Posted to users@spamassassin.apache.org by Eugene Morozov <sa...@eltex.net> on 2004/12/06 13:02:59 UTC
Phishing attempt wasn't blocked by SpamAssassin
Hello!
Our customer received an email which contained an invitation to confirm
personal information at the online bank. The link was hidden using the following
trick:
<A
href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
It was a big surprise for me that there're no rules in the stock SA
3.0.1 installation to catch such forged links. I was also unable to
find such a rule on Rules Emporium.
Eugene
Re: Phishing attempt wasn't blocked by SpamAssassin
Posted by Jeff Chan <je...@surbl.org>.
On Monday, December 6, 2004, 4:02:59 AM, Eugene Morozov wrote:
> Hello!
> Our customer received an email which contained an invitation to confirm
> personal information at the online bank. The link was hidden using the following
> trick:
> <A
> href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
> It was a big surprise for me that there're no rules in the stock SA
> 3.0.1 installation to catch such forged links. I was also unable to
> find such a rule on Rules Emporium.
> Eugene
In addition to the other suggestions, I'd recommend reporting the
phish to:
postmaster@corp.mailsecurity.net.au
reportphishing@antiphishing.org
spam@uce.gov
Doing so will help get some of the destination URIs into
ph.surbl.org, though in this particular case I'm not sure
that we should list designlaboratory.jp since this could
be a Joe Job or hijacked message board.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: Phishing attempt wasn't blocked by SpamAssassin
Posted by Loren Wilton <lw...@earthlink.net>.
> Our customer received an email which contained an invitation to confirm
> personal information at the online bank. The link was hidden using the following
> trick:
>
> <A
> href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
>
> It was a big surprise for me that there're no rules in the stock SA
> 3.0.1 installation to catch such forged links. I was also unable to
> find such a rule on Rules Emporium.
That's because such a rule won't work. All manner of real mail ends up
sending things that have a real link address different from the one shown in
the link. Often it is a very minor difference, like https vs http, but
sometimes there are no points of reality at all between them. This shows up
a lot in stuff generated from databases.
I believe we (SARE) do have a rule that checks for a dotquad link and a link
name that looks like it might be a bank. However, it is fairly specific to
the more common bank scams, and won't catch the particular case you found.
Loren
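
The check discussed in this thread, as an added example that is not part of any of the posts and is not a SpamAssassin or SARE rule: it reports anchors whose visible text is itself a URL naming a different host than the href. The names (mismatched_links, AnchorAudit, same_site), the subdomain heuristic and the example.com / example.net links are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re
# Anchor text that is itself a URL or bare hostname; group 1 is the host shown.
SHOWN_URL = re.compile(
    r"^\s*(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?\s*$", re.I)

def same_site(a, b):
    # Assumption: hosts are related if equal or one is a subdomain of the other.
    # A production rule would compare registrable domains (Public Suffix List).
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag names, so <A ...> matches
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = SHOWN_URL.match("".join(self.text))
        target = (urlsplit(self.href).hostname or "").lower()
        # Scheme-only differences (http vs https) are ignored: only hosts count.
        if shown and target and not same_site(shown.group(1).lower(), target):
            self.findings.append((shown.group(1).lower(), target))
        self.href = None

def mismatched_links(html):
    """Return (host shown in link text, host in href) for each mismatch."""
    audit = AnchorAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample: the link quoted in the thread plus three benign-style links.
SAMPLE = """
<A
href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
<a href="http://www.example.com/login">https://www.example.com/login</a>
<a href="http://example.com/">www.example.com</a>
<a href="http://click.mailer.example.net/r?id=1">www.example.com</a>
"""
```

mismatched_links(SAMPLE) reports the link from the original post and also the last constructed link, a redirect through an unrelated host of the kind legitimate mail generates. That second hit is the false-positive class described in the reply above, so a mismatch like this is a scoring signal to combine with others, not a verdict on its own.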