http://bugzilla.spamassassin.org/show_bug.cgi?id=4386
------- Additional Comments From [EMAIL PROTECTED] 2005-06-03 08:22 ------- Theo wrote: > Jifl wrote: > > So for example (based on a real one, but not verbatim): > > <a href="http://12.98.176.54/billing.ebay.com"; > > onMouseOver="status='https://billing.ebay.com/'; return > > true">http://billing.ebay.com/</a> > > 3.1 already has a rule to flag this specific type of href setup. Cool! I'm "only" using the latest released version. >> In this example SA could pick up on two things: SA could detect that the link >> contents are themselves in the form of a URI ("http(s?)://" would do), and >> then >> that the href in the link refers to a URL that differs from that URI. >> Secondly > It's not that simple. This has been discussed numerous times already > on users@ and other tickets. In short, testing shows that assuming > the anchor text URI and the href URI match in ham but not in spam is > completely not valid and FPs wildly. I wasn't able to find any similar tickets in an earlier query before I submitted this, and am not on the users list sorry. So sorry if I'm repeating something, but checking just the protocol/host part of the URI would probably be sufficient. The chance of FPs then would seem much smaller for legitimate ham. Derek wrote: > The onmouseover status is harder to catch. I don't think it would be required to match the whole extract with the use of status etc. I think the presence of onmouseover anywhere is probably a sufficient indicator that this mail is irregular. And thanks for the forms suggestion and regexps. It's difficult to imagine ham that wanted to legitimately use such a construct. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
