[EMAIL PROTECTED] wrote:

> [snip]
>
>Hi Philip,
>
>most phish works that way so it is probably worthwhile...
>
>This question comes up every now and then, and every time there are a couple of
>responses saying that many legitimate html mail contains similar stuff
>
><a href=somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>
><a href=shop.somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>
>
>these would be okay for me and most others if the purported link works as well
>
><a href=somesite.com/buy.php?id=dt3hu93f6nk1zb>somesite.com/buy/dell_pc</a>
>  
>

If the two domain sites match, or are a partial right-most match, i.e.

<a href=subdom.foobar.com/xyzzy/cgi-bin/grope>foobar.com</a>

then it would be ok, I think.  But if the two domains don't match
right-most then it would be highly suspect.

>If it is a newsletter I signed up for, that could still be okay. Otherwise, I
>would expect that the long id could be some sort of unwanted tracking
>
><a href=othersite.com/......>somesite.com/......</a>
>
>Well it depends on whether I am willing to trust the relationship between the
>two sites:
>- is othersite some service that could be contracted to do business for the
>visible site (former state telecom, as an ISP, contracts an ad company to email
>suspicious newsletters with encoded links ... it is just harmless spam)
>  
>

I've thought about this...  When I worked at Cisco there was an external
fulfillment company that did outsourced emails on various things and
they would come in from outside our corporate firewalls saying that
they were from "@cisco.com"...

And I never understood why anyone would want to do that.  Why not
set-up a VPN tunnel from your outsource company so that they can
send the email from a machine that is both (a) within your intranet
so that outgoing mail goes through the appropriate external relays,
and (b) from a machine whose name is in the appropriate domain?


>- does othersite look related to somesite (e.g. same netblock or same whois
>information)
>
>Well, my personal preference would be to mark all mail that does not meet the
>"same netblock" (extended, if not the same /24, could still be same ARIN) not
>only with a few spam points but with a thick red "THIS MAY BE PHISH" or even
>reject at the MTA
>Of course, it would need many recipients blocking those or complaining, before
>senders will start to understand that suspicious emails don't help but rather
>hinder their marketing efforts
>  
>

That seems like a lot of guesswork to have to do.

I get emails for target.com promotions that come from bfi0.com or
bigfootinteractive.com...

dartmail.com sends me barnesandnoble promotions...

I would be happy with (a) either having to whitelist these senders, or
(b) requiring the mail clearing house to pump out the emails via the
far end of a VPN tunnel at the client's corporate network (i.e. target.com,
bn.com, etc).

-Philip



>Wolfgang Hamann
>
>
>  
>
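
The right-most domain check discussed in this message, sketched in Python as an added example (not code from either poster). The names `host_of`, `rightmost_match`, `AnchorAudit` and `audit` are chosen here, and the `/offer` path and the `.example` host in the sample are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that begins with something shaped like a hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#]|$)", re.I)

def host_of(url):
    # Accept the scheme-less form used in the thread (href=somesite.com/...).
    url = url.strip() if "://" in url else "//" + url.strip().lstrip("/")
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def rightmost_match(a, b):
    # One host's labels must end the other's, with at least two labels agreeing.
    la, lb = a.split("."), b.split(".")
    n = min(len(la), len(lb))
    return n >= 2 and la[-n:] == lb[-n:]

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.results = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = HOSTLIKE.match("".join(self.text).strip())
            if shown:  # only judge links whose text claims a destination
                self.results.append((self.href, rightmost_match(host_of(self.href), shown[1].lower())))
            self.href = None

def audit(html):
    parser = AnchorAudit()
    parser.feed(html)
    return parser.results

# Constructed sample: the first three anchors are the thread's own examples.
SAMPLE = """<a href=somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>
<a href=shop.somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>
<a href=subdom.foobar.com/xyzzy/cgi-bin/grope>foobar.com</a>
<a href=othersite.com/offer>somesite.com/offer</a>
<a href=http://somesite.com.othersite.example/login>somesite.com</a>"""
```

Comparing labels alone treats a suffix such as `co.uk` as if it were a registrable domain, so a filter built on this would consult the Public Suffix List before trusting a two-label match.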


