Mike Cardwell a écrit : > Just checking through my Spam folder and I came across a message that > contained this in the html: > > <a target="_blank" > href="http://www.kanotiser.se/images/logo.html";>https://www.paypal.co/us/webscr.php?cmd=_login-runcmd=_secure > > </a> > > Yet, there was no mention of this obvious forgery in the spamassassin > rules which caught the email. > > How would you create a rule which matched when the anchor text is a url > which uses a different domain to the anchor href? >
this has been discussed a (very) long time ago. the outcome is that a mismatch also happens in legitimate mail. you can do the check for selected domains such as paypal. but then I'd simply look for the presence of paypal (or variant) in the message then look for patterns that "confirm" it is from paypal, otherwise tag as spam.
