Posted to users@spamassassin.apache.org by "Rosenbaum, Larry M." <ro...@ornl.gov> on 2007/12/06 17:52:30 UTC
Mismatched URLs revisited
Some time ago (and more than once) there have been discussions on this list about email containing hyperlinks where the link text is a URL that doesn't match the URL in the link HREF, and the pros and cons of testing for and scoring these mismatched links. My management has raised this issue. My memory is hazy on what the final opinions were - it seems like this was initially discouraged, but later discussions may have been less discouraging. Could somebody point me to the threads where this is discussed? Also, does SpamAssassin currently contain any rules for this kind of testing, or are there third-party rules that do this?
Thanks, Larry
Re: Mismatched URLs revisited
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 6 Dec 2007, DAve wrote:
> I would think if you scored based on mismatched URLs you would tag
> the same messages incorrectly.
You could mitigate that by using it in a meta along with rules that
hit on phishing-like text, and leave the score for a single mismatched
URL low, like 0.1 or so.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the business of government to make men virtuous or
religious, or to preserve the fool from the consequences of his own
folly. -- Henry George
-----------------------------------------------------------------------
9 days until Bill of Rights day
Re: Mismatched URLs revisited
Posted by DAve <da...@pixelhammer.com>.
Rosenbaum, Larry M. wrote:
> Some time ago (and more than once) there have been discussions on this
> list about email containing hyperlinks where the link text is a URL that
> doesn’t match the URL in the link HREF, and the pros and cons of testing
> for and scoring these mismatched links. My management has raised this
> issue. My memory is hazy on what the final opinions were – it seems
> like this was initially discouraged, but later discussions may have been
> less discouraging. Could somebody point me to the threads where this is
> discussed? Also, does SpamAssassin currently contain any rules for this
> kind of testing, or are there third-party rules that do this?
>
MailScanner does that under the concept of "Phishing Detection". We used
it very successfully for several months to catch phishing attempts.
Unfortunately we had to turn it off because it also catches multitudes
of legit (so I am told) opt in mailings. Several large mass mailing
providers (their names escape me now) use redirects in every URL.
Rewriting them made the beautifully designed html messages less
beautiful and clients objected.
I would think if you scored based on mismatched URLs you would tag the
same messages incorrectly.
Just my experience.
DAve
--
I've been asking Google for a Veteran's Day logo since 2000,
maybe 1999. I was told they finally did a Veteran's Day logo,
but none of the links I was given return anything but a
normal Google logo.
Sad, very sad. Maybe the Chinese Government didn't like it?
Re: Mismatched URLs revisited
Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Randal, Phil wrote:
> Unfortunately, people who should know better (e.g. McAfee) do this all
> the time.
>
> There'd have to be a huge whitelist of safe URLs to make this workable.
>
> We use MailScanner, which has this sort of phishing detection built
> in, flagging suspicious links.
>
> Cheers,
>
> Phil
Note as Phil said, MailScanner doesn't determine if a message is spam or
not using the Phishing Detection. It merely modifies that part of the
message inserting a warning that something odd is going on, but adds
nothing to the score. It has a whitelist of over 800 exceptions to this
rule. This is to try to reduce the number of rewrites for legit URLs.
A few examples in the whitelist are: americanexpress.com, apple.com,
bell.ca, capitalone.com, mcafee.com
RE: Mismatched URLs revisited
Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
Unfortunately, people who should know better (e.g. McAfee) do this all
the time.
There'd have to be a huge whitelist of safe URLs to make this workable.
We use MailScanner, which has this sort of phishing detection built in,
flagging suspicious links.
Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
________________________________
From: Rosenbaum, Larry M. [mailto:rosenbaumlm@ornl.gov]
Sent: 06 December 2007 16:53
To: users@spamassassin.apache.org
Subject: Mismatched URLs revisited
Some time ago (and more than once) there have been discussions
on this list about email containing hyperlinks where the link text is a
URL that doesn't match the URL in the link HREF, and the pros and cons
of testing for and scoring these mismatched links. My management has
raised this issue. My memory is hazy on what the final opinions were -
it seems like this was initially discouraged, but later discussions may
have been less discouraging. Could somebody point me to the threads
where this is discussed? Also, does SpamAssassin currently contain any
rules for this kind of testing, or are there third-party rules that do
this?
Thanks, Larry
Re: Mismatched URLs revisited
Posted by Joseph Brennan <br...@columbia.edu>.
The URL mismatch that seemed like a sure thing to us was showing the
reader "https" but really linking to "http"!
Believe it or not major financial institutions send mail with these
fraudulent (I would say) links. Very sad.
OK, well, then say as long as the https and http links go to the
same *domain* maybe it's just an ill-advised redirect. Surely if
they go to totally different domains something must be wrong.
No. We log them. Here are some samples from yesterday, below.
"..." for long identifier strings.
I handpicked these for variety. There are actually many phishing
messages especially for paypal.com and some banks.
Says https://email.citicards.com
Links to http://info.citibank.com/... #real bank
Says https://web.da-us.citibank.com/...
Links to http://www.makrasrealestate.com/... #phishing
Says https://newsletters.1105pubs.com/...
Links to http://www.1105newsletters.com/... #legit?
Says https://www.gotomeeting.com/...
Links to http://www.itmpi-journal.com/... #legit?
Says https://www.hsbcdirect.com/...
Links to http://ebusiness.hsbcusa.com/... #real bank
Says https://online.lloydstsb.co.uk/...
Links to http://dundonaldbluebell.com/... #phishing
Says https://www.paypal.com/...
Links to http://0x94f57182/www.paypal.com/... #phishing!
Says https://www.wellsfargo.com/...
Links to http://teplomer.spb.ru/... #phishing
Says https://www.downeysavings.com/...
Links to http://smtp.faith-sol-tech.com/... #phishing
Says https://www.regonline.com/...
Links to http://www.maildogmanager.com/... #legit?
Says https://www.moviemaker.com/...
Links to http://rs6.net/... #legit
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: Mismatched URLs revisited
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Dec 06, 2007 at 11:52:30AM -0500, Rosenbaum, Larry M. wrote:
> Some time ago (and more than once) there have been discussions on this list about email containing hyperlinks where the link text is a URL that doesn't match the URL in the link HREF, and the pros and cons of testing for and scoring these mismatched links. My management has raised this issue. My memory is hazy on what the final opinions were - it seems like this was initially discouraged, but later discussions may have been less discouraging. Could somebody point me to the threads where this is discussed? Also, does SpamAssassin currently contain any rules for this kind of testing, or are there third-party rules that do this?
http://wiki.apache.org/spamassassin/AntiPhishFakeUrlRule
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255#c24 has a good
amount of info.
It all resulted in a single rule:
0.021 0.0247 0.0017 0.935 0.53 0.00 HTTPS_IP_MISMATCH
which obviously isn't very helpful and still has false positives.
--
Randomly Selected Tagline:
"I protect home plate like a mormon girl on prom night."
- Mimi on the Drew Carey show