On 8/25/2015 7:51 AM, RW wrote:
On Tue, 25 Aug 2015 09:55:57 +0200
Tom Hendrikx wrote:
Basically every MUA I know will label the message as a possible scam
when you use the BAD version, which why you actually never see it in
non-spam mail, unless the editor was a real noob.
That applies to spam too.
Would this really have a significant effect on modern phishes?
It still works against a lot of people, even those who know what to look
for. It's easy to get complacent and click a link without checking it
first when you go through a hundred emails a day.
That said, it also works because it's common in ham to the point that
you just sometimes have to ignore it. Lots of questionable but
consented-to mass marketing emails will use a tracker domain for
embedded URLs, so when someone links to <a
href=http://apache.org>apache.org</a>, it gets rewritten and now it hits
this new rule. Or perhaps if you ever are told to go to <a
href=http://*www*.google.com>google.com</a> and log into <a
href=http://*accounts.google.com*>gmail.com</a> you'll hit the rule too...
There's a lot of reasons to have such a rule and lots of reasons to not
have it. Without any data, I would lean towards not having it, because
there's usually a better pattern to match on.
But we can have data! Put the rule in a sandbox and see what RuleQA
thinks of its stats.
