(http|ftp)(s|)://)$SET(4=http://)"
"|www.$SET(4=http://www.)"
")"
")+{1,*}([^\&]+)\1*([\&]+)\7*([^\&]+[^a-z0-9]+[^\&]+)\8*"
""
")"
""
")\6"
"\3>\5</a>"
Replace = "<a title='Link Prefix Removed: \6' class="prefixed" \2href=\0\4\1\7\8\0 \3>\5</a>"
I have no problem here... I have Mozilla Firefox [unsure]
When I try Shea's example, I get an error message. My browser is trying to find something on the first host, not the second. Just because spaces are in the URL, why would the browser go to the second host?
That's what "phishing" is - a "method" to "trick" the browser into going to that second host... I'm not sure if a fully patched IE prevents this or not... All of the "latest" config sets prevent it if you use JD or sidki configs...
Try a Google search on "internet browser phishing" and see what comes up...
In my example I also said it DIDN'T WORK. I was just testing it here on the forums.
Last time didn't hpguru make some test pages? Maybe he'd do it again if we can get him back to the forums here.
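As an added example (not code from any poster in this thread), one way to detect the pattern from the first post in JavaScript: take the raw host out of each link and flag any run of encoded slashes or spaces inside it, however many `%20` codes there are. The function names and the `.example` URLs are constructed for illustration.

```javascript
// Added example: flag links whose host part hides percent-encoded "/" or spaces.
// All names and sample URLs here are constructed; nothing is from a real site.

// Runs of encoded slash, backslash, space or tab, or literal whitespace.
const HIDDEN = /(?:%2f|%5c|%20|%09|\s)+/gi;

// Return the authority (userinfo@host:port) exactly as written in the link,
// without letting a URL parser normalise or reject it first.
function rawAuthority(href) {
  const m = /^\s*[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(href);
  return m ? m[1] : null;
}

// Inspect one href. "decoy" is the text before the first hidden run (what the
// reader is meant to see); "trailing" is what follows the last run.
function inspectLink(href) {
  const authority = rawAuthority(href);
  if (authority === null) return { suspicious: false };
  // Drop userinfo and port so only the host text is examined.
  const host = authority.slice(authority.lastIndexOf("@") + 1).replace(/:\d*$/, "");
  const runs = [...host.matchAll(HIDDEN)];
  if (runs.length === 0) return { suspicious: false, host };
  const first = runs[0];
  const last = runs[runs.length - 1];
  return {
    suspicious: true,
    decoy: host.slice(0, first.index),
    trailing: host.slice(last.index + last[0].length).replace(/^\.+/, ""),
  };
}

// Scan an HTML fragment and return every anchor whose host is padded this way.
function findSuspiciousLinks(html) {
  const found = [];
  for (const m of html.matchAll(/<a\s[^>]*?href\s*=\s*(["']?)([^"'\s>]+)\1/gi)) {
    const result = inspectLink(m[2]);
    if (result.suspicious) found.push({ href: m[2], ...result });
  }
  return found;
}

// Constructed sample page: one padded link, one ordinary link with %20 in the path.
const SAMPLE_HTML = `
<a href="http://trusted.example%2F%20%20%20.malicious.example/">Sign in</a>
<a href="http://trusted.example/help%20page">Help</a>`;

console.log(findSuspiciousLinks(SAMPLE_HTML));
```

Encoded characters in the path or query are left alone; only the host portion is checked, so ordinary links with `%20` after the first slash are not flagged.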