Tim,

Your question or idea does spark some thought. The fact that your userids follow a defined format is helpful. The challenge is that the pattern you are looking for could be found in existing traffic flows. On the plus side, the HTTP method would be a POST, which would help narrow it down. The other challenge is that users log into legitimate websites and they could use a similar userid pattern. While we have created lots of custom vulnerability and spyware signatures, we are generally looking for a specific string. What we have had success with is tweaking our email / spam gateway to identify word patterns used by the phishers and blocking those email messages. Not to say that is 100% effective, but we have found a lot of success. Adding the blocking or continue option for unknown and parked URL categories will help also.

Phil