# PHISH PATTERNS # # Current patterns. # # Updated and verified 4/16/06 # # Phish Domain Patterns :0 B * -1000^0 * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-account-verify(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?billings?-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-billings?(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?eaby-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-eaby(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?ebay-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-ebay(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?secur(e|ity)-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-secur(e|ity)(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?signin-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-signin(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?support-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-support(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*([0-9a-z]+-)?updates?-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*[0-9a-z]+-updates?(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*acc[o0]unt(ing|s)?-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*acc[o0]unt(inf[o0]|services|updat(e|ing|es))[-_0-9a-z]*(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*alert-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*ant[i1]fraud-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*auth[o0]r[i1]zed-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*aw-c[o0]nf[i1]rm(at[i1][o0]n)?-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*b[i1][i1][i1][i1]ng-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*b[o0]w-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*cgi[0-9]+-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*c[o0]nf-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*c[o0]nf[i1]gure-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*c[o0]nf[i1]rm([i1]ng|at[i1][o0]n)?-[0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*c[o0]nf[i1]rm([i1]ng|at[i1][o0]n)?(account|billing|bow|eaby|ebay|login|paypals?|user)[-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*custc[o0]nf[-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*cust[i1] nf[o0][-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*eaby-[0-9a-z][-_0-9a-z]+[0-9]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*ebay-[0-9a-z][-_0-9a-z]+[0-9]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*ebay(account|alerts?|bill(ing)?|cgi|cust(omer)?s?|login|secur(e|ity)|signin|updates?)[-_0-9a-z]+[0-9]*(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*login-user[0-9]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*online-(accounts?|banking|billing|cust(omer)?|eaby|ebay|info(rmation)?|login|paypal|user)(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*onlinebanking-[0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*paypal+-[0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*paypal+(online|security|update)[0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*paypall+[-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*secure-[0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*security-(accounts?|banking|billing|cust(omer)?|eaby|ebay|info(rmation)?|login|paypal|user)(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*signin-[0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*signin[0-9]+[-_0-9a-z]+(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) * 1100^1 (^|[^0-9a-z])https?//:([0-9a-z][-_0-9a-z$+!]*(ÿ|\.|[=%]2E))*update-(accounts?|banking|billing|cust(omer)?|eaby|ebay|info(rmation)?|login|paypal|user)(-[0-9a-z][-_0-9a-z]+)?(ÿ|\.|[=%]2E)[a-z][a-z][a-z]?[a-z]?((ÿ|\.|[=%]2E)[a-z][a-z])?(:[0-9][0-9]+)?(\"|/) { LT3=yes SBLOG="C3R-${TESTNAME} (Phish Domain Pattern)" INCLUDERC=${SBDIR}/functions/loglevel.rc } # Chase Bank Phish URL Pattern # :0 B * LT3 ?? no * -1000^0 * 1100^1 (^|[^-_0-9a-z])https?://[0-9]+:8[1-9]\ ([0-9a-z][-_0-9a-z.]+/)*((ÿ|\.|[=%]2E)|~)?\ /([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*chase(ÿ|\.|[=%]2E)com/ * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?:8[1-9]\ /(ÿ|\.|[=%]2E)?([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*chase(ÿ|\.|[=%]2E)com/ * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?:8[1-9]\ /(ÿ|\.|[=%]2E)?(chase|chsweb|colappmgr|mnb)/ * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*chase(ÿ|\.|[=%]2E)com\ (ÿ|\.|[=%]2E)([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+\ [a-z][a-z][a-z]?[a-z]?(/|$) * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*chaseonline\ (ÿ|\.|[=%]2E)([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+\ [a-z][a-z][a-z]?[a-z]?(/|$) * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?/\ ([0-9a-z][-_0-9a-z.]+/)*((ÿ|\.|[=%]2E)|~)?\ (((%[0-9a-f][0-9a-f])+|([0-9a-z][-_0-9a-z.]+))[^0-9a-z])?\ chase(ÿ|\.|[=%]2E)com(/|$) { LT3=yes SBLOG="C3R-${TESTNAME} (Chase Bank Phish URL Pattern)" INCLUDERC=${SBDIR}/functions/loglevel.rc } # EBay Phish URL Patterns # :0 B * -1000^0 * -1100^1 (^|[^-_0-9a-z])https?//([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*ebay(ÿ|\.|[=%]2E)\ com([^0-9a-z.]|$) * -1100^1 (^|[^-_0-9a-z])https?//([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*ebay(ÿ|\.|[=%]2E)\ doubleclick(ÿ|\.|[=%]2E)net([^0-9a-z.]|$) * 1100^1 (^|[^-_0-9a-z])https?//([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*(eaby|e+b+a+y+)s?\ [-_0-9a-z]*(ÿ|\.|[=%]2E)([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*\ [a-z][a-z][a-z]?[a-z]?([^0-9a-z.]|$) * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?/\ ([0-9a-z][-_0-9a-z.]+/)*((ÿ|\.|[=%]2E)|~)?\ (((%[0-9a-f][0-9a-f])+|([0-9a-z][-_0-9a-z.]+))[^0-9a-z])?\ (eaby|e+b+a+y+)s?[0-9a-z.]*(/|$) { LT3=yes SBLOG="C3R-${TESTNAME} (eBay Phish URL Pattern)" INCLUDERC=${SBDIR}/functions/loglevel.rc } # PayPal Phish URL Pattern # :0 B * LT3 ?? no * -1000^0 * -1100^1 (^|[^-_0-9a-z])https?//([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*paypal(ÿ|\.|[=%]2E)com([^0-9a-z.]|$) * 1100^1 (^|[^-_0-9a-z])https?//([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*p+a+y+p+a+l+[-_0-9a-z]*(ÿ|\.|[=%]2E)([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))*[a-z][a-z][a-z]?[a-z]?([^0-9a-z.]|$) * 1100^1 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?/\ ([0-9a-z][-_0-9a-z.]+/)*((ÿ|\.|[=%]2E)|~)?\ (((%[0-9a-f][0-9a-f])+|([0-9a-z][-_0-9a-z.]+))[^0-9a-z])?\ p+a+y+p+a+l+[0-9a-z.]*(/|$) { LT3=yes SBLOG="C3R-${TESTNAME} (PayPal Phish URL Pattern)" INCLUDERC=${SBDIR}/functions/loglevel.rc } # AMEN Networks URL Pattern # :0 B * -1000^0 * 1100^0 (^|[^-_0-9a-z])62\.193\.19[2-9]\.[0-9][0-9]?[0-9]?([^a-z0-9.]|\. |\.$|$) * 1100^0 (^|[^-_0-9a-z])62\.193\.2[0-4][0-9]\.[0-9][0-9]?[0-9]?([^a-z0-9.]|\. |\.$|$) * 1100^0 (^|[^-_0-9a-z])62\.193\.25[0-5]\.[0-9][0-9]?[0-9]?([^a-z0-9.]|\. |\.$|$) * 1100^0 (^|[^-_0-9a-z])https?//vds-[0-9]+(ÿ|\.|[=%]2E)amen-pro(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$) { LT3=yes SBLOG="C3R-${TESTNAME} (AMEN Networks URL)" INCLUDERC=${SBDIR}/functions/loglevel.rc } # Generic Phish URL Pattern # :0 B * LT3 ?? no * !--.*forwarded message -- * !^forwarded message: * -1000^0 * 1100^0 (^|[^-_0-9a-z])https?://([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?/\ ([0-9a-z][-_0-9a-z.]+//?)*((ÿ|\.|[=%]2E)|~)?\ ((%[0-9a-f][0-9a-f])+|\ %252ecom|\ amcore((ÿ|\.|[=%]2E)com)?|\ bankofthewest((ÿ|\.|[=%]2E)com)?|\ barclays((ÿ|\.|[=%]2E)com|(ÿ|\.|[=%]2E)co(ÿ|\.|[=%]2E)uk)?|\ BOW((ÿ|\.|[=%]2E)com)?|\ charterone((ÿ|\.|[=%]2E)com)?|\ chase(ÿ|\.|[=%]2E)com|\ CREDIT-UNION|\ fmbnk((ÿ|\.|[=%]2E)com)?|\ hsbc(-online)?|\ jpmorgan|\ keybank((ÿ|\.|[=%]2E)com)?|\ lasalle(bank|na)?((ÿ|\.|[=%]2E)com)?|\ mibank((ÿ|\.|[=%]2E)com)?|\ mutual-sk|\ r1/[a-z][a-z]?/|\ REGIONS((ÿ|\.|[=%]2E)com)?|\ south-id|\ ([0-9a-z][-_0-9a-z.]+)?unionplanters((ÿ|\.|[=%]2E)com)?|\ wamu)(/|$) * 1100^0 (^|[^-_0-9a-z])https?://([0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?|([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?)/([0-9a-z][-_0-9a-z.]+/)*(ÿ|\.|[=%]2E)(ÿ|\.|[=%]2E)(ÿ|\.|[=%]2E)/ * 1100^0 (^|[^-_0-9a-z])https?://([0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?|([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?)/([0-9a-z][-_0-9a-z.]+/)*(ÿ|\.|[=%]2E)[*,]/ * 1100^0 (^|[^-_0-9a-z])https?://([0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?|([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?)/([0-9a-z][-_0-9a-z.]+/)*(ÿ|\.|[=%]2E)?(%20| )+/ * 1100^0 (^|[^-_0-9a-z])https?://([0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?|([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?)/([0-9a-z][-_0-9a-z.]+/)*(ÿ|\.|[=%]2E)[0-9]+/ * 1100^0 (^|[^-_0-9a-z])https?://([0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?\ (ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?(ÿ|\.|[=%]2E)[0-9][0-9]?[0-9]?|\ ([0-9a-z][-_0-9a-z]+(ÿ|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?)/\ ([0-9a-z][-_0-9a-z.]+/)*((ÿ|\.|[=%]2E)|~)\ (cgi-bin|checking|e?banking|e|logon|pay|ppl|\ secur(e|ity)|signin|update|verify|ws)\ (((ÿ|\.|[=%]2E)[0-9a-z][-_0-9a-z.]+)?/\ |(ÿ|\.|[=%]2E)(asp|cgi|s?html?|js|php|pl)) * 1100^0 (^|[^-_0-9a-z])login-user[0-9]+(ÿ|\.|[=%]2E)info($|[^0-9a-z]) { LT3=yes SBLOG="C3R-${TESTNAME} (Phish URL Pattern)" INCLUDERC=${SBDIR}/functions/loglevel.rc }