-----Original Message-----
From: Albert Whale <[EMAIL PROTECTED]>
To: Matt Kettler <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Date: Mon, 19 Jul 2004 22:01:39 -0400
Subject: Re: Catching more phishers - Not Really a SURBL Case
> Matt Kettler wrote:
> >
> > Well YOUR message didn't trigger the minimum, but who knows what the
> > spam would have scored.
>
> Actually the Spam message looks a great deal like the Real McCoy. To
> the untrained eye, it is a Phisher used to Capture Account information.
>
> >
> > Remember, a nonspam message quoting spam is not the same thing as a
> > spam itself.. The headers are different, and the changes to the body
> > text both drop the bayes score considerably.
> >
> >
> OK so the message didn't trigger as SPAM. I need to figure out how to
> detect the Phisher, and ALWAYS trigger the SPAM sensor.
>
> Perhaps it's not the SURBL Test. But as in the following example, the
> first half of this http reference is not even close to the displayed
> URL, thus the nature of the Phisher:
>
> <a target="_blank"
> href="">
>
> http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>
>
> Is this programmable in SPAM Assassin?
From: Albert Whale <[EMAIL PROTECTED]>
To: Matt Kettler <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Date: Mon, 19 Jul 2004 22:01:39 -0400
Subject: Re: Catching more phishers - Not Really a SURBL Case
> Matt Kettler wrote:
> >
> > Well YOUR message didn't trigger the minimum, but who knows what the
> > spam would have scored.
>
> Actually the Spam message looks a great deal like the Real McCoy. To
> the untrained eye, it is a Phisher used to Capture Account information.
>
> >
> > Remember, a nonspam message quoting spam is not the same thing as a
> > spam itself.. The headers are different, and the changes to the body
> > text both drop the bayes score considerably.
> >
> >
> OK so the message didn't trigger as SPAM. I need to figure out how to
> detect the Phisher, and ALWAYS trigger the SPAM sensor.
>
> Perhaps it's not the SURBL Test. But as in the following example, the
> first half of this http reference is not even close to the displayed
> URL, thus the nature of the Phisher:
>
> <a target="_blank"
> href="">
>
> http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00937614</a>
>
> Is this programmable in SPAM Assassin?
I tried a rule that checked for this a while back, but with no luck.
There are many newsletters that show for example:
http://t-mobile.com as url and
actually link to
http://newsletters.newsmail.com/?738648236483
Also microsoft, devpartner, codeproject and others use this technique.
I've stopped working on it, but if I can find it somewhere you might want to
work on it some more.
Jesse
