Jay Lee wrote:
> Has any thought been given to creating a rule that looks for "forged"
> links?  Here's one I got today in a phishing scam:
> 
> <A
> href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/chase.com/index.htm">
> 
> <FONT face="Times New Roman" color=#0000ff style="font-size: 13pt">
> http://www.chase.com/verification.asp</FONT></A>
> 
> So how hard would it be to create a rule that triggers if the href
> (http://www.createtokill-clan.de...) doesn't match the url that is
> displayed (http://www.chase.com...) or at least contain the same
> domain?  I realize this is mostly done with phishing scams but it's not
> unheard of for spammers to use this technique too.  I've not seen a SA
> rule that triggers on this specifically.  Any thoughts?
> 

It's been discussed on this list *many* *many* times.

The general problem is that "forged" links are very common in legitimate mail.


To quote a list posting
---------------------------------------
From: Theo Van Dinter
Subject: Re: has someone already written this rule yet?"
Date: Thu, 2 Feb 2006 20:21:35 -0500
<snip>

Easily possible, but the rule performs horribly in real-life since it appears
in a ton of ham in the generic sense (<a href=XYZ>ABC</a>).  It's all covered
in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255
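
An added example, not part of the thread and not SpamAssassin code: a sketch of the check Jay describes, narrowed to anchors whose visible text is itself a URL, run over the sample from the post and over two constructed legitimate-style links. The function names, the `same_site` heuristic and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible text counts as a "displayed URL" only if it is nothing but a URL.
URL_TEXT = re.compile(r'^\s*(?:https?://|www\.)\S+\s*$', re.I)

def host(url):
    """Lower-cased host of a URL; bare 'www.' text gets a scheme first."""
    if not re.match(r'^[a-z][a-z0-9+.-]*://', url, re.I):
        url = 'http://' + url
    return (urlsplit(url.strip()).hostname or '').lower()

def same_site(a, b):
    """Crude same-domain test (assumption): equal, or one is a subdomain of the other."""
    return a == b or a.endswith('.' + b) or b.endswith('.' + a)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href') or '', []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (href host, displayed host) for anchors whose text is a URL on another host."""
    p = AnchorCollector()
    p.feed(html)
    p.close()
    pairs = [(host(h), host(t)) for h, t in p.links if URL_TEXT.match(t)]
    return [(a, b) for a, b in pairs if a and not same_site(a, b)]

# Sample from the post above, then two constructed legitimate-style links.
PHISH = ('<A href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/chase.com/index.htm">'
         '<FONT face="Times New Roman" color=#0000ff>\nhttp://www.chase.com/verification.asp</FONT></A>')
HAM_PLAIN = '<a href="http://news.example/story/42">Read more</a>'
HAM_TRACKED = '<a href="http://click.mailer.example/r?u=123">http://www.shop.example/sale</a>'
```

The constructed `HAM_TRACKED` link, a click-tracking redirect of the kind newsletters use, is flagged exactly like the phishing sample, which is one concrete way the rule hits ham.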


