Kevin A. McGrail wrote: > How can you content differentiate > between a "real" and a phish without something like SURBL?
The Mailscanner guy has a fairly effective heuristic that really should be plugged into SpamAssassin. He looks for something like this: <a href="http://bogus.site.com/.cgi/ebay/cgi";>https://secure.ebay.com</a> Got that? If the URL *text* in the hyperlink doesn't match the URL in the HREF parameter (modulo some canonicalization and other munging), flag as a phish. Dead simple algorithm, and I'd guess it catches about 75% of phishing attempts. The ones it doesn't catch are the ones where the URL looks like this: <a href="http://bogus.site.com/.cgi/ebay/cgi";>Click Here</a> and that's where SURBL can help. Regards, David. _______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
