Erwan David wrote: > On Wed, Mar 18, 2009 at 01:55:14PM CET, Dennis Peterson <denni...@inetnw.com> > said: >> Moray Henderson (ICT) wrote: >>>> From: Török Edwin [mailto:edwinto...@gmail.com] >>>>>> Try using <a href="..."> for the URL. >>>>>> >>>>> Is that a requirement? If so we should get the spammers on board because >>>> some of >>>>> them may not know this :). >>>> No, there are more places from where URLs can be extracted, but "<a >>>> href" is one that must work. >>> With modern email clients "helpfully" presenting text that looks like a URL >>> as a real URL at the client end, SafeBrowsing really ought to check the >>> plain text, not just within html tags. http://pastebin.com/m13232c54 may >>> be just plain text when transmitted and scanned, but it's an "<a href>" by >>> the time I read it: underlined, blue, and turns my cursor to a pointy >>> finger with a pop-up box saying "Click to follow link". >> I don't imagine the world's premier spammers are sitting at their laptop in >> their shorts sending out thousands of spams with Thunderbird. There are >> purpose >> built products for this and can format the mail any way they wish. >> > > What was said is that many MUA, *receiving* a mail with an URL in the > text will automatically create a link from it. It has bothing to do > with the sending software. > >
I see - I think we're all recommending that ClamAV detect URL's regardless of how they're presented in the message. And that will certainly include encoded URL's and all the HTML tricks that can be used to disguise them from scanning software. I would not suggest they go so far as to build in a JavaScript engine to find those URL's that are intended to be constructed in the browser or MUA at rendering time, but it may come to that at some point. dp _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
