Posted to users@spamassassin.apache.org by ha...@t-online.de on 2004/12/07 08:42:34 UTC

Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

Hello Bob,

thanks for getting back on that.
The problem with these mails - they may not be spam, they may not be fraud either,
but they impose a different kind of threat .... by lowering recipients' thresholds on security.

I have had that argument "well, I read that mail, and nothing bad happened" from users
and don't want to have it again :)
Maybe I should ask these kinds of people to sign a paper that they will never ask me to
disinfect their systems.

We have seen
- banks that invite their customers to "click somewhere" for their account statement
- banks that suggest to "go to the security tab in IE and drag the control to a lower setting" as
a response to cert warnings
- Microsoft generate cert warnings by putting a valid cert onto the wrong server
and now we have "legitimate mail" with suspicious links
It is all these things together that eventually make people tolerant to phish (well, I got this
irritating "broken cert" thing every day from my bank as well - how should I know that their
"broken cert" was different)

I am also not sure whether anti spam is the proper place to deal with these messages - if they
get enough score, recipients will just route them to the trash and later complain about the missing
mail. I could even imagine quarantining these mails and inviting recipients to complain to the senders.
In the case of the bank mentioned above, a "bank smells like phish" article in a local
computer mag caused them to change the system.

Wolfgang Hamann

>> Hello Wolfgang,
>> 
>> Monday, December 6, 2004, 7:39:09 AM, you wrote:
>> 
>> LW>> That's because such a rule won't work.  All manner of real mail ends up
>> LW>> sending things that have a real link address different from the one shown in
>> LW>> the link.  Often it is a very minor difference, like https vs http, but
>> LW>> sometimes there are no points of reality at all between them. This shows up
>> LW>> a lot in stuff generated from databases.
>> 
>> WH> if there is a visible url to a different server than the one in
>> WH> real url, I would not only want to tag that as possible spam, but
>> WH> rather have a nice red 20pt headline added to the mail: WARNING -
>> WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED
>> 
>> As the current ninja maintaining the SARE URI rules file (though not
>> the fraud or spoof files), I gladly invite you to develop such a rule.
>> If you can offer us a rule that does what you want, and in our testing
>> does not hit excessively on non-spam, we'll gladly include it in our
>> SARE rules file, and will support your submission of that rule to the
>> SA developers.
>> 
>> At this point in time, I can't think of a good (efficient) way to do
>> this that wouldn't also hit huge numbers of non-spam.
>> 
>> Bob Menschel
>> 
>> 
>> 
>>
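
The visible-versus-real link comparison debated in the thread above, as an added example (not from the original posts, and not SpamAssassin or SARE rule code): it compares the host shown in anchor text with the host in the href and ignores differences that are only http versus https. The function names, the sample hosts and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that is itself a URL or bare host name; group 1 is the host.
SHOWN_URL = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?$", re.I)

# Constructed sample mail body (hosts are placeholders, not real senders).
SAMPLE = """\
<a href="https://bank.example/login">http://bank.example/login</a>
<a href="http://203.0.113.7/login">https://bank.example/login</a>
<a href="http://track.mailer.example/c?id=42">www.shop.example</a>
<a href="http://other.example/">Click here</a>
"""

def href_host(href):
    """Host of an absolute http(s) href, lower-cased; None for anything else."""
    parts = urlsplit(href.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None

class LinkAudit(HTMLParser):
    """Collects (shown_text, href) pairs whose hosts disagree."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        m, real = SHOWN_URL.match(shown), href_host(self._href)
        # Scheme-only differences (http vs https) compare equal on host.
        if m and real and m.group(1).lower() != real:
            self.findings.append((shown, self._href))
        self._href = None

def mismatched_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.findings
```

On the sample, the second link (shown bank host, numeric-address href) and the third (shown shop host, mailer redirect href) are both reported, which is the non-spam overlap the thread describes for a plain host-mismatch test.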