Re: anchor forgery

2009-07-25 Thread mouss
Mike Cardwell wrote:
 Just checking through my Spam folder and I came across a message that
 contained this in the html:
 
 <a target=_blank
 href=http://www.kanotiser.se/images/logo.html>https://www.paypal.co/us/webscr.php?cmd=_login-runcmd=_secure
 </a>
 
 Yet, there was no mention of this obvious forgery in the spamassassin
 rules which caught the email.
 
 How would you create a rule which matched when the anchor text is a url
 which uses a different domain to the anchor href?
 

This has been discussed a (very) long time ago. The outcome is that a
mismatch also happens in legitimate mail.

You can do the check for selected domains such as paypal. But then I'd
simply look for the presence of paypal (or a variant) in the message, then
look for patterns that confirm it is from paypal; otherwise tag it as spam.


Re: anchor forgery

2009-07-25 Thread Matt Kettler
mouss wrote:
 Mike Cardwell wrote:
 Just checking through my Spam folder and I came across a message that
 contained this in the html:

censored example, Verizon won't let me send it
 Yet, there was no mention of this obvious forgery in the spamassassin
 rules which caught the email.

 How would you create a rule which matched when the anchor text is a url
 which uses a different domain to the anchor href?

 

 this has been discussed a (very) long time ago. the outcome is that a
 mismatch also happens in legitimate mail.

Not just happens, it happens quite a lot.

Sometimes in nonspam it is differences that are easy to compensate for,
like the link being to hosting.example.com, but the anchor text is
www.example.com.

Other times it's difficult to compensate for, where they first send you
to a link at their ESP, which then redirects you to the actual site.
Some ESPs prefer to do this, either for billing (charge extra for
clicks) or for spam control reasons (if the sender violates the ToS, the ESP
will disable the redirect, which isn't much, but it does prevent the
sender from profiting at the ESP's expense).

Regardless of the reason, senders tend to make the text match what your
browser will show after the redirect occurs, not the ESP target in some
totally different domain.



Re: anchor forgery

2009-07-25 Thread Karsten Bräckelmann
On Sat, 2009-07-25 at 15:59 +0100, Mike Cardwell wrote:
 Just checking through my Spam folder and I came across a message that 
 contained this in the html:

Hey, it was classified spam. ;)  And it's a phish anyway...

 <a target=_blank href=http://www.example.net>https://www.example.com</a>

 How would you create a rule which matched when the anchor text is a url 
 which uses a different domain to the anchor href?

I'm with mouss and Matt, that is FP prone.  *Might* make a somewhat
decent meta, with carefully picked rules, though.

Anyway, there's something better than the domain mis-match. It's a
protocol mis-match, pretending false security.


For either one, URIDetail [1] would be the way to go. Specifically, have
a look at its FAKE_HTTPS example. ;)

  guenther


[1] 
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
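The three checks the thread talks past each other about, worked out as runnable code. This is an added example written for this page; it is not from the original messages and it is not SpamAssassin's URIDetail plugin, although each function corresponds to what a rule on anchor text versus href would test. It implements Karsten's protocol mismatch (anchor text says https://, the real target does not), the anchor-text/href domain mismatch with Matt's two false-positive cases handled (same registrable domain as in hosting.example.com vs www.example.com, and an allowlist of ESP click-tracking hosts), and mouss's targeted brand check. The ESP hostname, the brand-to-domain table and the sample bodies are constructed for the example; the public-suffix handling is a deliberate simplification.

```python
"""Anchor-forgery checks over an HTML mail body (added example, not from
the thread and not SpamAssassin code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of ESP click-tracking hosts; a real deployment
# would maintain its own. The hostname here is made up.
ESP_REDIRECTORS = frozenset({"click.esp-example.net"})

# Brand regex on the anchor text -> registrable domains that may
# legitimately carry the link (constructed; extend per site).
BRAND_DOMAINS = {re.compile(r"paypal", re.I): {"paypal.com"}}

# Tiny stand-in for a public-suffix list; real code should use a full one.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


class AnchorCollector(HTMLParser):
    """Collect (href, anchor text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def registered_domain(host):
    """Reduce a hostname to its registrable part (eTLD+1), simplified."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def text_as_url(text):
    """Parse anchor text that looks like a URL; None if it is plain words."""
    shown = text.strip()
    if not re.match(r"(?i)^(https?://|www\.)", shown):
        return None
    if "://" not in shown:
        shown = "http://" + shown          # bare www.example.com in the text
    return urlparse(shown)


def check_anchor(href, text, esp_redirectors=ESP_REDIRECTORS):
    """Return the set of rule names that fire for one anchor."""
    hits = set()
    link = urlparse(href.strip())
    shown = text_as_url(text)
    if shown is not None:
        # FAKE_HTTPS: the visible link promises TLS, the real target does not.
        if shown.scheme == "https" and link.scheme != "https":
            hits.add("FAKE_HTTPS")
        # DOMAIN_MISMATCH on registrable domains, so hosting.example.com vs
        # www.example.com stays quiet; known ESP redirectors are skipped.
        if (link.hostname and shown.hostname
                and registered_domain(link.hostname) != registered_domain(shown.hostname)
                and link.hostname.lower() not in esp_redirectors):
            hits.add("DOMAIN_MISMATCH")
    # BRAND_HREF_MISMATCH: a watched brand is named, the link goes elsewhere.
    for pattern, domains in BRAND_DOMAINS.items():
        if (pattern.search(text) and link.hostname
                and registered_domain(link.hostname) not in domains):
            hits.add("BRAND_HREF_MISMATCH")
    return hits


def scan(html, esp_redirectors=ESP_REDIRECTORS):
    """Sorted union of rule hits over every anchor in the body."""
    hits = set()
    for href, text in extract_anchors(html):
        hits |= check_anchor(href, text, esp_redirectors)
    return sorted(hits)


# Constructed sample bodies (not the messages quoted in the thread).
PHISH = ('<a target="_blank" href="http://www.example.net/images/logo.html">'
         'https://www.paypal.com/us/webscr.php?cmd=_login-run</a>')
HOSTING = '<a href="http://hosting.example.com/news">www.example.com</a>'
ESP = '<a href="http://click.esp-example.net/t?id=42">www.example.com</a>'

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("hosting", HOSTING), ("esp", ESP)):
        print(name, scan(body))
```

The phish sample trips all three rules; the hosting sample trips none because both sides reduce to example.com; the ESP sample is quiet only because its host is on the allowlist, which is exactly the maintenance burden the replies above warn about. The brand check is the cheap, low-FP rule mouss suggests: it ignores anchor-text URLs entirely and fires only when a watched brand name sits on a link that leaves the brand's own domains.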