Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
Richard Leroy wrote:
> The situation I am talking about is when the text IS a URL. I don't want to block this: <a href="http://www.hacker.com">CLICK HERE !!!</a>. I understand that this situation happens frequently.
>
> I want to block URLs when the text has http:// before it, like in this example: <a href="http://www.hacker.com">http://www.real-bank.com</a>

I understand, but as soon as you have this in SARE, spammers will use <a href="http://www.hacker.com">www.real-bank.com</a>

would you also catch www.*? then, they will add some text or html tags. If it's step by step, we won't win the race...
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
On Tue, Nov 01, 2005 at 12:27:34PM -0500, Richard Leroy wrote:
> I don't want to block this: <a href="http://www.hacker.com">CLICK HERE !!!</a>. I understand that this situation happens frequently.
>
> I want to block URLs when the text has http:// before it, like in this example: <a href="http://www.hacker.com">http://www.real-bank.com</a>

Doesn't work, the hit rate is horrible. Looked into this several months ago when doing up some anti-phishing rules.

--
Randomly Generated Tagline: "The only way you'll get me to talk is through slow painful torture, and I don't think you've got the grapes." - Stewie on Family Guy
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
mouss wrote:
> Richard Leroy wrote:
> > My point is that I want to make this check an "integrity check". If you choose to display a URL, then it must match the real URL, nothing else. Too bad if it is classified as a false-positive. The benefits in helping stop "phishers" are way larger than the advantage of displaying a different URL than the advertised one.
>
> but then you are adding requirements to what a display text is. The following is fully legitimate. a url is something like http://en.wikipedia.org/Url> example.com and what to do if it's not a url? something like http://www.something.example> the site of foo.example is legitimate, but something like http://www.hacker.example> visit www.bank.com is not.
>
> Also, as already said, some legitimate opt-in newsletters do use this trick to implement tracking. you can consider this bad practice, but not everybody can afford to block legitimate opt-in newsletters/services/...
>
> > Also, I will feel better if an email is classified as a false-positive if it has hits on this rule than any other rule, because I can say that the sender is in part related to classification error.
>
> sure, but those of us concerned with FPs prefer to find other ways to detect spam.

The situation I am talking about is when the text IS a URL. I don't want to block this: <a href="http://www.hacker.com">CLICK HERE !!!</a>. I understand that this situation happens frequently.

I want to block URLs when the text has http:// before it, like in this example: <a href="http://www.hacker.com">http://www.real-bank.com</a>

Thanks for replying,

--
Richard Leroy [EMAIL PROTECTED]
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
Richard Leroy wrote:
> My point is that I want to make this check an "integrity check". If you choose to display a URL, then it must match the real URL, nothing else. Too bad if it is classified as a false-positive. The benefits in helping stop "phishers" are way larger than the advantage of displaying a different URL than the advertised one.

but then you are adding requirements to what a display text is. The following is fully legitimate. a url is something like http://en.wikipedia.org/Url> example.com and what to do if it's not a url? something like http://www.something.example> the site of foo.example is legitimate, but something like http://www.hacker.example> visit www.bank.com is not.

Also, as already said, some legitimate opt-in newsletters do use this trick to implement tracking. you can consider this bad practice, but not everybody can afford to block legitimate opt-in newsletters/services/...

> Also, I will feel better if an email is classified as a false-positive if it has hits on this rule than any other rule, because I can say that the sender is in part related to classification error.

sure, but those of us concerned with FPs prefer to find other ways to detect spam.
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
Kelson wrote:
> [EMAIL PROTECTED] wrote:
> > > <a href="http://hacker.com">http://legit-bank.com</a>
> > >
> > > On top of my mind, I never saw a situation like this in real life, except in phish emails.
> >
> > I see this all the time in promotional emails (spam, not phish) to track clickthrough.
>
> I see it on legit mail too, including a couple of newsletters and, in one case, an "item not won" notice from eBay. Yes, it was legit. This has caused a number of legit messages to trip Thunderbird's new phishing filter.
>
> It's a poor practice, and in the case of eBay they seem to do the right thing on their other notices (either matching the URL to the text or using descriptive link text instead of a hostname), but sad to say there *is* legit mail that uses redirectors in this fashion.
>
> So it's worth scoring, but not safe to score too highly or use as rejection criteria unless you whitelist the legit senders (or convince them to change their ways).

My point is that I want to make this check an "integrity check". If you choose to display a URL, then it must match the real URL, nothing else. Too bad if it is classified as a false-positive. The benefits in helping stop "phishers" are way larger than the advantage of displaying a different URL than the advertised one.

Also, I will feel better if an email is classified as a false-positive if it has hits on this rule than any other rule, because I can say that the sender is in part related to classification error.

--
Richard Leroy [EMAIL PROTECTED]
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
Loren Wilton wrote:
> I've written a number of rules to check for this, so have others. Yes, it will catch some of the phish. Unfortunately it also catches just an amazing amount of legit mail. I think the last statistics were something like 50/50, or maybe even heavier on the ham side.
>
> It just doesn't seem to occur to anyone writing html that there should be an actual relationship between the real url and the displayed url. Even checking for <a href="http://dotquad">https://mybank.com</a> will get hits on an amazing quantity of ham.

on the other hand, I sometimes see things like:

You have new mail on <a href="http://hacker.example">http://www.free.fr</a>

for one, I don't use webmail, and more importantly, www.free.fr isn't the webmail url. the "silly" spammer is just adding www to my email domain. now even this may cause FPs I guess.
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
> > > <a href="http://hacker.com">http://legit-bank.com</a>
> > >
> > > On top of my mind, I never saw a situation like this in real life, except in phish emails.
>
> to be precise, the rule should only trigger if the text between the <a href=> and </a> parts of the url has a hostname at all, so that an url like <a href="http://www.spamassassin.org">click here to get rid of it</a> doesn't trigger it.

I've written a number of rules to check for this, so have others. Yes, it will catch some of the phish. Unfortunately it also catches just an amazing amount of legit mail. I think the last statistics were something like 50/50, or maybe even heavier on the ham side.

It just doesn't seem to occur to anyone writing html that there should be an actual relationship between the real url and the displayed url. Even checking for <a href="http://dotquad">https://mybank.com</a> will get hits on an amazing quantity of ham.

Loren
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
Mathias Homann wrote:
> and increasing the score on spams hurts WHY?
>
> to be precise, the rule should only trigger if the text between the <a href=> and </a> parts of the url has a hostname at all, so that an url like <a href="http://www.spamassassin.org">click here to get rid of it</a> doesn't trigger it.

doesn't seem easy. The rule should not trigger on these:

<a href="http://www.spamassassin.org"> spamassassin.org</a>
a url is something like <a href="http://en.wikipedia.org/wiki/Url"> http://www.domain.example</a>
<a href="http://www.foo.example">foo.example</a>
<a href="http://www.foo.example"><font color=blue>http://www.foo.example</font></a>
...

but should catch

<a href="http://www.hacker.example"><font color=blue>http://www.foo.example</font></a>

I guess redirectors and tinyurl should be handled by redir rules?
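
The href/display-text comparison debated in this thread, written out as an added example; it is not code from any poster, from SpamAssassin or from SARE. The function names, the "strip a leading www." comparison and the `.example` sample links are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text makes a host claim only when it looks like a URL
# (scheme or leading "www."); "click here" and bare words do not.
URLISH = re.compile(r"^(?:https?://|www\.)\S+$", re.I)

def host_of(url):
    """Lowercased hostname; a bare 'www.x' gets a scheme so it parses."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def base(host):
    """Naive comparison key: strip one leading 'www.' (no public-suffix logic)."""
    return host[4:] if host.startswith("www.") else host

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) per <a>; inner tags like <font> are skipped."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (href_host, shown_host) for anchors whose text is a URL on another host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        if not URLISH.match(text):
            continue  # descriptive text makes no claim about the destination
        real, shown = host_of(href), host_of(text)
        if real and shown and base(real) != base(shown):
            hits.append((real, shown))
    return hits

# Constructed sample (not from a real message): a mismatched link, then a matching one.
SAMPLE = ('<a href="http://www.hacker.example">http://www.real-bank.example</a> '
          '<a href="http://www.foo.example"><font color=blue>http://www.foo.example</font></a>')
print(mismatched_links(SAMPLE))
```

A click-tracking redirector whose link text shows the destination URL is flagged by this check as well, which is the false-positive case raised elsewhere in the thread.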
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
[EMAIL PROTECTED] wrote:
> > <a href="http://hacker.com">http://legit-bank.com</a>
> >
> > On top of my mind, I never saw a situation like this in real life, except in phish emails.
>
> I see this all the time in promotional emails (spam, not phish) to track clickthrough.

I see it on legit mail too, including a couple of newsletters and, in one case, an "item not won" notice from eBay. Yes, it was legit. This has caused a number of legit messages to trip Thunderbird's new phishing filter.

It's a poor practice, and in the case of eBay they seem to do the right thing on their other notices (either matching the URL to the text or using descriptive link text instead of a hostname), but sad to say there *is* legit mail that uses redirectors in this fashion.

So it's worth scoring, but not safe to score too highly or use as rejection criteria unless you whitelist the legit senders (or convince them to change their ways).

--
Kelson Vibber
SpeedGate Communications
Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention
On Monday, 31 October 2005 19:33, [EMAIL PROTECTED] wrote:
> > <a href="http://hacker.com">http://legit-bank.com</a>
> >
> > On top of my mind, I never saw a situation like this in real life, except in phish emails.
>
> I see this all the time in promotional emails (spam, not phish) to track clickthrough.

and increasing the score on spams hurts WHY?

to be precise, the rule should only trigger if the text between the <a href=> and </a> parts of the url has a hostname at all, so that an url like <a href="http://www.spamassassin.org">click here to get rid of it</a> doesn't trigger it.

bye, MH

--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
RE: Integrity checks in URLs for blocking phishers as anti-phishing prevention
> <a href="http://hacker.com">http://legit-bank.com</a>
>
> On top of my mind, I never saw a situation like this in real life, except in phish emails.

I see this all the time in promotional emails (spam, not phish) to track clickthrough.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
Integrity checks in URLs for blocking phishers as anti-phishing prevention
Hi list,

I want to know if there is some sort of integrity checks for a situation where a URL would be different from the "CAPTION" url, example:

<a href="http://hacker.com">http://legit-bank.com</a>

On top of my mind, I never saw a situation like this in real life, except in phish emails.

I have also checked the list and I have found a post related to this question, here at http://marc.theaimsgroup.com/?l=spamassassin-users&m=109523766204334&w=2 . But it looks like nobody produced a rule for this.

I also saw a white paper at www.stanford.edu/~amo/sa-spoofguard/saspoofguard.pdf and it looks like the check is already included in their plugin, but I want to know if there is something more mainstream at the moment in the current version of SpamAssassin.

If not, would it be possible for someone familiar with SA to include this check?

I use SA 3.0.4, redhat 8.0 and I'm calling spamassassin through amavisd-new.

Thanks.

--
Richard Leroy [EMAIL PROTECTED]