Re: has someone already written this rule yet?

2006-02-03 Thread hamann . w


Hi,

I never tried something like that, but
- if the visible link looks like a URL and
- the actual and visible URLs are not related in some way
  (ideas: same IP, same netblock, subdomains of same domain)
- or if the actual link looks like two URLs concatenated (potential open
  redirector) and the visible link does not

the message will look suspicious.

Assuming that some senders will create such mails, it would be a good idea to
forward the message to recipient WITH warning markup, and also reject at MTA
level with a suitable explanation, so SA may not be the best place in the mail
chain.

If many sites do that, senders will eventually reconsider whether this is a
good idea.

Wolfgang Hamann

 
> Didn't I just respond about this the other day?
>
> On Thu, Feb 02, 2006 at 05:56:06PM -0700, Steven Manross wrote:
> > <A
> > href=http://www.whatever.com/secretphishersite/blah?something=blahblah>
> > http://www.paypal.com/somethingsecure/this?that=1</A>
> >
> > Or is that even possible? Or is it just expensive? :)
>
> Easily possible, but the rule performs horribly in real-life since it appears
> in a ton of ham in the generic sense (<a href=XYZ>ABC</a>).  It's all covered
> in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255
 







has someone already written this rule yet?

2006-02-02 Thread Steven Manross
<A
href=http://www.whatever.com/secretphishersite/blah?something=blahblah>
http://www.paypal.com/somethingsecure/this?that=1</A>
 
...where you test what is in the href section against what they are
trying to display in the visible part of the A tag -- and if a URL is
found in the visible part of the A tag, check to see if the domain name
matches the href...
 
Or is that even possible? Or is it just expensive? :)
 
It's just a thought.  I hadn't seen it suggested.  :)
 
Let the flames begin!

Steven


Re: has someone already written this rule yet?

2006-02-02 Thread Theo Van Dinter
Didn't I just respond about this the other day?

On Thu, Feb 02, 2006 at 05:56:06PM -0700, Steven Manross wrote:
> <A
> href=http://www.whatever.com/secretphishersite/blah?something=blahblah>
> http://www.paypal.com/somethingsecure/this?that=1</A>
>
> Or is that even possible? Or is it just expensive? :)

Easily possible, but the rule performs horribly in real-life since it appears
in a ton of ham in the generic sense (<a href=XYZ>ABC</a>).  It's all covered
in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255

-- 
Randomly Generated Tagline:
As a little girl, she was a ho, I'll grant you that ... - Prof. O'Donnell


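The check discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: it only judges anchors whose visible text is itself a URL (the generic `<a href=XYZ>ABC</a>` case is skipped because it is common in ham), then flags unrelated domains or an href that embeds a second URL. The names `site`, `embeds_second_url`, `LinkAudit` and `audit` are hypothetical, "related" is simplified to "same last two host labels" (an assumption; the IP and netblock ideas are not implemented), and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
URL_RE = re.compile(r"^(?:https?://|www\.)\S+$", re.I)  # visible text that is itself a URL

def site(url):
    # Assumption: "related" means same last two host labels; real code needs the Public Suffix List.
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def embeds_second_url(url):
    # A second http(s):// after the scheme suggests a redirector-style link.
    return re.search(r"https?(?::|%3a)//", url[8:], re.I) is not None

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        if URL_RE.match(shown):  # plain-text anchors are skipped: they are common in ham
            if site(shown) != site(self.href):
                self.findings.append(("MISMATCH", self.href, shown))
            elif embeds_second_url(self.href) and not embeds_second_url(shown):
                self.findings.append(("REDIRECTOR", self.href, shown))
        self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the thread's link followed by three made-up ones.
SAMPLE = "".join([
    '<a href="http://www.whatever.com/secretphishersite/blah?something=blahblah">http://www.paypal.com/somethingsecure/this?that=1</a>',
    '<a href="http://news.example.com/story">Read more</a>',
    '<a href="http://login.example.com/">http://www.example.com/</a>',
    '<a href="http://www.example.com/r?u=http://other.example.net/">http://www.example.com/</a>',
])
```

`audit(SAMPLE)` returns one `MISMATCH` finding for the thread's link and one `REDIRECTOR` finding for the last link; the "Read more" and subdomain links produce nothing.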