# PHISH URLS
#
# Current patterns.
#
# Updated and verified 4/16/06
#
# Actual Phish URLs
#
# Reviewer notes on how this rc file works (procmail scoring recipes):
#
#   * Each recipe below starts with ":0 B", so every condition is matched
#     against the message BODY only, not the headers.
#   * procmail regexps are case-insensitive unless the "D" flag is given;
#     none of these recipes uses "D", so the mixed case in the patterns
#     (PayPal, eBayISAPI, LoginMember ...) is cosmetic only.
#   * "* -1000^0" seeds the score at -1000.  Each "* 1100^0 <url>" condition
#     adds 1100 when its URL is found, and the "^0" exponent counts a
#     condition at most once however often it matches.  A recipe fires when
#     the total is positive, i.e. as soon as ANY single URL pattern matches.
#   * The two "forwarded message" conditions are negated ("!"): a body that
#     carries a forwarded-message marker is excluded from the score entirely.
#     Presumably this keeps forwarded phish reports from being tagged as
#     phishes themselves -- confirm against the rest of SpamBouncer.
#   * The idiom "(ÿ|\.|[=%]2E)" stands for one literal dot in a URL: "\."
#     is the plain dot, "=2E" is its quoted-printable encoding and "%2E" its
#     URL percent-encoding.  The "ÿ" alternative presumably matches a dot
#     substitute produced by an earlier SpamBouncer normalisation step --
#     TODO confirm.  Likewise "(:|%3a)" is a literal or percent-encoded colon.
#   * "(^|[^-_0-9a-z])" in front of each URL ensures the match does not start
#     in the middle of a longer hostname or token; "([^a-z0-9.]|\. |\.$|$)"
#     at the end of the ".php"/".htm"/".html" patterns ensures the file name
#     is not merely a prefix of a longer one.
#   * Hosts written as "%77%77%77%2e..." are fully percent-encoded ASCII
#     hostnames; hosts like "1108302210" or "0x90.0xa7.0x91.0x1a" are
#     decimal / hex-octet spellings of an IPv4 address.  The patterns match
#     the obfuscated form as seen in the phish, so leave them encoded.
#
# Points worth checking before the next update of this list (no behaviour
# has been changed here, these are observations only):
#
#   * "...ipmslasia...com(ÿ|\.|[=%]2E).ws..." and
#     "...qc(ÿ|\.|[=%]2E).sympatico..." contain an unescaped "." right after
#     the dot idiom.  An unescaped "." is a regexp wildcard matching any one
#     character, so these two patterns are slightly looser than the others;
#     it looks like a typo but cannot be confirmed from here.
#   * One pattern begins "http://http://%77%77%77..." (doubled scheme).  It
#     only matches a body that literally contains the doubled scheme; if the
#     original phish did not, the pattern never fires.
#   * Three URLs are listed twice (ebaysecurely...nm...ru/,
#     adsl-068-016-101-060...net:81/colappmgr/ and
#     adsl-216-63-175-34...net:81/colappmgr/).  Harmless under this scoring,
#     but they can be dropped to keep the list tidy.
#   * The list is a point-in-time snapshot (dated above); static phish URL
#     lists lose value quickly as hosts are cleaned up or re-used.

LOCALTAG=no

# Phish URLs April 2006
#
# Recipe 1: exact phish URLs observed in April 2006.  Only sets LOCALTAG;
# the tagging/logging itself happens in the follow-up recipe so that the
# log text is emitted once regardless of how many URLs matched.
:0 B
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* 1100^0 (^|[^-_0-9a-z])http(:|%3a)//0x90(ÿ|\.|[=%]2E)0xa7(ÿ|\.|[=%]2E)0x91(ÿ|\.|[=%]2E)0x1a/(ÿ|\.|[=%]2E)PayPal(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])href="http://mail(ÿ|\.|[=%]2E)ipmslasia(ÿ|\.|[=%]2E)com/ws/cgi5(ÿ|\.|[=%]2E)ebay(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E).ws(ÿ|\.|[=%]2E)eBayISAPI(ÿ|\.|[=%]2E)dll(ÿ|\.|[=%]2E)SellHub2(ÿ|\.|[=%]2E)IdUserId/
* 1100^0 (^|[^-_0-9a-z])http://%77%77%77%2e%62%61%6e%61%6e%61%72%61%6d%61%2e%61%74/event/
* 1100^0 (^|[^-_0-9a-z])http://correo(ÿ|\.|[=%]2E)taxon(ÿ|\.|[=%]2E)es/PDF/
* 1100^0 (^|[^-_0-9a-z])http://uwcu(ÿ|\.|[=%]2E)alazhar-gaza(ÿ|\.|[=%]2E)edu/asp/CheckSession(ÿ|\.|[=%]2E)php([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)zapatina(ÿ|\.|[=%]2E)com/coppermine/albums/userpics/10001/
* 1100^0 (^|[^-_0-9a-z])http://1108302210:5800/
* 1100^0 (^|[^-_0-9a-z])http://fu-159-91(ÿ|\.|[=%]2E)edit(ÿ|\.|[=%]2E)ne(ÿ|\.|[=%]2E)jp/rainboard/JUNK/attach/www(ÿ|\.|[=%]2E)paypal(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)nxhop(ÿ|\.|[=%]2E)com:444/redirect/mbna/
* 1100^0 (^|[^-_0-9a-z])http(:|%3a)//gobest(ÿ|\.|[=%]2E)idv(ÿ|\.|[=%]2E)tw/~joy/(ÿ|\.|[=%]2E)online-id(ÿ|\.|[=%]2E)chase(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)soy-scentsations(ÿ|\.|[=%]2E)com/soy_STORE//images/(ÿ|\.|[=%]2E)soyscen(ÿ|\.|[=%]2E)paypals(ÿ|\.|[=%]2E)co1=
* 1100^0 (^|[^-_0-9a-z])http://ruhrgewerbe(ÿ|\.|[=%]2E)de/~fal/website3/irc/snd/
* 1100^0 (^|[^-_0-9a-z])http://ebaysecurely(ÿ|\.|[=%]2E)nm(ÿ|\.|[=%]2E)ru/
* 1100^0 (^|[^-_0-9a-z])http://adsl-068-016-101-060(ÿ|\.|[=%]2E)sip(ÿ|\.|[=%]2E)asm(ÿ|\.|[=%]2E)bellsouth(ÿ|\.|[=%]2E)net:81/chase/
* 1100^0 (^|[^-_0-9a-z])http://mujweb(ÿ|\.|[=%]2E)cz/www/signin(ÿ|\.|[=%]2E)ebayquestion(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://ice(ÿ|\.|[=%]2E)snu(ÿ|\.|[=%]2E)ac(ÿ|\.|[=%]2E)kr:8000/ayepa/
* 1100^0 (^|[^-_0-9a-z])http://http://%77%77%77%2e%6b%6f%65%6c%6e%65%72%2d%77%69%72%74%65%2e%64%65/events/(ÿ|\.|[=%]2E)temp/https(ÿ|\.|[=%]2E)www(ÿ|\.|[=%]2E)paypal(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://adsl-068-016-101-060(ÿ|\.|[=%]2E)sip(ÿ|\.|[=%]2E)asm(ÿ|\.|[=%]2E)bellsouth(ÿ|\.|[=%]2E)net:81/colappmgr/
* 1100^0 (^|[^-_0-9a-z])http://ebaysecurely(ÿ|\.|[=%]2E)nm(ÿ|\.|[=%]2E)ru/
* 1100^0 (^|[^-_0-9a-z])http://1024052828:4125/login/index(ÿ|\.|[=%]2E)php([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://dsl-200-67-165-66(ÿ|\.|[=%]2E)prod-empresarial(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E)mx/(ÿ|\.|[=%]2E)dll/link(ÿ|\.|[=%]2E)php([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://ice(ÿ|\.|[=%]2E)snu(ÿ|\.|[=%]2E)ac(ÿ|\.|[=%]2E)kr:8000/ayepa/index(ÿ|\.|[=%]2E)php([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)national(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E)au(ÿ|\.|[=%]2E)confpr(ÿ|\.|[=%]2E)st/
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)canwetalkaboutthis(ÿ|\.|[=%]2E)com/MB/album/albums/userpics/10167/thumb(ÿ|\.|[=%]2E)php([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://dehoutwagen(ÿ|\.|[=%]2E)nl/foto/(ÿ|\.|[=%]2E)brk/Barclays06/ibank(ÿ|\.|[=%]2E)barclays(ÿ|\.|[=%]2E)co(ÿ|\.|[=%]2E)uk/
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)strikta(ÿ|\.|[=%]2E)net/members/index(ÿ|\.|[=%]2E)htm([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://quebec-hse-ppp228713(ÿ|\.|[=%]2E)qc(ÿ|\.|[=%]2E).sympatico(ÿ|\.|[=%]2E)ca/signin(ÿ|\.|[=%]2E)ebay(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://dns1(ÿ|\.|[=%]2E)marukaseiki(ÿ|\.|[=%]2E)co(ÿ|\.|[=%]2E)jp/~nakano/redirect(ÿ|\.|[=%]2E)html\?
* 1100^0 (^|[^-_0-9a-z])http://chaseonline(ÿ|\.|[=%]2E)chase(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E)portlet(ÿ|\.|[=%]2E)nylcv(ÿ|\.|[=%]2E)com/colappmgr/
* 1100^0 (^|[^-_0-9a-z])http://adsl-216-63-175-34(ÿ|\.|[=%]2E)dsl(ÿ|\.|[=%]2E)elpstx(ÿ|\.|[=%]2E)swbell(ÿ|\.|[=%]2E)net:81/colappmgr/
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)dawva(ÿ|\.|[=%]2E)net/SSL/account(ÿ|\.|[=%]2E)htm([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)domainelacombe(ÿ|\.|[=%]2E)com/fr/img/(ÿ|\.|[=%]2E)brkl/Barclays06/ibank(ÿ|\.|[=%]2E)barclays(ÿ|\.|[=%]2E)co(ÿ|\.|[=%]2E)uk/olb/p/LoginMember(ÿ|\.|[=%]2E)do/
* 1100^0 (^|[^-_0-9a-z])http://adsl-068-016-101-060(ÿ|\.|[=%]2E)sip(ÿ|\.|[=%]2E)asm(ÿ|\.|[=%]2E)bellsouth(ÿ|\.|[=%]2E)net:81/mnb/
* 1100^0 (^|[^-_0-9a-z])http://mail(ÿ|\.|[=%]2E)mow-ffm(ÿ|\.|[=%]2E)de/(ÿ|\.|[=%]2E)dll/
* 1100^0 (^|[^-_0-9a-z])http://bestnote(ÿ|\.|[=%]2E)co(ÿ|\.|[=%]2E)kr/data/cash-online(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://chase(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E)cahsegogu(ÿ|\.|[=%]2E)com/start(ÿ|\.|[=%]2E)html([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])http://citicards-billing-us-cards(ÿ|\.|[=%]2E)mesatitle(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://www(ÿ|\.|[=%]2E)mycodes(ÿ|\.|[=%]2E)ca/~petra/chaseonline(ÿ|\.|[=%]2E)chase(ÿ|\.|[=%]2E)com-colappmgr-colportal-prospect-nfpb=true&_pageLabel=page_logonform/
* 1100^0 (^|[^-_0-9a-z])http://citibank(ÿ|\.|[=%]2E)us(ÿ|\.|[=%]2E)cards(ÿ|\.|[=%]2E)accountonline(ÿ|\.|[=%]2E)banklogin(ÿ|\.|[=%]2E)updateinfo(ÿ|\.|[=%]2E)renew(ÿ|\.|[=%]2E)spillanes(ÿ|\.|[=%]2E)com/
* 1100^0 (^|[^-_0-9a-z])http://jhroof(ÿ|\.|[=%]2E)com/www(ÿ|\.|[=%]2E)paypal(ÿ|\.|[=%]2E)com/us/
* 1100^0 (^|[^-_0-9a-z])http://adsl-216-63-175-34(ÿ|\.|[=%]2E)dsl(ÿ|\.|[=%]2E)elpstx(ÿ|\.|[=%]2E)swbell(ÿ|\.|[=%]2E)net:81/colappmgr/
* 1100^0 (^|[^-_0-9a-z])http://adsl-068-016-101-060(ÿ|\.|[=%]2E)sip(ÿ|\.|[=%]2E)asm(ÿ|\.|[=%]2E)bellsouth(ÿ|\.|[=%]2E)net:81/colappmgr/
{
  # At least one listed URL was found in the body; remember that fact for
  # the follow-up recipe below.
  LOCALTAG=yes
}

# Recipe 2: act on the flag set by recipe 1.  "LOCALTAG ?? yes" matches the
# regexp "yes" against the contents of the LOCALTAG variable.
:0
* LOCALTAG ?? yes
{
  # LT3, SBLOG, TESTNAME and SBDIR are SpamBouncer-wide variables defined by
  # the including rc files, not here; loglevel.rc presumably turns SBLOG into
  # the actual header/log entry -- verify against ${SBDIR}/functions.
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Pattern Match)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Ebay Phish URL patterns
#
# Patterns so reliable that I can't imagine a false positive
# from them for the most prolific types of phishes.
#
# Recipe 3: generic (host-independent) eBay phish URL shapes.
#   - First condition: a URL whose host is a dotted-quad IP address
#     (1-3 digits x 4, joined by the dot idiom), optional ":port", then any
#     number of path components (each optionally starting with a dot or "~"),
#     ending in a component that reads "[.www].ebay[.com]".  A raw-IP host
#     carrying an "ebay" path component is the classic look-alike phish URL.
#   - Second condition: a host of the form "<labels>.ebay.com.webscr-cmd-id.
#     <labels>.<tld>" where the real eBay name is buried as a sub-label of an
#     unrelated domain (2-4 letter TLD).
# The backslash at the end of a condition line continues the regexp on the
# next line; the continuation lines are kept at column 0 so that no leading
# whitespace can leak into the regexp.
:0 B
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* 1100^0 (^|[^-_0-9a-z])[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?\
(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?\
(:[0-9][0-9]+)?/\
(((ÿ|\.|[=%]2E)|~)?[0-9a-z][-_0-9a-z]+/)*\
((ÿ|\.|[=%]2E)www)?(ÿ|\.|[=%]2E)ebay((ÿ|\.|[=%]2E)com)?([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+\
ebay(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E)webscr-cmd-id(ÿ|\.|[=%]2E)\
([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?([^a-z0-9.]|\. |\.$|$)
{
  # Tag directly (no LOCALTAG round trip here) and record the target brand.
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Target: eBay)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Paypal Phish URL patterns
#
# Patterns so reliable that I can't imagine a false positive
# from them for the most prolific types of phishes.
#
# Recipe 4: identical in structure to recipe 3 with "paypal" in place of
# "ebay".  If the two generic shapes are ever tuned, keep both recipes in
# step (or factor the common regexp into a variable) so they do not drift.
:0 B
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* 1100^0 (^|[^-_0-9a-z])[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?\
(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?\
(:[0-9][0-9]+)?/\
(((ÿ|\.|[=%]2E)|~)?[0-9a-z][-_0-9a-z]+/)*\
((ÿ|\.|[=%]2E)www)?(ÿ|\.|[=%]2E)paypal((ÿ|\.|[=%]2E)com)?([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+\
paypal(ÿ|\.|[=%]2E)com(ÿ|\.|[=%]2E)webscr-cmd-id(ÿ|\.|[=%]2E)\
([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?([^a-z0-9.]|\. |\.$|$)
{
  # Tag directly and record the target brand.
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Target: PayPal)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}