Jay Lee wrote: > Has any thought been given to creating a rule that looks for "forged" > links? Here's one I got today in a phishing scam: > > <A > href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/chase.com/index.htm";> > > <FONT face="Times New Roman" color=#0000ff style="font-size: 13pt"> > http://www.chase.com/verification.asp</FONT></A> > > So how hard would it be to create a rule that triggers if the href > (http://www.createtokill-clan.de...) doesn't match the url that is > displayed (http://www.chase.com...) or at least contain the same > domain? I realize this is mostly done with phishing scams but it's not > unheard of for spammers to use this technique too. I've not seen a SA > rule that triggers on this specifically. Any thoughts? >
It's been discussed on this list *many* *many* times. The general problem is that "forged" links are very common in legitimate mail. To quote a list posting --------------------------------------- From: Theo Van Dinter Subject: Re: has someone already written this rule yet?" Date: Thu, 2 Feb 2006 20:21:35 -0500 <snip> Easily possible, but the rule performs horribly in real-life since it appears in a ton of ham in the generic sense (<a href=XYZ>ABC</a>). It's all covered in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255
