Posted to users@spamassassin.apache.org by Eugene Morozov <sa...@eltex.net> on 2004/12/06 13:02:59 UTC

Phishing attempt wasn't blocked by SpamAssassin

Hello!
Our customer received an email which contained an invitation to confirm 
personal information at the online bank. The link was hidden using the following 
trick:

<A 
href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>

It was a big surprise for me that there are no rules in the stock SA 
3.0.1 installation to catch such forged links. I was also unable to 
find such a rule on Rules Emporium.
Eugene

Re: Phishing attempt wasn't blocked by SpamAssassin

Posted by Jeff Chan <je...@surbl.org>.
On Monday, December 6, 2004, 4:02:59 AM, Eugene Morozov wrote:
> Hello!
> Our customer received an email which contained an invitation to confirm 
> personal information at the online bank. The link was hidden using the following 
> trick:

> <A 
> href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>

> It was a big surprise for me that there are no rules in the stock SA 
> 3.0.1 installation to catch such forged links. I was also unable to 
> find such a rule on Rules Emporium.
> Eugene

In addition to the other suggestions, I'd recommend reporting the
phish to:

  postmaster@corp.mailsecurity.net.au
  reportphishing@antiphishing.org
  spam@uce.gov

Doing so will help get some of the destination URIs into
ph.surbl.org, though in this particular case I'm not sure
that we should list designlaboratory.jp since this could
be a Joe Job or hijacked message board.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Phishing attempt wasn't blocked by SpamAssassin

Posted by Loren Wilton <lw...@earthlink.net>.
> Our customer received an email which contained an invitation to confirm
> personal information at the online bank. The link was hidden using the following
> trick:
>
> <A
> href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
>
> It was a big surprise for me that there are no rules in the stock SA
> 3.0.1 installation to catch such forged links. I was also unable to
> find such a rule on Rules Emporium.

That's because such a rule won't work.  All manner of real mail ends up
sending things that have a real link address different from the one shown in
the link.  Often it is a very minor difference, like https vs http, but
sometimes there are no points of reality at all between them.  This shows up
a lot in stuff generated from databases.

I believe we (SARE) do have a rule that checks for a dotquad link and a link
name that looks like it might be a bank.  However, it is fairly specific to
the more common bank scams, and won't catch the particular case you found.

        Loren
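
Added example, not part of any post in this thread and not SpamAssassin or SARE code: a Python sketch of the comparison the thread discusses, classifying anchors whose visible text is itself a URL by whether the href host matches, is a dotquad, or simply differs. The function names, verdict labels and the three `.example` samples are constructed for illustration; the first sample is the link from the original post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

DOTQUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # unparseable URL: treat as having no host
        return ""

def check_links(html):
    """Classify each anchor whose visible text is itself an http(s) URL."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.pairs:
        if not re.match(r"https?://", text, re.I):
            continue  # ordinary link text, nothing to compare
        shown, real = host_of(text), host_of(href)
        verdict = ("same-host" if shown == real  # e.g. only http vs https differs
                   else "dotquad-target" if DOTQUAD.match(real)
                   else "host-mismatch")         # also fires on tracking redirects
        findings.append((verdict, shown, real))
    return findings

# Link from the original post, then three constructed samples.
PAGE_LINK = '<A\nhref="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>'
CONSTRUCTED = ('<a href="https://news.example/a">http://news.example/a</a>'
               '<a href="http://192.0.2.10/x">https://bank.example/login</a>'
               '<a href="http://click.mailer.example/r?i=1">http://shop.example/sale</a>')
```

The last constructed sample is a click-tracking link of the kind legitimate bulk mail uses; it gets the same `host-mismatch` verdict as the phish, which is the false-positive problem raised in the reply above.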