>> Has anyone else seen MIME spam that looks like:
>> 
>> ...
>> <a
>> href="http://www.paypalnetwork.info/us/cgi-bin/webscrcmd=_login+run/?logIN=upDate">
>> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a><br>
>> ...
>> 
>> Note that it looks like you're clicking on the link
>> "https://www.paypal.com/..."
>> but in fact you're really going to the spammer's link...
>> 
>> I couldn't think of a regex to match these, so I guess you'd need to do
>> full-fledged parsing of HTML in the message body.
>> 
>> Do these occur often enough to be worthwhile?
>> 
>> -Philip
>> 
>> 

Hi Philip,

most phish works that way so it is probably worthwhile...

This question comes up every now and then, and every time there are a couple of
responses saying that many legitimate HTML mail contains similar stuff

<a href=somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>
<a href=shop.somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>

these would be okay for me and most others if the purported link works as well

<a href=somesite.com/buy.php?id=dt3hu93f6nk1zb>somesite.com/buy/dell_pc</a>

If it is a newsletter I signed up for, that could still be okay. Otherwise, I
would expect that the long id could be some sort of unwanted tracking

<a href=othersite.com/......>somesite.com/......</a>

Well, it depends on whether I am willing to trust the relationship between the
two sites:
- is othersite some service that could be contracted to do business for the
  visible site (former state telecom, as an ISP, contracts an ad company to
  email suspicious newsletters with encoded links ... it is just harmless spam)
- does othersite look related to somesite (e.g. same netblock or same whois
  information)

Well, my personal preference would be to mark all mail that does not meet the
"same netblock" (extended, if not the same /24, could still be same ARIN) not
only with a few spam points but with a thick red "THIS MAY BE PHISH" or even
reject at the MTA.
Of course, it would need many recipients blocking those or complaining, before
senders will start to understand that suspicious emails don't help but rather
hinder their marketing efforts.

Wolfgang Hamann
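
The check discussed in this thread, as an added example that is not part of either message: parse the HTML body, and for every anchor whose visible text itself names a host, compare that host with the one in `href`. The names `host_of`, `site`, `LinkAudit` and `audit` are hypothetical, the two-label `site()` comparison is a simplifying assumption, and the netblock/whois comparison suggested above is not implemented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOSTNAME = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

def host_of(s):
    # Host named by a URL or bare host/path; None for text like "Click here".
    s = s.strip()
    try:
        host = urlsplit(s if "://" in s else "//" + s).hostname
    except ValueError:
        return None
    return host if host and HOSTNAME.fullmatch(host) else None

def site(host):
    # Assumption: last two labels ~ registered domain; real filters use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, real = host_of("".join(self.text)), host_of(self.href)
        if shown and real:  # skip anchors whose visible text names no host
            verdict = ("same-host" if shown == real else
                       "same-site" if site(shown) == site(real) else "MISMATCH")
            self.findings.append((shown, real, verdict))
        self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: anchors quoted in the thread (paths after othersite.com are made up).
SAMPLE = """<a href="http://www.paypalnetwork.info/us/cgi-bin/webscrcmd=_login+run/?logIN=upDate">
https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a>
<a href=shop.somesite.com/buy.php?id=33>somesite.com/buy/dell_pc</a>
<a href=othersite.com/promo>somesite.com/promo</a>
<a href="http://othersite.com/promo">Click here</a>"""
```

`audit(SAMPLE)` returns `(shown, real, verdict)` tuples; a scoring rule would act only on `MISMATCH`, leaving the subdomain case and plain-text links alone.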


