On 2016-09-25 12:39, Alex wrote:
Hi,

On Sun, Sep 25, 2016 at 3:29 PM, Sean Greenslade
<s...@seangreenslade.com> wrote:
On Sun, Sep 25, 2016 at 03:12:00PM -0400, Alex wrote:
Hi, I'm seeing quite a few FPs with HTTPS_HTTP_MISMATCH and its score
of 2.0. Isn't that kind of high for a rule that doesn't even have a
description?

Can someone explain what the rule does, and consider whether its score
should be adjusted?

Thanks,
Alex

From my quick glance over the code, it looks like that rule is meant to
trigger when a link presents its text as an https://... link, however
the actual link is to an http://... URL. Like this:

<a href="http://spammersite.com/virus">https://www.email-service.com/login</a>

The only place I would imagine false positives arising from this rule
would be if an email sender uses some sort of automatic link replacement
(e.g. for click-through tracking) that doesn't support https. And I
personally am inclined to agree that an email that mis-represents
insecure links as secure should be considered suspicious.

Contact the senders of the flagged emails and ask them to fix their
systems. Spam or not, that is a real problem.

I think it must be something more than that. I've included the HTML
component of an FP I received, and I don't see any occurrences of an
https link where the text component is just http, or even vice-versa.

http://pastebin.com/BNM9sLRL

The HTML is a bit hard to read. Let me know if you want the whole
email (which is even harder, considering it's encoded, so you'd have to
actually run it through SA).

Thanks,
alex

These days even mixed links, some https and some simple http, are suspicious. It's easy to include https links to page elements and an http link to the real intended payload. With http you know nothing about who sent it. With https you know either who sent it or who has an insecure system. Conceptually you can turn your pet lawyer loose on 'em. (That being the "nicest" thing I think should happen to them.)

{o.o}
