"Gary Smith" <[EMAIL PROTECTED]> writes: > I just received this spam a little while ago. What many novice users > will find is a site identical to paypal. The problem is the link > actually goes to http://shelbycreative.com/alacarte/webscr.dll which > emulates the paypal site exactly, pop's it up in a new window and asks > you for all of your CC information.
It's called phishing. > I think it might be time to create a rule that says if the link domain > (whatever.com) doesn't match the href domain (for at least two levels > of the TLD) it should be considered spoof. I tried writing such a rule before phishing became common (just trying to match spam) and it was not a great success due to false positives on legitimate mail, but I think the idea has merit. At worst, it could be restricted to commonly phished sites like paypal. The code would not be too hard to write up in SVN HEAD... when closing a link, compare the last URL with the last text. Daniel -- Daniel Quinlan anti-spam (SpamAssassin), Linux, http://www.pathname.com/~quinlan/ and open source consulting
