You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/01/28 23:34:15 UTC

[Bug 4112] New: rule to detect misleading hyperlinks

http://bugzilla.spamassassin.org/show_bug.cgi?id=4112

           Summary: rule to detect misleading hyperlinks
           Product: Spamassassin
           Version: 2.63
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: gjanee@alexandria.ucsb.edu


(Sigh) I'm so sick of getting phishing emails.  A common characteristic seems to be the use of 
misleading hyperlinks, as in this example:

<a href="http://email.apollo-cn.idv.tw/webmail/database/.wamu/"
>https://login.personal.wamu.com/registration/CreateLogonEntry.asp</a>

A rule could be

<\s*a\s+href\s*=\s*['"](.*?)['"]\s*>(https?:.*?)</\s*a\s*>

where $1 != $2.  But I don't know how to express that kind of condition as a simple regular expression.

Please forgive me if this RFE is off-base... I'm not a spamassassin expert, just a satisfied user.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4112] rule to detect misleading hyperlinks

Posted by bu...@bugzilla.spamassassin.org.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4112





------- Additional Comments From lwilton@earthlink.net  2005-01-28 19:22 -------
Subject: Re:   New: rule to detect misleading hyperlinks

Good idea, and expressiable in an regex.  But it doesn't work well.
There are too many legit sites that do things where there is a chanracter or
two difference between the uris, or they are even completely different.
This is especially bad in newsletters.

This is probably a case where more specifically targeted rules will have a
better chance of working.  SARE has a number of anti-phishing rules that
work fairly well, although they could be improved.  WAMU in particular is a
fairly new phishing target.





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4112] rule to detect misleading hyperlinks

Posted by bu...@bugzilla.spamassassin.org.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4112


quinlan@pathname.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From quinlan@pathname.com  2005-02-18 00:07 -------
Unfortunately, this is really common in legitimate mail.  Don't ask me
why, but it is... I've tested this idea before quite extensively.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.