Kevin A. McGrail wrote:
> Philip:
>
> This rule won't hit on the phishing email I was discussing. It doesn't use
> a mouseover. It uses a nested a tag to hide the real link. Thanks to
> Kenneth Porter, here's my original post:
>
> http://thread.gmane.org/gmane.comp.jakarta.tomcat.user/127749

Kevin,

I get that. The larger point that I was trying to make (and I could have done a better job of connecting the dots) is this:

* sometimes someone will send out HTML that will look like:

  <a href="http://www.foo.com/...">http://www.bar.com/...</a>

  where you think you're going to www.bar.com, but you're actually going to www.foo.com.

* Some browsers will display (below in the status bar) the real URL contents when you put your mouse over the anchor in the status bar (as visual confirmation of where you're about to go).

* the connection I was trying to make is that if the attributes of the <a> contain:

  onMouseOver="window.status=' ...

  you can override what the contents of the status bar end up looking like, thus circumventing the limited security that browsers provide (in the form of visual feedback above).

Hope this is more clear.

-Philip
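
The checks discussed in this message, as an added example that is not part of the original thread or of MIMEDefang: a Python scanner that flags anchors whose visible URL host differs from the href host, anchors whose onMouseOver sets window.status, and nested a tags. The names `AnchorAudit`, `audit` and `host_of` and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_IN_TEXT = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)

def host_of(url):
    """Lower-cased host of a URL; bare 'www.x.com/...' is treated as http."""
    if not re.match(r'^[a-z][a-z0-9+.-]*://', url, re.I):
        url = 'http://' + url
    return (urlsplit(url).hostname or '').lower().rstrip('.')

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # one [href, text_parts] entry per open <a>
        self.findings = []   # (reason, href) tuples

    def handle_starttag(self, tag, attrs):
        if tag != 'a':
            return
        a = {k: (v or '') for k, v in attrs}
        href = a.get('href', '')
        if self.stack:       # an <a> opened inside another <a>
            self.findings.append(('nested_anchor', href))
        if 'window.status' in a.get('onmouseover', '').lower():
            self.findings.append(('status_bar_override', href))
        self.stack.append([href, []])

    def handle_data(self, data):
        for entry in self.stack:   # text belongs to every open anchor
            entry[1].append(data)

    def handle_endtag(self, tag):
        if tag != 'a' or not self.stack:
            return
        href, parts = self.stack.pop()
        shown = URL_IN_TEXT.search(''.join(parts))
        # Only compare when the visible text itself looks like a URL.
        if href and shown and host_of(shown.group(0)) != host_of(href):
            self.findings.append(('text_href_mismatch', href))

def audit(html):
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the displayed URL and the real target differ.
SAMPLE = '<a href="http://www.foo.com/x">http://www.bar.com/x</a>'
```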

